Open Source Malware Search Engine

chr0.ot writes "Metasploit creator HD Moore has released an open-source search engine that finds live malware samples through Google queries. From the article: 'The new Malware Search project provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables.' The tool then searches for actual malware signatures and uses the signature output from ClamAV to find the name of the malware. This is then used in conjunction with a PE signature matching method to form a Google query. Afterwards the malware can then be downloaded directly from Google."

So..

[michaelhood]

Let me get this straight.. now Google is good for porn AND viruses?

How do the other engines stay in business?!?

Re:So..

[DaHat]

I knew they were evil.

Re:So..

[poolmeister]

Well they have the domain allevil.org [allevil.org] as an alternative to their native URL.

Re:So..

[Anonymous Coward]

..now Google is good for porn AND viruses?

So, basically, the Internet is exactly like real sex now, only easier to get.

Re:So..

[cp.tar]

Dunno... I still have to pay for the Internet connection.

Re:So..

[jb.hl.com]

Yeah...you plug in, and 20 minutes later you're infected.

Re:So..

[Intron]

Yes. Google is good for viruses [symantec.com]. I guess it works both ways.

Finding malware with search engine?

[broothal]

I wonder how they got that idea [slashdot.org]. I've never heard of it before [slashdot.org].

Re:Finding malware with search engine?

[The Ultimate Fartkno]

I bet the editor of this story lives in Belleville. /obscure?

Re:Finding malware with search engine?

[Anonymous Coward]

Netsense search isn't open source, as is pointed out in the article.

Also, this program supposedly highlights how relatively little malware Google actually indexes, contrary to the two earlier articles you cite. Thus this is an additional development, not a dupe.

Re:Finding malware with search engine?

[HTH NE1]

Then shouldn't those other articles be linked as related articles?

Re:Finding malware with search engine?

[kkuehl]

HD acknowledges that is where he got the idea. The point of his release is that it is opensource and available to anyone, unlike the websense version.

Re:Finding malware with search engine?

[Anonymous Coward]

I wonder if there's any way to use Google to find dup... triplicates.

Microsoft Version!

[LiquidCoooled]

Clippy:
It looks like your searching for viruses,
well your in the right place.

ps, anyone else notice that slashdot is like waiting for a bus, you wait for hours with no updates then 4 come along all at once.
Hope the problems have been fixed now.

About the bus metaphor

[Anonymous Coward]

you wait for hours with no updates then 4 come along all at once

Only if you mean the same one comes along four times.

Re:Microsoft Version!

[walruz]

ps, anyone else notice that slashdot is like waiting for a bus, you wait for hours with no updates then 4 come along all at once. You must be new around here!

Re:Microsoft Version!

[mingot]

Even a dumb ass like clippy knows the difference between "your" and "you're".

Re:Since we're off on a tangent anyway

[rufty_tufty]

As a silent grammar nazi myself I found it difficult to read the origonal post - my brain associates your and you're with different concepts.
I've got in the habit now when reading slashdot of if I can't understand a post, reading it as if i was speaking it (but silently of course).

I just can't read as fast when I have to do that.

Re:Since we're off on a tangent anyway

[Filip22012005]

I've got in the habit now when reading slashdot of if I can't understand a post, reading it as if i was speaking it (but silently of course).

I'm trying to read this sentence as if you were speaking it. And you sound sort of silly.

Re:Since we're off on a tangent anyway

[rufty_tufty]

Wow! The Lancastrian accent makes it over text - Cool!

Re:Since we're off on a tangent anyway

[rowama]

I've got in the habit now when reading slashdot of if I can't understand a post, reading it as if i was speaking it.

Didja read or speak this before posting? Improper verb usage, mangled propositional phrase, missing punctuation.

FTR, I'm not a grammar nazi, but you, by claiming such, opened you'reself up for a little good-natured criticism.

Regards.

