AxMan, Malware Search, and Bugle

If you read my Security Matters blog, you might remember me mentioning the Month of Browser Bugs, in which one new browser bug was to be posted to a Web site each day during the month of July. Well, July is over, but you can still read about all the browser bugs at the following URL:

The Month of Browser Bugs was driven by well-known security researcher H.D. Moore and some of his associates. Moore is probably best known as the developer of the Metasploit Toolkit. Moore has a couple other useful tools that you might not be aware of: AxMan and Malware Search.

According to Moore, "\[AxMan\] was used to discover and debug almost every single ActiveX flaw published during the Month of Browser Bugs." AxMan is an ActiveX fuzzer that can find bugs in COM objects through Microsoft Internet Explorer (IE). In case you don't know, a fuzzer injects random data into a program or object in an effort to find flaws or vulnerabilities. Moore recently made the AxMan package freely available for download. There's also an online demo you can try:

Malware Search is a search tool that uses Google queries to look for the "fingerprints" of known malware on the Internet. A fingerprint includes the date and time the malware was received, the size of the code image, the address entry point, and the size of the code itself. The tool consists of a set of scripts written in Ruby and comes with a database of several dozen signatures. One of the scripts lets you generate a new fingerprint when a new malware file pops up on your network. To perform a malware search or download the tool, go to the following URL:

Bugle, another new Web search tool by Emmanouel Kellinis, is essentially a list of search engine queries that look for possible security bugs in source code that has been indexed by Google. Bugle uses a "filetype" parameter along with function calls in the queries to specify the type of files to look in for the specific problematic function.

For example, one query finds possible SQL injection vulnerabilities by looking for the function call "executequery request.getparameter" in .java files. Another query finds possible cross-site scripting problems in Active Server Pages (ASP) applications by looking for "response.write request.form" in .asp files. At the time of this writing, Google returned 452 results for the first example and 149 for the second example.

Keep in mind that not every piece of code returned in the search results has vulnerabilities. The potential for a vulnerability typically depends on how the developer implemented the code, so you'll need to understand a bit about writing code in order to make a determination.

Kellinis invites the public to develop other queries and submit them for inclusion in his list. If you like to hunt for vulnerabilities or are curious about whether an application you're interested in using might contain vulnerabilities, bookmark the site and use it when the need arises.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.