Google Malware Search Engine And How It Works; Impact

By Angsuman Chakraborty, Gaea News Network
Tuesday, July 18, 2006

H. D. Moore (hdm[at]metasploit.com) has devised a Ruby-based search engine that finds malicious Windows software (viruses, trojans etc.) using standard Google queries. The malware search engine finds web sites hosting malicious files after a user enters the name of a virus or Trojan horse.

Currently the signature database is small but still contains dangerous viruses and trojans.

How does it work?
The search engine backend creates fingerprints of malicious Windows executables. A fingerprint consists of four values taken from the PE header: the time date stamp, the size of image, the entry point and the size of code. When a user searches for an executable for which a signature is available, the backend uses the Google Search API to look for the actual executable by searching for those four values. In case you are wondering, this is the query string (simplified):
"Time Date Stamp: #{peinf[0]}" "Size of Image: #{peinf[1]}" "Entry Point: #{peinf[2]}" "Size of Code: #{peinf[3]}"
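How such a fingerprint is read out of a PE file and turned into the query string above, as an added example written for this page (not HD Moore's code); the field offsets come from the PE/COFF format, while the hex formatting of the values and the constructed sample image are my own assumptions:

```ruby
# Added example (not HD Moore's code): pull the four PE header fields the
# article names out of a Windows executable and build the search string.
# Field offsets follow the PE/COFF spec; the "0x%08X" formatting is an assumption.

FIELD_NAMES = ["Time Date Stamp", "Size of Image", "Entry Point", "Size of Code"].freeze

# Returns [TimeDateStamp, SizeOfImage, AddressOfEntryPoint, SizeOfCode] as hex
# strings, or raises ArgumentError when the buffer is not a well-formed PE file.
def pe_fingerprint(data)
  data = data.b                                   # treat as raw bytes
  raise ArgumentError, "too short for a DOS header" if data.bytesize < 0x40
  raise ArgumentError, "missing MZ header" unless data[0, 2] == "MZ"
  e_lfanew = data[0x3C, 4].unpack1("V")
  raise ArgumentError, "e_lfanew out of range" if e_lfanew + 24 > data.bytesize
  raise ArgumentError, "missing PE signature" unless data[e_lfanew, 4] == "PE\0\0"
  coff = e_lfanew + 4                             # COFF file header (20 bytes)
  time_date_stamp = data[coff + 4, 4].unpack1("V")
  opt_size = data[coff + 16, 2].unpack1("v")
  opt = coff + 20                                 # optional header follows COFF
  if opt_size < 60 || opt + opt_size > data.bytesize
    raise ArgumentError, "truncated optional header"
  end
  magic = data[opt, 2].unpack1("v")
  raise ArgumentError, "not PE32/PE32+" unless [0x10B, 0x20B].include?(magic)
  # These three offsets are identical for PE32 and PE32+.
  size_of_code  = data[opt + 4, 4].unpack1("V")
  entry_point   = data[opt + 16, 4].unpack1("V")
  size_of_image = data[opt + 56, 4].unpack1("V")
  [time_date_stamp, size_of_image, entry_point, size_of_code].map { |v| format("0x%08X", v) }
end

# Builds the quoted-phrase query in the shape the article shows.
def google_query(peinf)
  FIELD_NAMES.zip(peinf).map { |name, val| %("#{name}: #{val}") }.join(" ")
end

# Constructed minimal PE32 image (headers only, no sections) for offline testing.
def build_sample_pe(time_date_stamp:, size_of_image:, entry_point:, size_of_code:)
  dos  = "MZ".ljust(0x3C, "\0") + [0x40].pack("V")          # e_lfanew = 0x40
  coff = [0x14C, 0, time_date_stamp, 0, 0, 224, 0x102].pack("vvVVVvv")
  opt  = [0x10B, 0, 0, size_of_code, 0, 0, entry_point, 0x1000, 0x2000,
          0x400000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0, size_of_image].pack("vCC" + "V" * 9 + "v" * 6 + "VV")
  dos + "PE\0\0" + coff + opt.ljust(224, "\0")
end

SAMPLE_PE = build_sample_pe(time_date_stamp: 0x44BCE1A0, size_of_image: 0x6000,
                            entry_point: 0x1280, size_of_code: 0x2400)

puts google_query(pe_fingerprint(SAMPLE_PE)) if __FILE__ == $PROGRAM_NAME
```

The same four values can be checked against a suspect download on a defender's side, which is the sense in which such a signature is a detection aid rather than anything more.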

Probably Google hasn't yet indexed most of the malware. A search for the first two signatures returned no results in Google.

What is the impact?
To create a malware signature, and hence enable searching for that malware, the site has to procure the sample somehow. That makes this site no different from any other malware repository, and such sites can easily be targeted by law enforcement officials and closed. The damaging potential lies elsewhere: the malware signatures are available to the public and can easily be distributed throughout the internet. Even in that case it is relatively easy for Google to block searches for these specific signatures.

So in essence the idea has gimmick value, but it is of limited potential even to hackers and can cause only limited damage in the long run.