Re:Since we're off on a tangent anyway

[rufty_tufty]

Good Point!
That's the reason I'm a silent Grammar Nazi - my particular dialect means I mess up many othe things - I'm just saying that some incorrect grammar usage make me cringe.
I always welcome advice on how I could improve my communication provided people tell me why I've gone wrong, rather than just saying I am wrong.

Re:Since we're off on a tangent anyway

[rowama]

Your being too kind.

Since I don't normally like to engage in the karma-damaging activity of trolling, I was hoping to get some bang-for-the-buck out of my post. Thus, I left two juicy pieces of bait (i.e., grammatical errors) in my post, and promptly started meta-moderating my heart out to counter the impending down-mod.

BTW, "my particular dialect" must mean english is an auxiliary language for you. Kudos on that and never apologize for the occasional mess-up. I am not among those who are multilingual, s

Re:Since we're off on a tangent anyway

[mooingyak]

Your being too kind.

Usually it's not worth the effort, but given this thread I just had too...

That should be:

You're being too kind.

Re:Since we're off on a tangent anyway

[thc69]

I just had too...

You just had what?

Re:Since we're off on a tangent anyway

[mooingyak]

I clicked submit, and then spotted that right away. I wish I could claim I did it on purpose, but I guess it's just that rule about grammar/spelling corrections having a goof of their own.

But pretending I'm all knowing and stuff and that I make no mistakes:

Just replace the ellipsis with "much beer"

Re:Since we're off on a tangent anyway

[rowama]

Hehe. Thx for the bite. Yes Virginia, persistence does pay;-)

Re:Since we're off on a tangent anyway

[rufty_tufty]

Tired of the karma burn, but what the hell!
"BTW, "my particular dialect" must mean english is an auxiliary language for you"
ROTFL
I am actually English as far back as we can trace the geneaology. Just from the north of England mixed with some Cornwall, combined with Mancunian with some Essex and London thrown in; so my upbringing WRT language is not the same as the Queen's English. hence correct grammar for my peers is not the same as the textbook definition. I still support correct usage of your/you're thei

Re:Since we're off on a tangent anyway

[aminorex]

> "my particular dialect"

There is a word for a language as used by a specific individual
speaker, and that word is "idiolect". Wars are fought because
particularly stupid people cannot accept the inescapable fact
that words *intend* (meaning 1) precisely what their speaker intends,
and regardless of what they *convey* (meaning 2) in the interpretation
of a listener or *connote* (meaning 3) in the instantaneous context
of the present evolutionary state of the dialect, which is in turn
distinct from the canonical

Re:Since we're off on a tangent anyway

[dhollist]

Isn't a propositional phrase something like, "will you marry me?"

Propositional Phrase

[sirrobert]

Bon mot. =)

You win!

[rowama]

Yep, it is. Congrats, you win the prize: a PS3 running Vista. This offer expires in 30 days.

Re:Since we're off on a tangent anyway

[mingot]

The your/you're thing is a pet peeve of mine. The extra vitrol was just revenge for the poster subjecting me to yet another "OMPG CLIPPLY LOLLZORS M$ SUCKS" post.

SO, how did your reply to me make YOU feel?

Re:Microsoft Version!

[avirrey]

Hit the refresh button. Comes with every browser on all OS's, and it won't download malware automatically.

Re:Microsoft Version!

[RealGrouchy]

ps, anyone else notice that slashdot is like waiting for a bus, you wait for hours with no updates then 4 come along all at once.

Just be thankful that you're not a subscriber. Then they'd all come early, and you'd miss them!

- RG>

Re:Microsoft Version!

[LiquidCoooled]

how do you know I'm not a subscriber?

I usually get to see them coming in the mysterious future and occasionally your right, just before they arrive at my bus stop, they turn off and vanish again.
The frustrating part is it normally only happens with the articles I really want to post something in.

First it was a dupe...

[BumpyCarrot]

Now it's a tripe.

