Google indexes executables...

by santonov on July 21st, 2006 in Researcher Comments.

Revelation of the month: Google indexes executables! This news met with a mixed reception from the computer security world: some commented that this is a security risk, while others commented on how useful a feature this could potentially be.

Personally, I was quite excited to see the news, although rather surprised. While writing my Master's thesis, I used the Google API heavily for searching and retrieving documents for use within university courses. After my heavy use of the Google API, I was naturally quite surprised to find out about this "Binary Indexing" method, as this is something I never found while using the API.

That aside... the news opens up a world of possibilities for malware searching, both for finding new files and for finding existing content and flagging the URLs from which they originate. Apart from hiding their binaries in JavaScript and rotating banner ads, the malware writers will find it very difficult to bury their files away from an engine that, let's face it, indexes everything! This is something that security company Websense have used to develop a tool to search for malware. Using the signatures that Google indexes (a unique identifier based on the PE header of an executable file), and searching for these with a list of defined "fingerprints", it is possible to flag files that exhibit some of the properties of malware files, though this may also generate a good deal of false positives.

This is certainly a step forward in the fight and we look forward to seeing where it leads us....
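
The fingerprint matching described above, and why it can produce false positives, shown as an added example (it is not Websense's tool and not code from the original post). It assumes a fingerprint built from three PE header fields, runs over constructed sample files, and uses a full-file SHA-256 check to separate confirmed matches from header-only look-alikes.

```python
import hashlib
import struct

def build_pe(timestamp, size_of_image, entry_point, body):
    """Build a minimal PE32 header plus body (constructed sample, not runnable)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)       # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x014C, 1, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 56, size_of_image)            # SizeOfImage
    return dos + b"PE\x00\x00" + coff + bytes(opt) + body

def pe_fingerprint(data):
    """Return a header fingerprint (field choice is this example's assumption) or None."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24                                       # signature + COFF header
    if opt + 60 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:       # only PE32 handled here
        return None
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    (entry,) = struct.unpack_from("<I", data, opt + 16)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    return (timestamp, size_of_image, entry)

def triage(files, fingerprints, known_hashes):
    """Split header matches into hash-confirmed hits and header-only hits."""
    confirmed, header_only = [], []
    for name, data in sorted(files.items()):
        if pe_fingerprint(data) in fingerprints:
            digest = hashlib.sha256(data).hexdigest()
            (confirmed if digest in known_hashes else header_only).append(name)
    return confirmed, header_only

# Constructed inputs: one known sample, one look-alike, one unrelated PE, one non-PE.
KNOWN = build_pe(0x44C0A000, 0x8000, 0x1000, b"known sample body")
FILES = {
    "known.exe": KNOWN,
    "lookalike.exe": build_pe(0x44C0A000, 0x8000, 0x1000, b"different code"),
    "other.exe": build_pe(0x44C0B111, 0x20000, 0x2400, b"unrelated"),
    "readme.txt": b"MZ" + b" plain text that only starts like an executable" * 2,
}
FINGERPRINTS = {pe_fingerprint(KNOWN)}
KNOWN_HASHES = {hashlib.sha256(KNOWN).hexdigest()}

if __name__ == "__main__":
    print(triage(FILES, FINGERPRINTS, KNOWN_HASHES))
```

The look-alike file shares every fingerprinted header field with the known sample but has different contents, so a header-only match flags it while the hash check does not.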