Malware: The Undead

Thanks to cache servers, some malicious code lives on - even after it has supposedly been eradicated

Tim Wilson, Editor in Chief, Dark Reading, Contributor

October 17, 2006

1 Min Read

Is there life after death? If you're malicious HTML code, there might be.

Researchers at Finjan Software Inc. say they have uncovered several instances in which malware from previously disabled Web sites or pages has reappeared, served up by caching systems that don't recognize the trouble.

"Such 'infection-by-proxy' introduces new risks for businesses," says Finjan's Malicious Code Research Center in its quarterly Web security trends report. "This is more than just a theoretical danger -- Finjan has already found such a scenario being used in the wild."

ISPs, search engines, and large enterprises often create large stores of cached Web pages on their systems to provide backup when a Web page is unavailable or slow to load, Finjan observes. These duplicate pages live on, even after a malicious site has been taken down or quarantined.

When the cached pages are served up, they carry with them whatever malware may have been attached to the original page via HTML or JavaScript. This malware can be used to install spyware or Trojan horses, even after the threat has supposedly been eradicated.

"Traditional security solutions might not be effective against this type of threat," Finjan says. URL filtering technology, for example, might block the original malicious site, but caching sites are generally treated as legitimate, the researchers observe. Anti-virus technology may also fail to catch the problem, because some malicious Websites are taken down before their exploits have a chance to build a virus signature.

Finjan advises enterprises and ISPs that use caching servers to perform periodic checks of their cached content using proactive, behavior-based security software.

— Tim Wilson, Site Editor, Dark Reading

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights