Google Search for Malware and Viruses

[Image: malware_search.jpg]
While surfing I found an article about viruses from PCWorld, “Google Binary Search help Identify Malware”. Google has a little-known capability to search binaries, which is useful for finding malware and virus binaries across the internet. This Google hack has been implemented by the Metasploit research team, who provide a good interface and a signature database of viruses and malware. The malware search interface is accessible at http://www.metasploit.com/research/misc/mwsearch/.

The project page describes how it works, and also provides Ruby scripts to generate signatures, search for binaries matching a signature, and download them (basically it just wgets them).

The installation I did on Fedora went smoothly: I installed ruby 1.8.6, ruby-google and soap4r. ruby-google connects to the Google API using SOAP, so I had to install soap4r first, then ruby-google.

This is a sample of one virus found, Message.pif (Worm.Bagle.N-1). This is the clamscan result:

Message.pif: Worm.Bagle.N-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 152764
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 2.592 sec (0 m 2 s)

This is the sample usage of the ruby scripts:

$ ./mwsig.rb Message.pif
4053c6c2:00010000:0000e5b0:00005000
$ ./mwsearch.rb 4053c6c2:00010000:0000e5b0:00005000
1 http://archives.neohapsis.com/archives/fulldisclosure/2004-04/att-0795/Message.pif
# ./mwdownload.rb bin to_download
--09:17:57-- http://archives.neohapsis.com/archives/fulldisclosure/2004-04/att-0795/Message.pif
=> `bin/0.bin'
Resolving archives.neohapsis.com... 72.32.12.210
Connecting to archives.neohapsis.com|72.32.12.210|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 21,871 (21K) [text/plain]

100%[=================================================================================================================>] 21,871 21.57K/s

09:17:59 (21.55 KB/s) - `bin/0.bin' saved [21871/21871]

This is the sample search on google.com. It searches on the following information:
1: Virus/malware name
2: Time & date stamp
3: Size of Image
4: Entry Point
5: Size of code

Items 2 to 5 are the four segments of the signature created by mwsig.rb.
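To make the signature concrete, here is an added example (my own code, not mwsig.rb or anything from the Metasploit project) that reads the four PE header fields directly and prints them in the same colon-separated, eight-hex-digit layout. It assumes the segment order shown above (TimeDateStamp, SizeOfImage, AddressOfEntryPoint, SizeOfCode); the tiny MZ/PE header it builds for the demo is constructed, not a real sample, and the file name argument and helper names are my own.

```ruby
# Added example (not mwsig.rb or any Metasploit code): derive the same kind of
# signature from a PE file's headers. Assumed format, following the order shown
# above: TimeDateStamp:SizeOfImage:AddressOfEntryPoint:SizeOfCode, 8 hex digits each.

# Build the "timestamp:size_of_image:entry_point:size_of_code" signature for a
# PE image given as a binary string. Raises ArgumentError on anything that is
# not a sane PE header, so a truncated or non-PE file is reported, not mis-signed.
def pe_signature(data)
  data = data.b                                  # treat the input as raw bytes
  raise ArgumentError, "file too short for a DOS header" if data.bytesize < 0x40
  raise ArgumentError, "not an MZ executable" unless data[0, 2] == "MZ"

  e_lfanew = data[0x3C, 4].unpack1("V")          # offset of the PE signature
  # PE signature (4) + COFF header (20) + the 60 optional-header bytes we read
  raise ArgumentError, "truncated PE header" if e_lfanew + 84 > data.bytesize
  raise ArgumentError, "missing PE signature" unless data[e_lfanew, 4] == "PE\0\0"

  coff      = e_lfanew + 4                       # IMAGE_FILE_HEADER
  timestamp = data[coff + 4, 4].unpack1("V")     # TimeDateStamp
  opt_size  = data[coff + 16, 2].unpack1("v")    # SizeOfOptionalHeader
  raise ArgumentError, "optional header too short" if opt_size < 60

  opt   = coff + 20                              # IMAGE_OPTIONAL_HEADER
  magic = data[opt, 2].unpack1("v")
  raise ArgumentError, "unknown optional header magic" unless [0x10b, 0x20b].include?(magic)
  # These three fields sit at the same offsets in PE32 (0x10b) and PE32+ (0x20b).
  size_of_code  = data[opt + 4, 4].unpack1("V")
  entry_point   = data[opt + 16, 4].unpack1("V")
  size_of_image = data[opt + 56, 4].unpack1("V")

  [timestamp, size_of_image, entry_point, size_of_code]
    .map { |v| format("%08x", v) }.join(":")
end

# Constructed sample: a minimal MZ/PE header (not a runnable program) with the
# four fields filled in, so the example runs without any real malware sample.
def build_sample_pe(timestamp:, size_of_image:, entry_point:, size_of_code:)
  e_lfanew = 0x80
  dos = ("MZ".b + "\0".b * 0x3A + [e_lfanew].pack("V")).ljust(e_lfanew, "\0".b)
  # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
  # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
  coff = [0x14c, 1, timestamp, 0, 0, 224, 0x0102].pack("vvVVVvv")
  # PE32 optional header through SizeOfHeaders, zero-padded to 224 bytes
  opt = [0x10b, 6, 0, size_of_code, 0, 0, entry_point, 0x1000, 0x6000, 0x400000,
         0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, size_of_image, 0x400]
        .pack("vCCVVVVVVVVVvvvvvvVVV").ljust(224, "\0".b)
  dos + "PE\0\0".b + coff + opt
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby pe_sig.rb <file.exe>; with no argument, the constructed sample
  # reproduces the Message.pif signature quoted above.
  data = ARGV[0] ? File.binread(ARGV[0]) :
         build_sample_pe(timestamp: 0x4053c6c2, size_of_image: 0x10000,
                         entry_point: 0xe5b0, size_of_code: 0x5000)
  sig = pe_signature(data)
  puts sig
  puts "link time: #{Time.at(sig.split(':').first.to_i(16)).utc}"
end
```

Because the signature is nothing more than four header values, two builds of the same source with the same linker settings will usually share it, which is what makes it a handy pivot for finding copies of a known sample, while a trivially repacked file gets a different signature. The timestamp decode at the end is there for triage: a link time that makes no sense for the claimed file is an easy first red flag.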

One thought on “Google Search for Malware and Viruses”

  1. Nice information there. So Farhan, how do we block those adware and malware? My PC is getting slow now, tons of them here... BTW, nice blog you have here.
