Nice .. Realy nice pointers H.D. !! :) I was thinking on different lines, possibly one can use magic values of different types of executables along with "filetype:" keyword.
For Example: EXE -- 0x5A4D NT -- 0x4550 OS2 -- 0x454E OS2 LE -- 0x454C VXD -- 0x454C Now, if one has to search for malicious binaries in the form of .scr, .com or .pif etc then (s)he can issue the following search keywords - "intext: signature: 5A4D" filetype:scr "intext: signature: 5A4D" filetype:pif "intext: signature: 5A4D" filetype:doc or (without using "intext") signature: 00004550 filetype:scr signature: 00004550 filetype:doc The results can be narrowed down using a signature database like the one being used here - http://metasploit.com/research/misc/mwsearch/sigs.txt Similar results can also be achieved using search keywords for specific details in a PE / LE header. For example - Search for ["intext: Image File Header" filetype:scr] gives almost the same result as ["intext: signature: 5A4D" filetype:scr] -d (aka t) www.hackingspirits.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of H D Moore Sent: Monday, July 17, 2006 10:29 AM To: [email protected] Subject: [Full-disclosure] Google Malware Search http://metasploit.com/research/misc/mwsearch/?q=bagle Enjoy, -HD _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
