There have been a few blogs out there on the subject of Google indexing not only PDFs and Docs, but executable files as well. A simple query for “Signature: 00004550” results in 192,000 (if Google’s count is accurate) links to executable files. The reason this search works is because when Google indexes the executable file, it parses the Portabe Executable (PE) file format of the windows executable. One of the things that is extracted from the PE file is the signature “4550″, the NT signature, present in all valid win32 PE files. if you look at the cache, you’ll see something like this:
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 3b7dc821
Symbols Pointer: 00000000
You can even many find innocent-looking sites that redirect to EXE files with spyware.
What’s interesting is that the results have addresses that make you think there’s nothing wrong with them (like for instance : http://www.crcdatatech.com/help/), they don’t have an EXE extension and when you go to the site you’re prompted to download the file. And if you click “run” instead of “save” or “cancel”, ahh, be prepare for the worst.
HDM (Metasploit) went on his own and developed a Malware search engine and he’s generous enough to release the code as well. You just have to type the name of a virus and you can find the queries that produce malware as search results. Some examples: MyDoom, Klez, BadTrans and other worms and trojans. He used some very well written Ruby scripts and Google API to search for almost 300 malware signatures. More info on his tool can be found here.
Blogged with Flock