Re:First it was a dupe...

[Tx]

Aha, I was wondering what the proper word for a dupe-de-dupe was!

Re:First it was a dupe...

[Sepper]

For thoses who aren't native english speakers (I am not, btw)
since:
2 == Duplicate [answers.com] (Dupe!)
3 == triplicate [answers.com] (Tripe)
4 == Quadraplicate [answers.com] (Quad!)
X == Make-up-your-own-plicate (Enough Already!)

Re:First it was a dupe...

[gatzke]

And I get modded offtopic? The freaking story was posted three times, I think that is relevant.

Is there more original ontopic stuff to say about a story we have seen THREE TIMES?

Re:First it was a dupe...

[Ash Vince]

Actually, no it isnt. Although morons who dont read the full article might thinks it was.

The previous stories

(http://it.slashdot.org/article.pl?sid=06/07/15/12 53240 and http://it.slashdot.org/article.pl?sid=06/07/11/131 220 [slashdot.org])

were referring to another security research co who did something similar and then refused to share it.
This story is about someone not liking that they wont share, going a little bit further than they did and then putting it on a website and enabling it to the full.

I looked at the previo

Headline can be misread as...

[phozz bare]

A search engine for open source malware?

-phozz

Can also be misread as...

[CaymanIslandCarpedie]

enignE hcraeS erawlaM ecruoS nepO

I wish google would incorporate this into searches

[transporter_ii]

I in no way think that google should block sites, but it would be nice if they would scan sites witht this -- especially for sites that install stuff through holes in IE -- and put a little icon on search results that return an infected site. That way you could at least have a heads up before you clicked on a search result about what you were getting into. It would also be great for Firefox, when everyone gets to see how many sites are exploiting IE.

Transporter_ii

Re:I wish google would incorporate this into searc

[lifgrd1979]

Sorry Google can't do it, McAfee already bought that startup - http://www.siteadvisor.com/ [siteadvisor.com].

Re:I wish google would incorporate this into searc

[KiloByte]

http://www.siteadvisor.com/

Holy crap. They list most of the worst offenders as "green" -- even crap like valueclick.com or lop.com.
I see that they fit into McAfee's quality pretty well.

Re:I wish google would incorporate this into searc

[westlake]

Holy crap. They list most of the worst offenders as "green"

McAfee's automated scans can't and won't red-flag a corporate home page simply because the company is on your personal black list. You might, however, take the time to post a comment.

Re:I wish google would incorporate this into searc

[BlindRobin]

Just thought you might like to know that this is broken at the moment.

McAfee SiteAdvisor

[westlake]

put a little icon on search results that return an infected site. That way you could at least have a heads up before you clicked on a search result about what you were getting into. It would also be great for Firefox, when everyone gets to see how many sites are exploiting IE.

Sounds rather like McAfee SiteAdvisor [siteadvisor.com] for IE and Firefox.

SiteAdvisor tests e-mail, downloads, and links. Give an e-mail address to Slashdot and you can expect 6.9 e-mails per week. Reports are detailed and comments can be posted.

Th

Move Quickly!

[jefu]

Good idea. Now you should Move Quickly and patent the idea.

(Unless McAfee has already done so since another poster notes they do something similar.)

So I am going to write a virus

[The Ape With No Name]

that snags a random payload off this site! Thanks Metasploit!

BTW, Dupe, Dupity Dupe, Dupe.

Re:So I am going to write a virus

[mysticgoat]

How can an article whose content says the earlier article was bogus be a dupe of the earlier article?

How can the initial announcement of a freely available tool be a dupe of the announcement of something that is not for public release?

Conclusion: there are a lot idjits on slashdot who have learned to waggle their fingers on the keyboard and therefore think they are clever. Oh so clever.

Slashdot has become the proving ground for kids who wanna grow up to be one of the million monkeys...

