Virus Trackers Find Malware With Google
Casper the Angry Ghost writes "Malware hunters have figured out a way to use the freely available Google SOAP Search API, as well as WSDL, to find dangerous .exe files sitting on thousands of Web servers around the world. Queries can be written to examine the internals of web-accessible binaries, thus allowing the hunters to identify malicious code from across the internet." From the article: "We're finding literally thousands of sites with malicious code executables. From hacker forums, newsgroups to mailing list archives, they're all full of executables that Google is indexing. About 15 percent of the results came back from legitimate Web sites hijacked by malicious hackers and seeded with executables."
do no evil, rat out evil (Score:5, Interesting)
This raises Google's "no evil" equity significantly. Any mechanism to sniff out, identify, and hopefully proactively take measures to protect against the evil that is the web and its sinister demographic is a good thing.
So, Google takes the "do no evil" a step further and calls evil out.
There is a quote from the article I don't quite understand,
Is there some potential badness that Google is indexing binary file content? What might that be?
Re:do no evil, rat out evil (Score:5, Interesting)
In any case, the only thing I can figure about the quote is that Google indexing these sites helps to spread the malware around. Somebody could type in "l337 hax0rs hax" and end up at a malware site.
Re:do no evil, rat out evil (Score:4, Insightful)
Only if you're looking for it in the first place (like if you're a hacker). It doesn't affect Joe-Average.
Re:do no evil, rat out evil (Score:1)
I really have no idea why this was included in the article at all.
Re:do no evil, rat out evil (Score:3, Funny)
I really have no idea why this was included in the article at all.
For 'balance'. Duuuuhhh!
Re:do no evil, rat out evil (Score:2)
Re:do no evil, rat out evil (Score:2)
On the evil side, google could just make it easier for people to gain access to malware. I think it's probably g
Re:do no evil, rat out evil (Score:1)
Re:do no evil, rat out evil (Score:2)
Somebody could type in "l337 hax0rs hax" and end up at a malware site.
Surely if that is the query then they *want* to end up at a malware site?
(O.K. Feel free to follow up with the "whoosh" comments now).
Re:do no evil, rat out evil (Score:3, Funny)
You know, in Alaska, they have a joke about how one goes about hunting Polar Bears.... 'just go out there, they will find you.'
Re:do no evil, rat out evil (Score:2, Funny)
http://www.google.com/search?q=l337+hax0rs+hax [google.com]
... what Flash really is, or is 75% of all companies of THE WORLD, hax0rs? ...
... I'm no Hacker
too right, some of the results are humorous
(2nd page)
Is Your Son a Computer Hacker - Comments - Page 1
sooo in other words... i must be a "l337" hacker because as a magic 8ball says
www.adequacy.org/stories/hacker.comments.page.1.html - 887k - Cached - Similar pages
N074H4x0r
The B3atles Were Hax0rs.
Re:do no evil, rat out evil (Score:2, Insightful)
Re:do no evil, rat out evil (Score:2)
Re:do no evil, rat out evil (Score:1)
Re:do no evil, rat out evil (Score:5, Insightful)
The computer industry does have a nasty history of "shooting the messenger" when malware is reported. People really don't want to know that their machine has been compromised, especially if it implies lax security on their part. They routinely react by firing or prosecuting the people who do anything to pinpoint security problems like this. We can expect to read stories of threats against people who use this Google feature to find security problems.
The obvious explanation here is the old "stupidity rather than malice" saying. But this might not always be true. When someone in authority attempts to punish someone for exposing a security problem, you should probably assume that they understand what they're doing and have a motive for their action. It's likely that some of those with the authority to punish messengers are doing so because they don't want the problems exposed, for reasons of personal (or institutional) profit.
Indexing these MAY be exploitable (Score:5, Interesting)
The idea is to put up useful content into the web site, along with the exploit. Google will index, and when the target searches google, the code will be injected into the search results.
Of course, this needs hacking; both trying to figure out what google will allow in the content section, and to find a browser exploit that can be exploited.
Just sayin...
Your point of trust (as the target) is your browser. Which means ONLY open source browsers should be used. Those, at least, are controllable as to the exposure and behaviour when being delivered content.
Ratboy
Re:Indexing these MAY be exploitable (Score:2)
Ratboy, you're not making sense with this: Your point of trust (as the target) is your browser. Which means ONLY open source browsers should be used. Those, at least, are controllable as to the exposure and behaviour when being delivered content.
Most users who are 1) not programmers or 2) are programmers but have no familiarity with a particular browser source tree, don't have any more control over how content is handled by the browser with the exception of usi
Re:Indexing these MAY be exploitable (Score:3)
Ratboy.
Re:Indexing these MAY be exploitable (Score:1)
Re:do no evil, rat out evil (Score:2)
Re:do no evil, rat out evil (Score:5, Insightful)
So, Google takes the "do no evil" a step further and calls evil out.
Drop the stupid melodrama. Google is a mechanism for searching for strings of bytes inside other strings of bytes, and prioritizing the results according to certain algorithms. "Calling evil out?" You're insane. I suppose the ANSI C function strstr() is also a Wielder Of The Sword Of Righteousness?
Is there some potential badness that Google is indexing binary file content? What might that be?
How about the RIAA using it to locate caches of MP3 files? It's plausible that a person might have personal backups of their music collection (or *shock* music they purchased on iTunes) and accidentally have those files on a public web server. (Or they could be pirates -- the point is, the technology is not "good" nor is it "evil").
Re:do no evil, rat out evil (Score:1)
I can't imagine how somebody would accidentally upload their music collection to a public web server.
Re:do no evil, rat out evil (Score:2)
You mean like hundreds of people do every day?
Having the files on a publicly accessible directory? Maybe. On one you can browse over port 80? That seems kinda unlikely.
And
Re:do no evil, rat out evil (Score:2)
you're kind of an asshole
Thanks. I try to keep my uncivilized behavior limited to Slashdot.
I'm feeling lucky (Score:1)
But as I understood it, the binary search is not available in the common search (only through APIs), so I guess this isn't really a problem. And if it were, Google could disable automatic redirection to executables.
Re:do no evil, rat out evil (Score:1)
SOAP? (Score:5, Funny)
Re:SOAP? (Score:1)
generate enough revenue to pay for itself.
(at least I hope not... God help us all if it does)
Re:SOAP? (Score:1)
Re:SOAP? - remake of FER-DE-LANCE (1974) :) (Score:2)
http://www.imdb.com/title/tt0071494/ [imdb.com]
'Snakes On A Sub'
PS: I much prefer 'Airport (1)', and 'Air Force One' as being the best of the 'airplane thrillers'.
Airport - http://www.imdb.com/title/tt0065377/ [imdb.com]
Air Force One - http://www.imdb.com/title/tt0118571/ [imdb.com]
Snakes on a Plane - http://www.imdb.com/title/tt0417148/ [imdb.com]
Re:SOAP? (Score:1, Funny)
Enough is enough! I've had it with this motherfucking malware on this motherfucking Google!
Correction (Score:5, Informative)
Re:Correction (Score:2)
Re:Correction (Score:2)
What Are They Talking About (Score:2, Funny)
Re:What Are They Talking About (Score:1, Funny)
$ whatis
they're just like .com files (Score:4, Funny)
So wait... (Score:3, Funny)
MY DAY HAS COME!!! MNMUAUAUAU!
EXECUTE? [Y/N] _
Re:So wait... (Score:2)
_
gg no rm
Y! (Score:2)
Re:Y! (Score:2)
Little did you know (Score:4, Funny)
Little did you know, even
Re:Little did you know (Score:2)
Because I'm pretty sure all three are unlikely, but potentially humorous.
Re:Little did you know (Score:5, Funny)
Re:Little did you know (Score:2)
Re:Little did you know (Score:2)
SiteAdvisor (Score:2, Insightful)
Re:SiteAdvisor (Score:1)
Web Site Contact (Score:3, Interesting)
They could also build a list of these sites to periodically check them to make sure the malware files have been removed.
And it would be nice if they allowed a search facility so some Firefox/SeaMonkey plugin could check to see if that site you are going to has malware installed.
Re:Web Site Contact (Score:3, Insightful)
Much better to just add the site to your personal list of things to avoid, and then forget about it.
Re:Web Site Contact (Score:3, Interesting)
Which doesn't help the rest of us. And why should a site owner get all bent out of shape if you tell them something they didn't happen to know? They must not be in direct control of the site or are
Re:Web Site Contact (Score:4, Interesting)
Or maybe a system to allow automatic DNS cache injection (on my own DNS client) to prevent lookups going to the correct (infected) site.
Once sites realize that big parts of the user base are cutting them off preemptively, they'll take notice and get rid of the crap so they can get users back.
Re:Web Site Contact (Score:1)
Re:Web Site Contact (Score:2, Interesting)
Re:Web Site Contact (Score:1)
Given the fact that Websense sells a product to block users from visiting different websites, I believe they will use the data for their product's database.
This has... (Score:2, Funny)
Securing the Search Engine? (Score:5, Interesting)
The 15% of sites that are reputable sites being attacked are the biggest threat. These are probably websites people visit often, and people should be warned. Perhaps even web browsers such as Firefox and IE could incorporate the API into a toolbar and warn users before a dangerous site loads.
My only question is how long does it take for the API to verify the potential threat of a webserver? Is it fast enough for these applications to be feasible? No one wants to wait for their websites to load.
Re:Securing the Search Engine? (Score:4, Insightful)
I mean, Joe Average, assuming we get him to eventually worry about malware, might look at the SOAP thing, not see a warning, and assume that means it's a safe site (which may or may not be true). Then he'll get nailed, thinking other precautions are unnecessary.
Re:Securing the Search Engine? (Score:3, Insightful)
Re:Securing the Search Engine? (Score:2)
How to (Score:5, Interesting)
Then, click View HTML
Re:How to (Score:2)
Re:How to (Score:2)
Well, for example, one might search for the binary string BAD403B80001EF, which would find you i386 video driver code, specifically a subset of that which is for older PIO-based cards with an additional nonstandard CRTC register at index 0x100.
Specific enough?
Re:How to (Score:2)
Re:How to (Score:3, Informative)
Re:How to (Score:2, Informative)
Re:How to (Score:2)
Re:How to (Score:1)
Re:How to (Score:2)
Just be careful when clicking the search links... (Score:5, Funny)
Re:Just be careful when clicking the search links. (Score:1)
Oh, wait, I just got a new MacBook/Parallels/WinXP. Dammit!!
Well, malware *writers* can do the same (Score:3, Interesting)
Erh... nope (Score:2)
Wait a second... (Score:2)
Re:Wait a second... (Score:2)
Um, so that Windows users can download them, maybe?
Just a guess
Re:Wait a second... (Score:1)
Well, technically... (Score:2)
But legit sites have URLs with exe? (Score:1)
Random example: https://www.thawte.com/cgi/server/status.exe [thawte.com]
Re:But legit sites have URLs with exe? (Score:2, Informative)
Hmmmm.... (Score:3, Funny)
Cdr. Data
Is there a way to check a specific site? (Score:1)
I have a few friends that run small sites and would like to check.
-flipsoft
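One way a site owner can answer this for a site they control, added here as an example (not from the article or any commenter): walk the web root and flag files that are executables by content rather than by name, since the article's point is that the indexer looks at binary content and a renamed .exe is still a PE file. It assumes local filesystem access to the document root and that the first 4 KiB of a file is enough to reach the PE header; the sample web root it scans is constructed inside the script.

```python
import os
import tempfile
from pathlib import Path

# Signatures are checked on file content, not the name: a PE file starts with "MZ" and stores the offset of its "PE\0\0" header at byte 0x3C; an ELF file starts with 0x7F "ELF".
HEAD_BYTES = 4096  # assumption: the PE header offset lies within the first 4 KiB

def classify_bytes(data: bytes):
    """Return 'pe', 'elf', 'mz' (DOS stub without a PE header) or None."""
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"MZ":
        pe_off = int.from_bytes(data[0x3C:0x40], "little")  # 0 if truncated
        return "pe" if data[pe_off:pe_off + 4] == b"PE\x00\x00" else "mz"
    return None

def scan_dir(root: str):
    """Walk a web root and list every file whose content is an executable."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                kind = classify_bytes(f.read(HEAD_BYTES))
            if kind:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, kind))
    return sorted(findings)

def fake_pe() -> bytes:  # constructed, minimal PE-shaped header, not a real program
    return b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little") + b"\x00" * 0x40 + b"PE\x00\x00"

def demo():
    """Build a constructed web root in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {
        "downloads/setup.exe": fake_pe(),
        "images/photo.jpg": fake_pe(),  # executable hiding behind a harmless name
        "tools/helper": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "index.html": b"<html><body>hello</body></html>",
    }
    for rel, data in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return scan_dir(root)
```

Point `scan_dir()` at a real document root to get the same (path, kind) list; anything reported that you did not put there deserves a look.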
Re:Is there a way to check a specific site? (Score:1)
ROTFL (Score:2)
So... (Score:1)
Re:So... (Score:2, Informative)
It's about time (Score:1)
Roll Your Own Google API Searches (Score:2, Insightful)