Tuesday, January 16, 2007

malware doesn't hide in search results

the article Malware Now Hides in Search Results has got to have one of the most misleading titles i've seen in a long time...

maybe it's just me but when i saw that i was thinking maybe some clever malware purveyor was gaming search engines to get his/her wares installed on victims' computers - maybe some novel exploit or social engineering trick...

instead its about how there's nothing in the search results... when you use a search engine to search for information on a piece of suspected malware by filename you often won't find anything... yeah, not exactly news to anyone whose been down in the trenches helping people get rid of malware anytime in the last decade or more - i suppose i should have said something sooner so that you wouldn't waste valuable moments of your life reading the article...

but apparently this is something prevx has discovered by analyzing 250,000 filenames... malware is increasingly using deceptive naming tactics - which is true when you consider that virtually all malware uses deceptive naming tactics (when was the last time you encountered properly labeled malware in the wild?) and the set of all malware is increasing in number... supposedly even expert users will find it next to impossible to get malware information this way - though i should hope expert users would already realize how incredibly useless filenames are for identifying malware (or anything else for that matter) what with that expertise including the ability to rename files to anything they choose...

filenames have never been sufficient to identify (and therefore get further information on) a suspected malware sample... what's snowwhite.exe in today's email could be rootkitrevealer.exe in tomorrow's email... that's why known-malware scanners look inside the file instead of just at the filename, and then users use the malware name given by the scanner to look up additional information... the best you can hope for with search results is to use them in a process of elimination sort of way - narrowing down the field of probable suspects by eliminating those which search results suggest are known good files (and then hope that the malware hasn't replaced a legitimate file with itself or actually infected a legitimate file)...

prevx and techworld/cso magazine, in a brilliant portrayal of captain obvious, have essentially just informed masses that you can't judge a book by it's cover...

1 comments:

cdman83 said...

The basic problem of the article is that it confuses two things: stuff you find with the search engine and the name of the downloaded files.

As you correctly state, search engines do not return direct links to executables. They return links to web pages. These web pages are manually (or semi-automatically) crafted and can by no means be characterized as "self propagating" (which is the essence of a virus/worm).

One place where random / misleading file names can be often encountered in the sense this article is talking about are the file sharing networks (Kaazaa, Gnutella, eDonkey) where you can find many bots which respond to any query with a (malicious!) executable file the name of which is obviously generated from the query.