Re:So I am going to write a virus

[slowbad]

proving ground for kids who wanna grow up to be one of the million monkeys

This latest parlor trick will allow kids who can't write viruses to at least be able to collect them. Their very own petting zoo -- complete with some of the exotics -- and some new friends to play with!

Re:So I am going to write a virus

[mysticgoat]

Pshaw.

(Always wanted to say that. Wonder what it sounds like?)

You can buy anything online these days, including low number slashdot IDs, ibetcha.

And anyway I'm living proof that the mind of a toddler can exist in an aging, decrepit body.

Re:Ducking Fupes

[e4g4]

An offtopic reply to an offtopic post:

Personally, I'm rather tired of reading comment after comment pointing out that a given article is a dupe - I think the tagging system is sufficient to identify dupitude (hey, you're allowed to make up words in english). If the article's a dupe, don't read it, and by all means, don't comment - just ignore it like the articles that don't interest you.

Re:Ducking Fupes

[The_REAL_DZA]

Yeah, like that's the first time we've heard THAT statement made.

Thank God!

[skinnygmg]

I just bought a new PC, and i have no viruses yet.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Thank God!

[Anonymous Coward]

He's right. I just opened a shell on his machine, and ran a virus scanner. He's clean.

Re:Thank God!

[jimwelch]

Because he never connected it to the internet.
or
Because he never turned it on yet.
or
Because it runs Linux xyz/xyz BSD/...

Re:Thank God!

[pNutz]

I just bought a new PC, and i have no viruses yet.

How do you know?

How could [arstechnica.com] he know?

Microsoft Malware Remover says so!

[The MAZZTer]

Duh!

Re:Thank God!

[logikalentropy]

Does it have Windows on it? Windows is a virus you know. It just spreads and spreads, and breaks down your system.

I wonder...

[Anonymous Coward]

what MS has to say about this.
This is outright competition for their closed source malware search engine IE.

I use Windows

[Cro Magnon]

I don't need a search engine to find malware.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:I use Windows

[Opportunist]

That's right, Windows provides this service to you, free of extra charge, it's bundled into the system and can't be removed easily, despite some claims by other malware writers who claim they can't make business because of that!

Just click start - search...

and coming soon...

[trianglecat]

- the bag of snakes locator
- the shard of glass necktie finder
- the kick in the crotch searcher

Seriously, if this were part of your search results as a heads up of what to avoid I can see it being quite valuable. But, short of research or bad intentions... why do i want to find live malware?

Re:and coming soon...

[RingDev]

Imagine being an "IT Guy" for a non-tech company. You've been seeing some odd network behavior, so you fire up google and search your domain for malware. It quickly identifies that Jan in Accounting has a malwar port sniffer running trying to phone home. The combination of this system and using Google for internal searches could make Google a sudden major competitor in the anti-malwar campaign.

On the broaders scale, IHPs will be able to keep an eye on their customers to see if any servers are hosting malwar

I guess I don't understand

[airlynx]

I do this on a daily basis for my Windows laptop, I search through my running processes to find strange things, search them on Google, then cross-reference them from my browser history, then I interrogate my wife to find out why she visited some of the stupidest sites on the internet. That's about when I remember she's a MySpace user, and no matter what I do that laptop is screwed.

Re:I guess I don't understand

[McFly777]

Hey, some people enjoy that sort of thing (being interrogated, tortured, etc.). Please try to keep an open mind. ;-)

Re:I guess I don't understand

[doti]

I do this on a daily basis for my Windows laptop, I search through my running processes to find strange things, search them on Google

You really should try the excelent ProcessExplorer from SysInternals [sysinternals.com].

Re:I guess I don't understand

[CastrTroy]

Well, if it's your windows laptop, and she keeps on messing it up, maybe you shouldn't let her use it anymore. Tell her that until she learns how to use a computer without messing it up, that she isn't allowed to use it. Maybe it seems like something you'd tell a child, or you think that she won't love you anymore, it's probably the best solution.

