HD Moore, the lead developer for the Metasploit Framework open-source exploit project, created a tool and posted code that shows how to use Google to look for specific data strings -- which Moore dubbed "fingerprints" -- within code already defined as malicious.
He worked with others, including researchers at the Offensive Computing project -- who gave him access to their malware database -- to create the code, which includes a malware signature generator, a malware Google API signature search application, and a malware downloader.
Last week, San Diego-based Websense noted that Google indexes binary files, in particular some Windows executables, and in general terms described how it created a toolset that used the search engine's API to automate detection of malware and malicious code-infected sites on the Internet.
In a July 10 interview, Dan Hubbard, Websense's senior director of security, said the company would share the search tools only with a select group of researchers. Moore was obviously not among them; in the notes he posted Monday he credited "Websense for refusing to share code."
Tuesday, Moore disputed Websense's earlier findings that it had found more than 2,000 sites hosting malware. "I was expecting better results than what I found," he said. "In the four gigs of executables I downloaded, I didn't find that much [malicious code]." Of the 2,400 sample executables he looked at, he found only 127 that contained malware.
Websense's Hubbard countered that Moore wasn't finding all there was on the Web because his signature sample was small. "One very simple way to expand the results is to not look for malware, but to look for attributes of malicious code," said Hubbard. "Rather than looking for strings within Bagle or MyDoom, look for the evidence of packers in executables."
Moore and Hubbard also disagreed on the danger of publicly releasing a Google-based malware search tool, with the latter holding to Websense's earlier position of keeping its findings within the security community by distributing them only on private mailing lists.
"I think full disclosure of vulnerabilities is different than full disclosure of ways to find malicious code," said Hubbard. "There's a reason why these [mailing] lists are vetted."
Moore said that while Websense's stance "irked" him, the more important point was that searching Google for malware did not hand hackers a new source of code. "They have much more up-to-date archives" of malicious code to use than Google's results, he said.
But while Hubbard complimented Moore's work -- "He's done a good job and provided a good little tool," he said Tuesday -- Moore called Websense's code useless.
"I was simply floored by their code," said Moore, who obtained a copy of the Websense code days after he said he built his own tool. "There's nothing to it. All they did was add some comments at the top of the Google API, and that was really all there was to it."
Moore's search tool, which mimics the minimalist look of Google, can be found here.