June 24, 2006

Some Google Results Are EXE Files


I've posted earlier that you can find all kinds of file types in Google's index, including EXE files. Claudiu Spulber reports that you can also find innocent-looking sites that redirect to EXE files bundled with spyware.

If you search for ["Signature: 00004550"], you'll find 192,000 results (if Google's count is accurate), mostly executables. 00004550 is the PE signature: the bytes "PE\0\0" that every Windows executable and DLL carries, read as a little-endian 32-bit value. Google turns the file's headers into a text summary, and that summary is what gets indexed; if you look at the cache, you'll see something like this:

WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 3b7dc821
Symbols Pointer: 00000000

What's interesting is that the results have URLs that look harmless (crcdatatech.com/help, for example) and carry no EXE extension; only when you open one does the browser prompt you to download the file. Click "Run" instead of "Save" or "Cancel", and prepare for the worst.
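The header dump above is what a PE (Portable Executable) parser recovers from the first bytes of the file. The following is an added example, not code from the original post or from Google: a small Python parser that reads the DOS header, follows e_lfanew to the PE signature and extracts the same COFF fields Google lists, keyed on magic bytes and offsets rather than on the file name, so a download served from a URL like /help is recognised just as well as one called setup.exe. The input is a constructed minimal header rather than a real executable, the field labels mirror Google's listing, the sample values are the ones shown above, and the function names are my own.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

PE_SIGNATURE = 0x00004550   # the bytes b"PE\0\0" read as a little-endian DWORD
IMAGE_FILE_DLL = 0x2000     # Characteristics flag: the image is a DLL rather than an EXE

# IMAGE_FILE_MACHINE_* values; 0x014C is what Google renders as "Intel 386"
MACHINE_NAMES = {0x014C: "Intel 386", 0x8664: "x86-64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def build_sample_pe(machine=0x014C, nsections=3, timestamp=0x3B7DC821, opt_magic=0x10B) -> bytes:
    """Constructed sample for this example, not a real file: a DOS header whose
    e_lfanew points at a PE signature, the 20-byte COFF file header, and the
    first two bytes (the Magic field) of the optional header."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack(
        "<HHIIIHH",
        machine, nsections, timestamp,
        0,       # PointerToSymbolTable ("Symbols Pointer" in Google's listing)
        0,       # NumberOfSymbols
        224,     # SizeOfOptionalHeader as claimed; only its Magic field is present here
        0x010F,  # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE | stripped flags
    )
    return dos_header + b"PE\0\0" + coff_header + struct.pack("<H", opt_magic)


def parse_pe_header(data: bytes) -> Optional[dict]:
    """Return the COFF header fields of a PE image, or None if `data` is not one.
    Only magic bytes and offsets are consulted; the file name is irrelevant."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):          # need signature (4) + COFF header (20)
        return None
    (signature,) = struct.unpack_from("<I", data, e_lfanew)
    if signature != PE_SIGNATURE:
        return None
    machine, nsections, timestamp, symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    fmt = "unknown"
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
        fmt = {0x10B: "PE32 (32-bit)", 0x20B: "PE32+ (64-bit)"}.get(magic, "unknown")
    return {
        "Signature": f"{signature:08x}",
        "Machine": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "Number of Sections": f"{nsections:04x}",
        "Time Date Stamp": f"{timestamp:08x}",
        "Symbols Pointer": f"{symptr:08x}",
        "Format": fmt,
        "Type": "DLL" if chars & IMAGE_FILE_DLL else "EXE",
        "Linked (UTC)": datetime.fromtimestamp(timestamp, tz=timezone.utc),
    }


if __name__ == "__main__":
    for name, value in parse_pe_header(build_sample_pe()).items():
        print(f"{name}: {value}")
    print(parse_pe_header(b"#!/bin/sh\necho not an executable image\n"))  # None
```

The TimeDateStamp is seconds since the Unix epoch, so 3b7dc821 decodes to a link time in August 2001; the Machine and Magic fields are what Google's "32bit" and "Intel 386" lines come from. A crawler or mail gateway that relies on extensions alone never gets this far, which is the point raised later in the comments.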

I think Google should remove all dangerous files from its index (EXE, MSI, COM, REG), and that should be an easy task, since each of these types has a recognizable pattern. One caveat: they don't share a single pattern. EXE files carry the MZ and PE headers shown above, MSI installers use the OLE compound-document header, REG files are plain text that starts with a "Windows Registry Editor" or "REGEDIT4" line, and COM files have no header at all (they are raw 16-bit code), so a content-based filter needs a signature per type and cannot identify COM files by content.

Gmail doesn't allow you to attach EXE files or ZIP archives that contain EXE files.

16 comments:

  1. I agree 100%. Microsoft finally woke up to the executable file threat spread by email, so what's the benefit to getting any kind of Internet result that leads directly to the same threat? Eliminate executables from the indexes. If a user wants that file, they can go to the site that hosts it, or the page that has a standard link to it.

  2. I disagree totally. People need to be educated to the potential threats of running unknown executables but after that, it should be a matter of individual choice.

    I find the executable ban in Gmail quite frustrating as a developer. There are legitimate reasons for sending these files. I am an adult and I would prefer to be treated as such and not nannied by any corporation.

  3. There's no reason that you can't have the best of both worlds. Either Google can provide an option to allow or disallow results with executable filenames, or when you click on a link to the executable they can provide a warning about the potential dangers before allowing you to continue. Either way, this can be set as a personal preference which automates what happens at the time of the search or when a link to an executable is clicked.

  4. Hey, that's not censorship. If you want to find the setup of a software, search for [name-of-the-software download]. You shouldn't find direct links on Google.

    You always need the context of the file (information, license, requirements, changes). If you search for an image on Google Images, you get the image and the page that includes the image.

    Besides, most of these sites try to trick people. If you had a software called Nautilus, would you buy a domain like trynautilus.com that would redirect to an EXE file?

  5. A straight-up ban on almost anything is not a good thing. There are legitimate uses for everything ever invented. It's just that some people use them for doing harm, instead of good.

    Ban: No
    Education + Options : Yes, please.

  6. The threat comes from this. You've set up a page and optimized it, for instance, to rank on the first page of results when searching for Skype (might happen). Now, you do a redirect from that page to an exe file (called skype_setup.exe, for instance) that you've added a couple of "gifts" to. Given that there are thousands of searches for "skype" each day, your result will eventually be clicked by some "not-so-geeky" users and they will run the exe (because they think it is the genuine setup for Skype). And while Skype installs, the spyware installs in the background. That's the threat I'm talking about.

    And a real example. On the second page of results when searching for Backup4all - genuine clean program, by the way - (http://www.google.com/search?q=backup4all&hl=en&lr=&start=10&sa=N) there is such an exe that's called something like ultraedit_12... I've downloaded it on a test computer and monitored how it installs some Chinese version of UltraEdit and also, in the background, all the spyware cra* you can think of. Now, if this had been a result when searching for UltraEdit, it would have been much more dangerous.

  7. I often search Google for the-filename-i-need.exe (instead of going to those ad-infected download sites to find a suitable mirror). Google should filter out executable files when users do not specifically search for "main-site-and-mirrors-are-down-is-the-file-anyplace-else-on-the-net.exe" or "my-file" filetype:exe.

  8. Just have EXEs filtered out by default and then have the option to change preferences... sort of like how SafeSearch is on by default, but there is the option to turn it off.

  9. If you block EXE files, you might as well block TXT files too. Could be an evil shell script. And APP files, for those Mac people. And JPEGs are dangerous; they could be crafted so as to exploit a new security hole.

    No, best to index everything but have the option to not search EXE files. Or throw up a warning. Or do something-- but blocking an EXE completely means pretty much everything except for plain vanilla HTML files would have a case for their removal.

  10. Do these EXEs have a meaningful content-type? I mean are they perhaps on wrongly configured servers not sending a binary HTTP header? (Is there even a "correct" MIME type for EXEs?)

  11. Here's one header:

    HTTP/1.x 200 OK
    Server: Microsoft-IIS/5.0
    Date: Wed, 28 Jun 2006 19:56:59 GMT
    X-Powered-By: ASP.NET
    Connection: close
    Content-Type: application/octet-stream; name=SmartDownload.exe
    content-disposition: inline; filename=SmartDownload.exe

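The exchange above asks whether the content type gives anything away, and the posted header shows it doesn't: a generic application/octet-stream, with the real name only in the Content-Disposition and Content-Type parameters. As an added example, not part of the comment or of any Google tooling, here is a Python check that compares what the URL, the response headers and the first bytes of the body each say about a download. The response head is the one quoted in the comment, reproduced verbatim; the URL path comes from the post's crcdatatech.com/help example; the body bytes are constructed; the function names and the extension list are my own.

```python
# Extensions the post wants filtered (EXE, MSI, COM), plus two common ones.
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".com", ".scr", ".dll")

# The response head quoted in the comment above, reproduced verbatim.
SAMPLE_RESPONSE_HEAD = """HTTP/1.x 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 28 Jun 2006 19:56:59 GMT
X-Powered-By: ASP.NET
Connection: close
Content-Type: application/octet-stream; name=SmartDownload.exe
content-disposition: inline; filename=SmartDownload.exe
"""

# Constructed first bytes of a body: the 'MZ' DOS magic followed by filler.
SAMPLE_BODY_START = b"MZ\x90\x00\x03\x00\x00\x00"


def parse_response_head(raw: str) -> dict:
    """Parse a status line plus header lines into a dict keyed by lower-cased name."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:                  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def split_params(value: str):
    """'inline; filename=a.exe' -> ('inline', {'filename': 'a.exe'})."""
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return parts[0].lower(), params


def classify_response(url_path: str, raw_head: str, body_start: bytes) -> dict:
    """Report what the URL, the headers and the bytes each claim the resource is."""
    headers = parse_response_head(raw_head)
    ctype, ctype_params = split_params(headers.get("content-type", ""))
    disposition, disp_params = split_params(headers.get("content-disposition", ""))
    # Content-Disposition filename wins; fall back to the Content-Type name parameter.
    declared_name = disp_params.get("filename") or ctype_params.get("name") or ""
    url_hint = url_path.lower().endswith(EXECUTABLE_EXTENSIONS)
    name_hint = declared_name.lower().endswith(EXECUTABLE_EXTENSIONS)
    is_pe = body_start[:2] == b"MZ"         # DOS/PE magic; the bytes, not the name, decide
    if is_pe and not url_hint:
        verdict = "Windows executable served from a URL with no executable extension"
    elif is_pe:
        verdict = "Windows executable"
    else:
        verdict = "not a Windows executable image"
    return {
        "content_type": ctype,
        "disposition": disposition,
        "declared_filename": declared_name,
        "url_suggests_executable": url_hint,
        "filename_suggests_executable": name_hint,
        "is_pe": is_pe,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in classify_response("/help", SAMPLE_RESPONSE_HEAD, SAMPLE_BODY_START).items():
        print(f"{key}: {value}")
```

Run against the quoted header, the URL says nothing, the content type says only "binary", and both the declared filename and the MZ magic say "executable"; a crawler that wants to flag these results has to read at least one of the last two.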
  12. "The threat comes from this. You've set up a page and optimized it, for instance, to rank on the first page of results when searching for Skype (might happen). Now, you do a redirect from that page to an exe file (called skype_setup.exe, for instance) that you've added a couple of "gifts" to. Given that there are thousands of searches for "skype" each day, your result will eventually be clicked by some "not-so-geeky" users and they will run the exe (because they think it is the genuine setup for Skype). And while Skype installs, the spyware installs in the background. That's the threat I'm talking about."

    And your point being?
    If people are silly enough to run random executables from untrusted sites, they deserve to get whatever's coming to them. Education is the answer, not censorship.

    I don't even find it that concerning that the links don't contain an .exe extension; you'll still be prompted by your browser...

    I'd say definitely add an option to not search for exe files, maybe add some warnings to the search results themselves, or even go as far as to add a 'splash page' when you click on an EXE warning of the dangers involved. Just don't block them outright :/


    Oh, as for the exe attachments in Gmail, I'm a developer too, and yes pconroy, I'm sure we're all well aware that we can zip and rename our files. :/

    Unfortunately I send out upwards of 20 builds a day. Already, thanks to Outlook / Exchange / antivirus tools / etc., trying to send exes over email is just pointless, and zipping and renaming every file I send takes up a surprising chunk of my time.

    Yet another situation where the general public's expectation of everything being 'idiot-proof' is going to bite people in the a55, just long enough for 'em to kick up a stink and ruin it for those of us with a clue.


    "I am an adult and I would prefer to be treated as such and not nannied by any corporation."

    Couldn't have put it better myself.

  13. What's an EXE file? I've never seen one of those on any of my operating systems. Good, one thing less to worry about...

  14. I'm also surprised that the Gmail/Google system still relies on EXTENSIONS rather than piping everything through find--or, being the developers they are, just integrate find with their crawler; geez, it's not as if they don't have that computational power. I mean, why would they take the effort to generate a beautifully formatted very very verbose synopsis about the EXE files when you click "View as HTML?"

  15. I think that people need to learn a little about computers before jumping on the internet and doing stupid things.

  16. Is that the point? Did you know that you can still send INFECTED files through emails too with antivirus on it? Shit, I'm out of milk..!! lol