Re:I guess I don't understand

[airlynx]

It's OUR laptop, given to US as a gift, which altogether means it's hers. I just stick to my Linux computer and put the headaches in to fix the laptop. If I don't feel like fixing the laptop, I don't.

Either way, I sort of enjoy the torture of fixing the thing, you learn a lot that way. That and I enjoy the interrogation bit, she comes up with some great excuses that I sometimes use later at my job.

Careful...Skynet...Matrix...DupeDot...

[The_REAL_DZA]

...The tool then searches for appropriate responses and posts a response to the new article on Slashdot proclaiming it to be a dupe...

Sounds like this thing's just a few modules short of obsoletizing us all; give this thing a "beowulf cluster" module and a "in Soviet Russia" module and it'd be pretty well self-contained. Any day now it'll be welcoming it's overlord self...

the other way around?

[luag]

"to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables" we should be able to do it the other way around too. enter the url for websites we suspect first then list if the websites host malicious executables. imo its more useful that way :)

What agreement?

[RagingFuryBlack]

So, oss malware? Is it free-as-in-beer or free-as-in-speech malware? Do I still need to accept an EULA to infect my friend's PCs or is it all GNU'D?

*sniff*

[Opportunist]

Do I smell an idea I should forward to marketing...?

Re:*sniff*

[funfail]

The idea was partly implemented by SiteAdvisor.com (now a part of McAfee).

Re:I'm feeling Lucky

[Barny]

Most "free" file shareing programs have had this implemented for a long long time ;)

AWRIGHT!! an OS infector! w00t!

[swschrad]

pray tell WTF difference is this from another virus kit? this dude's life is going to be a screaming hell when everybody tees off on him.

Re:AWRIGHT!! an OS infector! w00t!

[infosecpodcast]

pray tell WTF difference is this from another virus kit? this dude's life is going to be a screaming hell when everybody tees off on him.

Do you mean HD Moore? lol...he's a pretty well respected security researcher. I dont think there will be "that" many people teeing off on him.

--C

gcc, worm, trojan

[noamt]

1. It looks like there's a copy of "Worm.Bagle.Z" on GCC's server:
gcc.gnu.org / ml/gcc-prs/2004-05/msg00008 / the_message.scr
(don't open the URL from Windows, or at all. My AV detected the file as "W32.Beagle.gen", right after I downloaded it).

2. Search the engine for "worm" or "trojan" and you'll get tons of them.

Re:gcc, worm, trojan

[idonthack]

Doing a strings on it produces some Windows DLL names, function names like "InternetOpen", and a few fragments of strange text. file says it's a Windows executable. Weird... I wonder what it's doing on the gcc servers.

Re:gcc, worm, trojan

[tabrisnet]

That's obvious if you read the URI. It's a mailing-list archive, and it keeps copies of attachments.

No wrongdoing involved by GNU, tho perhaps they should delete that message.

what is the use case?

[mapkinase]

Is it like I am a webmaster and I am blocking visits from the blacklisted websites?

Obvious question

[grolschie]

Does it locate the Windows Genuine dis-Advantage malware?

Anti-Spyware

[simonscatt]

Many programms include spyware modules. Use anti-spyware for protect your privacy.
As for me, I like professional anti-spy software like PrivacyKeyboard by Raytown Corporation LLC.
You can download it here: http://download.softsecurity.com/1/14/prvkbd.zip [softsecurity.com] (~4MB)

Anti-Spyware: Efficiency of the Means of Defense [trap17.net]

Open Source AV

[jspencelee]

How long will it be before there is no such thing but and open source AV? There is just no way a closed source AV will be able to adapt as fast as the virus-sphere. especially when you read about these highly targeted Trojans coming from China and Russia. http://www.securityfocus.com/news/11222 [securityfocus.com] I have Clam AV on an Astaro box (linux based UTM) and I've always been pleased with the perfromance.