Googling Malware Makes Sense

    December 22, 2011 • Uncategorized

    A couple of weeks ago I submitted a sitemap containing thousands of PDF X-RAY report URLs to Google Webmaster Tools. The thought behind this was that Google would index the decoded, decrypted PDF content of malicious files so that I could search on them later. Report pages within PDF X-RAY contain all data about the document on a single page, making them easy to index.

    Just to give an idea of what I am talking about, here are a couple of interesting searches showing a range of PDF malware.

    site:pdfxray.com "/Subtype /U3D"

    site:pdfxray.com "media.newPlayer"

    site:pdfxray.com "/flash"

    site:pdfxray.com "/JS" "/Javascript"

    site:pdfxray.com "getIcon"

    The results from the queries above vary, but they show a decent amount of malware and help those attempting to identify new attacks being used. The best example of this is the first search for the /U3D subtype, where I can add on "pwning u3d" and identify three files that share the same traits. Having this ability is extremely valuable and, best of all, it's free.

    As time progresses, I see Google becoming as popular for malware identification as it is for finding vulnerable servers/configurations, but for that to truly happen it requires attention from those with malware information. If you have the ability to share your malicious data with the public, consider formatting it in such a way that Google can index it. Doing so adds yet another tool to the incident responder's toolkit.
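
For anyone publishing analysis reports this way, the sitemap step described above can be scripted. The following is an added example, not code from the original post or from PDF X-RAY: it builds sitemap files for a list of report URLs, splitting at the sitemaps.org limit of 50,000 URLs per file and writing an index that references each part. The host `reports.example.org`, the report URL layout and the file names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
MAX_URLS = 50000  # per-file URL limit in the sitemaps.org protocol

# Constructed sample input; hypothetical report URLs on a placeholder host.
SAMPLE_URLS = [
    "https://reports.example.org/report/0001",
    "https://reports.example.org/report?id=0002&view=full",
    "https://reports.example.org/report/0001",  # duplicate, dropped below
    "https://reports.example.org/report/0003",
]


def build_sitemaps(report_urls, base_url, max_urls=MAX_URLS):
    """Return {filename: xml_bytes}: one sitemap per chunk plus an index."""
    base = base_url.rstrip("/")
    # Deduplicate while preserving order and ignoring blank entries.
    urls = list(dict.fromkeys(u.strip() for u in report_urls if u.strip()))
    for u in urls:
        # A sitemap may only list URLs on the host it is served from.
        if not u.startswith(base + "/"):
            raise ValueError(f"URL outside {base}: {u}")

    files = {}
    index = ET.Element("sitemapindex", xmlns=NS)
    for part, start in enumerate(range(0, len(urls), max_urls), 1):
        urlset = ET.Element("urlset", xmlns=NS)
        for u in urls[start:start + max_urls]:
            # ElementTree escapes '&' and '<' in text when serializing.
            ET.SubElement(ET.SubElement(urlset, "url"), "loc").text = u
        name = f"sitemap-reports-{part}.xml"
        files[name] = ET.tostring(urlset, encoding="utf-8",
                                  xml_declaration=True)
        entry = ET.SubElement(index, "sitemap")
        ET.SubElement(entry, "loc").text = f"{base}/{name}"
    files["sitemap-index.xml"] = ET.tostring(index, encoding="utf-8",
                                             xml_declaration=True)
    return files


if __name__ == "__main__":
    # max_urls=2 only to show the split on the small sample.
    for fname, body in build_sitemaps(SAMPLE_URLS,
                                      "https://reports.example.org",
                                      max_urls=2).items():
        print(fname, len(body), "bytes")
```

The index file is the one to submit to the search engine's webmaster console; the per-chunk files only need to be reachable at the URLs it lists.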