Malware: The Undead

Is there life after death? If you're malicious HTML code, there might be.

Researchers at Finjan Software Inc. say they have uncovered several instances in which malware from previously disabled Web sites or pages has reappeared, served up by caching systems that don't recognize the trouble.

"Such 'infection-by-proxy' introduces new risks for businesses," says Finjan's Malicious Code Research Center in its quarterly Web security trends report. "This is more than just a theoretical danger -- Finjan has already found such a scenario being used in the wild."

ISPs, search engines, and large enterprises often create large stores of cached Web pages on their systems to provide backup when a Web page is unavailable or slow to load, Finjan observes. These duplicate pages live on, even after a malicious site has been taken down or quarantined.

When the cached pages are served up, they carry with them whatever malware may have been attached to the original page via HTML or JavaScript. This malware can be used to install spyware or Trojan horses, even after the threat has supposedly been eradicated.

"Traditional security solutions might not be effective against this type of threat," Finjan says. URL filtering technology, for example, might block the original malicious site, but caching sites are generally treated as legitimate, the researchers observe. Anti-virus technology may also fail to catch the problem, because some malicious Websites are taken down before their exploits have a chance to build a virus signature.

Finjan advises enterprises and ISPs that use caching servers to perform periodic checks of their cached content using proactive, behavior-based security software.

— Tim Wilson, Site Editor, Dark Reading