Didier Stevens

Friday 6 October 2006

Update: Google and the Drive-by Download

Filed under: Malware,Update — Didier Stevens @ 21:49

At the end of my post Google and the Drive-by Download, I wondered how prevalent such query results were.

This is an attempt to answer this question.

Here’s a Perl script that will execute Google queries and look for suspect URLs in the first page with a regular expression (remember, suspect URLs are of the form 123.1a2b3c.info). If you want to use the script on your Windows machine and don’t have a Perl interpreter, you can use ActiveState’s free ActivePerl.

Since I have no list of common Google queries used here in Belgium, I included a simple algorithm in my program to generate its own queries. They look like this: name profession. I feed my program with a list of frequently occurring last-names in Belgium and a list of professions you might want to search for (like a plumber).
Here’s the output of my program:

Suspect queries:

613.6x2q1y.info http://www.google.be/search?hl=fr&q=Thys+Blanchisseur

4859.4rhw0hk.info http://www.google.be/search?hl=fr&q=Gerard+Plombier

Suspect URLs:



2 suspect queries out of 2322 queries (0.0861326442721792%).

About 1 out of 1000 queries (looking for a profession) list a drive-by download site on the first result page. That’s not too bad, but still a surprising result to me.

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.