Google does AV (and Tatooine tennis)

Greetings, Earthling. Take me to your IT Blogwatch, in which Google turns anti-virus scanner. Not to mention Tatooine tennis (filmed entirely on location)...

Google search helps Websense dig up malware, reports Robert McMillan:

A little-known capability in Google Inc.'s search engine has helped security vendor Websense uncover thousands of malicious Web sites as well as several legitimate sites that have been hacked [...] By taking advantage of Google's binary search capability, Websense has created new software tools that can sniff out malware using the popular search engine. Websense researchers Googled for strings that were used in known malware like the Bagel and Mytob worms and have uncovered about 2,000 malicious Web sites over the past month [...] Though Google is widely used to search the Internet for Web pages and office documents, the search engine can also peek through the binary information stored in the normally unreadable executable (.exe) files [...] The most interesting thing about Google's binary search capability is not its security implications [...] but the fact that it shows that Google may be thinking about becoming a file searching service.
Claudiu Spulber shows us how:

See this, search for "Signature: 00004550" and you'll see about 200,000 results of executable files being indexed. This is possible because a link to a normal website was redirected automatically to an executable file (probably from apache), as you can see for skype where the page www.skype.com/go/getskype appears in the first position and if you click, Skype will start downloading automatically. You also have the choice of clicking the View as HTML link and just as with other formats, the file information is displayed [...] this is a security risk, even a high one. Because sites full of spyware might use this redirect bug to have spyware executables indexed and when the user clicks it, automatically installing all the malware in the world [...] So if a normal user searches to install a clean program it's possible to accidentally end up installing some spyware.
Frank "+++ATH" Hayes really likes it:

It's like an antivirus scanner for the whole Internet. Websense says it doesn't plan to release its code, for fear of making things easy -- well, even easier -- for script kiddies. But anyone who can figure out Google binary search and has (or can acquire) a database of malware signatures can probably do the same thing. At that point, does the game change for Internet security? For example, if your IT shop could subscribe to a service that continuously updates your firewall with a list of evil websites to blacklist in real time, wouldn't that be more attractive than never-often-enough updates of virus signatures? But, gee -- who would be able to continuously hammer on the Google databases to keep such a service up to date?
Ionut Alex. Chitu senses danger (Will Robinson):

Google has a habit of indexing everything (which is not necessarily a bad thing), except if the file is an EXE and it contains spyware [...] What's interesting is that the results have addresses that make you think there's nothing wrong with them (like crcdatatech.com/help), they don't have an EXE extension and when you go to the site you're prompted to download the file. And if you click "run" instead of "save" or "cancel", prepare for the worst. I think Google should remove all dangerous files from their index (EXE, MSI, COM, REG) and that should be an easy task, as they have a very similar pattern.
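The two posts above turn on the same fact: "Signature: 00004550" is the little-endian DWORD for the bytes "PE\0\0" at the start of a Win32 executable's NT header, and a download can be a PE file even when its URL looks like an ordinary page and carries no .exe extension. The following is an added example written for this page, not code from Google, Websense or any of the quoted bloggers. It shows the defender-side counterpart of Chitu's suggestion: classify a fetched body by its bytes (PE signature, OLE compound magic for MSI, the registry-script header for REG) rather than by URL or declared Content-Type, and flag executables hiding behind page-like URLs. The URLs, the `should_block` policy helper and the sample fetches are constructed for illustration.

```python
import struct
from typing import Dict, List, Tuple

# 0x00004550 is the little-endian DWORD for the bytes "PE\0\0" (IMAGE_NT_SIGNATURE),
# which every Win32 executable carries at the offset stored in the DOS header's e_lfanew.
PE_SIGNATURE = 0x00004550
# MSI packages are OLE compound files; this is the well-known OLE header magic.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# .reg scripts start with one of these text headers.
REG_HEADERS = (b"Windows Registry Editor Version 5.00", b"REGEDIT4")


def is_pe_executable(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the NT headers
    if e_lfanew + 4 > len(data):
        return False  # truncated or bogus e_lfanew; never read past the buffer
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    return signature == PE_SIGNATURE


def sniff_type(data: bytes) -> str:
    """Classify a body by magic bytes only; extension and Content-Type are ignored on purpose."""
    if is_pe_executable(data):
        return "pe-executable"
    if data.startswith(OLE_MAGIC):
        return "ole-compound (msi/office)"
    text = data.lstrip(b"\xef\xbb\xbf\r\n ")  # tolerate a UTF-8 BOM or leading whitespace
    if any(text.startswith(h) for h in REG_HEADERS):
        return "registry-script"
    return "other"  # .com files have no magic, so they cannot be recognised this way


def should_block(url: str, content_type: str, data: bytes) -> Tuple[bool, str]:
    """Hypothetical gateway policy: block known executable types, and call out the
    mismatch when one arrives from a page-like URL or with a text/* Content-Type."""
    kind = sniff_type(data)
    if kind == "other":
        return (False, "allow: body is not a recognised executable type")
    page_like = not url.lower().endswith((".exe", ".msi", ".com", ".reg"))
    if page_like or content_type.startswith("text/"):
        return (True, f"block: {kind} served as {content_type!r} from page-like URL {url}")
    return (True, f"block: {kind} download")


def build_minimal_pe() -> bytes:
    """Constructed stand-in for an executable: DOS header with e_lfanew=0x40, then 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\x00" * 20


# Constructed sample fetches (URL, declared Content-Type, body); none are real sites.
SAMPLE_FETCHES = [
    ("http://example.invalid/go/getclient", "application/octet-stream", build_minimal_pe()),
    ("http://example.invalid/help", "text/html", build_minimal_pe()),
    ("http://example.invalid/index.html", "text/html", b"<html><body>hello</body></html>"),
    ("http://example.invalid/setup.reg", "text/plain",
     b"Windows Registry Editor Version 5.00\r\n[HKEY_CURRENT_USER\\Software]\r\n"),
]


def audit(fetches) -> List[Dict[str, object]]:
    """Run the sniffer and policy over a batch of fetches and return one record per fetch."""
    results = []
    for url, content_type, body in fetches:
        blocked, reason = should_block(url, content_type, body)
        results.append({"url": url, "kind": sniff_type(body), "blocked": blocked, "reason": reason})
    return results


if __name__ == "__main__":
    for record in audit(SAMPLE_FETCHES):
        print(record["url"], "->", record["kind"], "|", record["reason"])
```

The second sample fetch is the case Spulber and Chitu describe: a body that is a PE image, served under a URL with no extension and a text/html Content-Type. The verdict comes from `is_pe_executable`, so neither the extension nor the header can talk the check out of it; a real gateway would add hashing and a signature lookup on top of this classification.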
Michael Santo says:

Very cool. Nope, I didn’t know about this binary search capability. There are plans to share the tools with security researchers, but they don’t plan to make the code public … there is the chance (and I can see this), as the article says, that these tools could be used to search for malware to download and use rather than “buying them on the black market”.
Jon Henshaw muses on copyright and SEO:

[Google] may be prepping for a new software search engine. Software search engines and repositories aren’t new, but having the ability to easily search for useful software code from any binary that Google has spidered and indexed would be both massive and new. I also see a few other places where Google’s binary search might be used [...] The ability to search binaries seems like an excellent tool to search for code that’s been illegally copied and used in software. I could easily see a company like Copyscape integrating Google’s binary search into their copyright search engine and alert service. It also seems like a perfect fit since Copyscape and Google already have a working relationship [...] I can’t help but ponder the possible SEO implications that binary search might have. Here’s my list of wild guesses on how it might be used (and abused) depending on how Google integrates it into their overall search engine algorithm:
  • Creating and linking to dummy binaries that are stuffed with keywords, thus improving SERPs and falsely driving traffic to websites.
  • Similar to the first idea, recompiling legitimate software to include meta information (title, description, keywords) that Google can read. I sense a new standard approaching.
  • If providing binaries does have a positive impact on SERPs, expect to see a rush to create or distribute applications. Similar to free article websites like ArticleCity.com, we could see the proliferation of free software websites that go way beyond traditional software distribution sites like VersionTracker and Download.com.
furtwan1 doesn't believe the hype -- sort of:

You'd have to be stupid enough to download the exe, then when IE tells you that the exe could contain viruses (I assume FF does this too) you would have to ignore the warning and run it anyway. So yeah, you're right that most people on the internet should be on the lookout. (i.e., they are stupid enough to do the above)
Buffer overflow:

And finally... Tatooine tennis [hat tip: b3ta]

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.

Copyright © 2006 IDG Communications, Inc.