Mining for Malicious Code with Google
Date: 07.10.2006
Threat Type: Informational Alert
There have been a few blog posts from outside parties on the subject of Google's search engine indexing not only file types such as PDF and DOC, but executable files as well. A Google query for "Signature: 00004550" returns numerous links to executable files. The reason this search works is that when Google indexes an executable, it parses the PE file format of the Windows executable. One of the things extracted from the PE file is the signature "4550", the NT signature ("PE\0\0"), present in all valid Win32 PE files.
As an experiment, we searched Google with Google's own API to find malicious executables that Google's search engine had indexed. We queried not only for the NT signature, but also for unique identifiers within the PE file format that would suggest the file was potentially malicious.
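The two paragraphs above describe indexing the NT signature and other PE header fields. The following added example (not Google's code or the original alert's) shows what such extraction looks like: a minimal parser that walks the DOS header to the NT headers, checks for the 0x00004550 signature and pulls out the IMAGE_FILE_HEADER fields a researcher might index or query. The sample file bytes are constructed inline.

```python
import struct

DOS_MAGIC = 0x5A4D          # "MZ" at offset 0 of every PE file
NT_SIGNATURE = 0x00004550   # "PE\0\0" read as a little-endian DWORD; hex 4550

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM"}

def parse_pe_header(data: bytes) -> dict:
    """Return basic IMAGE_FILE_HEADER fields, or raise ValueError if not a PE file."""
    if len(data) < 0x40:
        raise ValueError("too short for a DOS header")
    e_magic, = struct.unpack_from("<H", data, 0)
    if e_magic != DOS_MAGIC:
        raise ValueError("missing MZ DOS magic")
    # e_lfanew at offset 0x3C gives the file offset of the NT headers
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        raise ValueError("e_lfanew points past end of file")
    signature, = struct.unpack_from("<I", data, e_lfanew)
    if signature != NT_SIGNATURE:
        raise ValueError("NT signature 0x%08X != 0x00004550" % signature)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "signature": "%08X" % signature,      # the string Google indexes: 00004550
        "machine": MACHINE_NAMES.get(machine, "0x%04X" % machine),
        "sections": nsections,
        "timestamp": timestamp,
        "optional_header_size": opt_size,
        "is_dll": bool(chars & 0x2000),        # IMAGE_FILE_DLL
    }

def build_sample_pe() -> bytes:
    """Constructed sample: a DOS header and NT headers with no code or sections."""
    hdr = bytearray(0x80)
    struct.pack_into("<H", hdr, 0, DOS_MAGIC)
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # NT headers start at 0x40
    struct.pack_into("<I", hdr, 0x40, NT_SIGNATURE)
    # i386, 3 sections, a constructed TimeDateStamp, opt header 224 bytes,
    # Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x014C, 3, 0x44A7A1B0, 0, 0, 224, 0x0102)
    return bytes(hdr)

if __name__ == "__main__":
    print(parse_pe_header(build_sample_pe()))
```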
Our results show that we were able to collect thousands of malicious binaries. Most were posted to newsgroups under false names that would normally trick a user; we also found many on forum sites, as well as on regular personal, educational, compromised, and underground sites. We also found several pieces of spyware on poker and casino sites. We found variants of the Bagle and Mytob worms, various trojans, and many other malicious binaries.
While we do not believe that Google indexing binary file contents is a large threat in itself, it is further evidence of the rise in websites being used as a method of storing and distributing malicious code. It should also be noted that although this is a useful tool for security researchers to discover malicious code, the potential for malcode authors to use it is also there.
There is, however, the potential for malicious code authors to embed strings within their binaries that match common search terms in order to dupe users into running the code. Of course, without actually exploiting a vulnerability, the user would still have to agree to run the code.
References:
Google indexing executable files:
http://homemade-tutorials.blogspot.com/2006/06/google-indexing-executable-files.html
Some Google Results Are EXE Files:
http://googlesystem.blogspot.com/2006/06/some-google-results-are-exe-files.html
Google indexes .exe files - possible threat:
http://digg.com/security/Google_indexes_.exe_files_-_possible_threat