AOH :: ISN-3136.HTM

Exploit code hiding in cache servers

Exploit code hiding in cache servers
Exploit code hiding in cache servers 

By John E. Dunn
12 October 2006

Malicious code is living on weeks after it has been removed from 
websites thanks to an unexpected culprit - cache servers.

According to Finjan Software, which has just released its latest Web 
trends report, caching technology used by search engines, ISPs and large 
companies has been discovered to harbour certain kinds of malicious code 
even after the website that hosted it has been taken down.

Such "infection-by-proxy" code can remain in caches for as long as two 
weeks, giving it a "life after death" at a time it would conventionally 
be assumed to have been neutralised. Although caching does not always 
save copies of everything on a website, it will still store code 
embedded in html, including programming formats such as Javascript.

The company offered details of how code designed to exploit a number of 
vulnerabilities in Microsoft products from 2003 and 2004 was able to 
continue in the public domain thanks to it hiding in the cache servers 
of one of three unnamed search engines.

Although old, there is no reason why the same issue wouldnt apply to 
recent issues on an unlimited scale, depending on the nature of the code 
and the way it was buried within cacheable content. And code pointing to 
malware such as Trojans would remain because of the issue, raising the 
level of risk further.

"This is more than just a theoretical danger. It is possible that 
storage and caching servers could unintentionally become the largest 
'legitimate' storage venue for malicious code," said Finjans CTO Yuval 
Ben-Itzhak. "Almost every malicious website out there has a copy on a 
cacheing server," he told Techworld.

The services affected by the cached malware had been informed in August. 
"What our latest report shows is that current processes to remove such 
malicious content from the Web are simply not going far enough to combat 
this very serious and growing threat."

This type of threat counts as new, though there have been several 
instance of malicious code using search engines to spread in other ways. 
In May, a McAfee report claimed that search engines were now a major 
channel for the inadvertent spread of malware by returning infected 
sites in search results.

Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods