[ISN] Metasploit Creator Releases Malware Search Engine

From: InfoSec News (alerts@private)
Date: Mon Jul 17 2006 - 22:45:37 PDT


http://www.eweek.com/article2/0,1895,1990158,00.asp

By Ryan Naraine 
July 17, 2006 

H.D. Moore, creator of the Metasploit hacking tool and the security 
researcher behind the MoBB (Month of Browser Bugs) project, has released a 
search engine that finds live malware samples through Google queries.

The new Malware Search engine provides a Web interface that allows anyone 
to enter the name of a known virus or Trojan and find Google results for 
Web sites hosting malicious executables.

The release of the search engine was motivated in part by a recent 
announcement by Websense Security Labs, of San Diego-based Websense, that 
it was using the freely available Google SOAP (Simple Object Access 
Protocol) Search API to find dangerous .exe files sitting on Web servers.

In an interview with eWEEK, Moore said he worked with researchers at the 
Offensive Computing project to create the code after learning that 
Websense was only sharing its research on private security mailing lists.

"My Web interface will identify specific malware without the Google API. 
It directly searches Google using fingerprints from executables that we 
already have," he said.

Moore's project extracts code strings from known malware samples to serve as 
fingerprints, then searches Google for those strings.
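As an added illustration of the string-fingerprint approach the article describes (this is not Moore's or the Offensive Computing project's code; the stoplist of common executable strings and the sample bytes are constructed for this example):

```python
import re

# Strings present in nearly every Windows executable; useless as fingerprints.
# Assumption: an illustrative stoplist, not one taken from the real project.
COMMON_STRINGS = {
    "This program cannot be run in DOS mode.",
    "kernel32.dll", "user32.dll", "GetProcAddress", "LoadLibraryA",
}

def extract_strings(data: bytes, min_len: int = 8):
    """Return every run of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def select_fingerprints(strings, max_count: int = 3):
    """Keep strings likely to be unique to this sample: drop stoplisted and
    DLL-name strings and symbol noise, prefer longer strings, cap the count."""
    candidates = []
    for s in dict.fromkeys(strings):          # de-duplicate, keep order
        if s in COMMON_STRINGS or s.endswith(".dll"):
            continue
        if not re.search(r"[a-z]{3}", s):     # skip pure symbol/number runs
            continue
        candidates.append(s)
    candidates.sort(key=len, reverse=True)
    return candidates[:max_count]

def build_query(fingerprints):
    """Quote each fingerprint so a search engine matches the exact phrase."""
    return " ".join('"%s"' % f.replace('"', '') for f in fingerprints)

# Constructed sample: a fake PE-like blob with a DOS stub, a few imports and
# three strings unique to this fictional worm.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00\x00kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"
    + b"\x00\x11\x02SOFTWARE\\ExampleWorm\\Run\x00"
    + b"\x00\x00\x00hello-from-example-worm v1.02\x00"
    + b"\x00\x00%s\\sysupd.exe\x00"
)

if __name__ == "__main__":
    fps = select_fingerprints(extract_strings(SAMPLE))
    print(build_query(fps))
```

The stoplist is what keeps such a search useful: without it, the query would match every executable the index holds rather than copies of one sample.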

The search engine has been programmed with about 300 malware signatures 
and Moore said he plans to add another 6,000 signatures in a future bug 
fix update.

Moore, who works as director of security research at BreakingPoint 
Systems, based in Austin, Texas, said he was surprised to find that the 
number of executables indexed by Google was much less than the figures 
thrown out by Websense.

"I managed to get a copy of the Websense code this morning and the code 
itself is useless. There are no signatures. There's no way to identify 
malware using their tool unless you know what the malware is," Moore said.

He said Websense's claim that it was finding malicious code executables on 
thousands of Web sites could not be verified. "We're actually looking for 
known executables and we're not finding anything close to those numbers. 
The reality is that Google doesn't index that much malware. Not even 
close," Moore said.

In a July 10 interview with eWEEK, Dan Hubbard, senior director of 
security and technology research at Websense, said his company was finding 
thousands of hacker forums, newsgroups and mailing list archives hosting 
malware executables. "While we do not believe that the fact that Google is 
indexing binary file contents is a large threat, this is further evidence 
of a rise in Web sites being used as a method of storing and distributing 
malicious code," Hubbard said.

In Moore's malware search engine, a query for the virulent Bagle worm 
returned 20 results, most from list archives hosting what appear to be 
screensaver files.

The engine, which uses fonts, colors and a logo that resembles Google's, 
will also provide results for simple keywords like "email," "trojan" or 
"keylogger."

Moore said he does not plan to spend much time on the project unless Google 
starts indexing more malware samples. He has released the code for a malware 
signature generator, a malware Google API signature search and a malware 
downloader, and expects others to build on his work.

Websense's Hubbard said he was surprised by Moore's claim that the company 
was not sharing its information. "As per our original statements we have 
shared this information with hundreds of researchers around the world and 
have posted it into several mailing lists. We have also received gratitude 
from several researchers for creating a useful tool to assist in the war 
against malicious code," Hubbard said in an e-mail exchange July 17.
