Security Incidents mailing list archives
Re: New Virus?
From: James Polley <zhasper () gmail com>
Date: Thu, 18 Aug 2005 09:56:52 +1000
I'm curious to know if anyone is able to reproduce Jim's results - I've not been able to.

I searched for "blah deblahblah" (and I counted - 21 spaces in there - gmail may remove some of them when it sends this email) and I get, in fact, one result:

http://divelsfoot.com/forums/member.php?u=41

This differs from Jim's result of a 403 page. I had a theory that this may be because I'm already logged into my gmail; but I checked from a different machine and I get the same result.

The page I get shows the URL:

http://www.google.com/search?hl=en&lr=&q=%22blah++++++++++++++++++++++deblahblah%22&btnG=Google+Search

The content from this is pasted below.

I also decided to see what would happen if I changed the +s to " "s - i.e., %20s. The results were rather ironic.

http://www.google.com/search?hl=en&lr=&q=%22blah%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20deblahblah%22&btnG=Google+Search

gives me the same result as above, but also two additional links:

http://securityfocus.com/archive/75/408341
http://archives.neohapsis.com/archives/incidents/2005-08/0009.html

These are, ironically, Jim's original post telling me that I shouldn't be seeing any results.

Has anyone else been able to reproduce Jim's result?

Did you mean: "blahdeblahblah"

Divel's Foot - View Profile: rabbit
... Interests: Damned, Tool, Alice In Chains, The Who, Bad Religion, Circle Jerks, old school punk, blah deblahblah. Occupation: looking blankly at screens... ...
divelsfoot.com/forums/member.php?u=41 - 22k - Supplemental Result - Cached - Similar pages

In order to show you the most relevant results, we have omitted some entries very similar to the 1 already displayed.
If you like, you can repeat the search with the omitted results included.

Did you mean to search for: "blahdeblahblah"

On 8/17/05, James C Slora Jr <Jim.Slora () phra com> wrote:
As I understand it, Google tries to reduce the effectiveness of malware downloaders that use Google to find their payloads, to reduce the effectiveness of vulnerability scan tools that search for and attack vulnerable web apps, and to reduce warez pub searching.

Search for "(anything)(10 or more of certain characters such as spaces)(anything)" and Google returns the same message.

So searches for any of the following will return the same 403 page:

"woohoo.file .blah"
"rogers.doc .exe"
"blah deblahblah"
"blah+++++++++++++++++++++++++++kupa"
"test++++++++++++++++++++++"
" "
"+++++++++++++++++++"

Searching for filenames with lots of white space is even less useful than other malware filename searches. And Google's 403 page does not indicate anything useful about this particular malware find.
-- There is nothing more worthy of contempt than a man who quotes himself - Zhasper, 2005