There was an article I found in my surfing time about viruses, from PcWorld, Google Binary Search help Identify Malware. Google have a little-known capability to search binaries, that will be useful to search malware and virus binaries across the internet. This google hacks have been implemented by metasploit research team, to provide a good interface and signature database of viruses and malwares. The malware search interface is accessible at http://www.metasploit.com/research/misc/mwsearch/.
In the project information, there are description on how it works, and they also provides ruby script to generate signatures, search for binaries from the signatures and also to download them, basically just wget it.
The installation I did on Fedora works just smooth, installed ruby 1.8.6, ruby-google and also soap4r. ruby-google connects to Google API using SOAP, therefore I have to install Soap4r first, then ruby-google.
This is a sample of 1 virus found, Message.pif (Worm.Bagle.N-1)
this is the clamscan result:
Message.pif: Worm.Bagle.N-1 FOUND
———– SCAN SUMMARY ———–
Known viruses: 152764
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Time: 2.592 sec (0 m 2 s)
This is the sample usage of the ruby scripts:
$ ./mwsig.rb Message.pif
$ ./mwsearch.rb 4053c6c2:00010000:0000e5b0:00005000
# ./mwdownload.rb bin to_download
Resolving archives.neohapsis.com… 22.214.171.124
Connecting to archives.neohapsis.com|126.96.36.199|:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 21,871 (21K)
100%[=================================================================================================================>] 21,871 21.57K/s
09:17:59 (21.55 KB/s) – `bin/0.bin’ saved [21871/21871]
This is the sample search in google.com. It have 4 main information to search for:
1: Virus/malware name
2: Time & date stamp
3: Size of Image
4: Entry Point
5: Size of code
All of these information are basically the last 4 segment in the signatures, created by mwsig.rb