Cache Servers Keeping Exploit Code Alive

Posted by kdawson on Thu Oct 12, 2006 02:10 PM
from the night-of-the-living-exploit dept.
1960's architecture writes, "At last some evidence that exploit code is hiding on servers used to cache website content. According to Techworld, Israeli outfit Finjan has come up with evidence that real exploits have hidden on cache servers used by large search engines, effectively extending their life for periods of weeks after the original website had been taken down. The exploits detailed are from 2003-2004, but the principle would still apply to any exploit website around today, and any cache servers used by any one of the three unnamed search engines. It's almost literally malware 'life after death.'"
  • So let me get this straight (Score:3, Insightful)

    by A beautiful mind (821714) on Thursday October 12 2006, @02:16PM (#16412247)
    The brilliant study says: "content available as cache, even after the original source is not there, for some time"?

    Bravo! Bravo! Revolutionary thought!
  • Taking down? (Score:1)

    by DMiax (915735) on Thursday October 12 2006, @02:19PM (#16412305)

    What's the use of relying on a site being taken down?

    You should patch your software in any case, otherwise the exploit still works if it is put somewhere else.

    • Exactly. The people behind this "discovery" seem to think that the best way to combat security holes is to go after the exploit demonstration code, rather than, say, actually fixing the problem.

      That's what's really frightening; that there are exploits that have been in the wild and in the hands of the black hats for three years, which still have not been patched.

      Those "exploit sites" are not the enemy here. If anything, they're a powerful tool that lets the 'good guys' be on equal footing, or near equal footing, with the bad guys, who are probably trading exploits around in IRC channels regardless of whether they're on the WWW or cached or not.
  • What about e-muggers? (Score:2, Funny)

    by celardore (844933) * <celardore@gmail.com> on Thursday October 12 2006, @02:24PM (#16412381)
    (http://www.celardore.net/)
    Hey sucka, gimme your cache!
  • by jZnat (793348) * on Thursday October 12 2006, @02:24PM (#16412389)
    (http://del.icio.us/jvz | Last Journal: Sunday December 03 2006, @12:45PM)
    How about fixing the problem that's exploited rather than try to hide the problem's existence in the first place?
  • More needs to be done (Score:3, Funny)

    by nickheart (557603) <<nick.j.hartman> <at> <gmail.com>> on Thursday October 12 2006, @02:28PM (#16412467)
    ... and think of all those old hard disks with exploits on them. We need to go to the dump and degauss all of them, NOW! C'mon people, this is a security issue.

    gimme a break, a cache is a cache, it's supposed to have old information, even if that information is wrong, or destructive.

  • news to me (Score:1)

    by rpax9000 (916267) on Thursday October 12 2006, @02:29PM (#16412479)
    i guess i'm going to show my complete ignorance of web development and teh intarweb at large, but here goes:

    why on earth would something get cached if it is malware infected/contains exploits without being cleaned at some future time when said malware or exploits are discovered?

    i know the caching is an automated process, but the caches themselves aren't scanned for malware/code exploits like the live sites?
  • by jschottm (317343) on Thursday October 12 2006, @02:35PM (#16412571)
    Blah [yahoo.com]

    Yahoo's cache can be addressed at rds.yahoo.com (compared to Google's cache, which uses IP addresses with no associated hostnames). Thus, all the various message boards that use the slashdot style of putting the domain name of the host will show yahoo.com even if it might be serving up an IE exploit that was hosted at mynastystuff.ru, increasing chances of click through. MSN uses a resolvable name for their cache as well, but it's at least identifiable as msncache.com rather than just msn.com.
  • Obligatory... (Score:1)

    by davidwr (791652) on Thursday October 12 2006, @02:38PM (#16412609)
    (http://slashdot.org/~davidwr/journal/ | Last Journal: Friday November 09, @09:19PM)
    Nothing for you to see here.

    Just us trojans invisibly taking over your system.
  • by abb3w (696381) on Thursday October 12 2006, @02:45PM (#16412703)
    (Last Journal: Thursday March 15 2007, @12:56PM)
    Excerpts from Vernor Vinge's [wikipedia.org] A Fire Upon The Deep [amazon.com]

    How to explain? How to describe? Even the omniscient viewpoint quails.

    A singleton star, reddish and dim. A ragtag of asteroids, and a single planet, more like a moon. In this era the star hung near the galactic plane, just beyond the Beyond. The structures on the surface were gone from normal view, pulverized into regolith across a span of aeons. The treasure was far underground, beneath a network of passages, in a single room filled with black. Information at the quantum density, undamaged. Maybe five billion years had passed since the archive was lost to the nets.

    The curse of the mummy's tomb, a comic image from mankind's own prehistory, lost before time. They had laughed when they said it, laughed with joy at the treasure ... and determined to be cautious just the same. They would live here a year or five, the little company from Straum, the archaeologist programmers, their families and schools. A year or five would be enough to handmake the protocols, to skim the top and identify the treasure's origin in time and space, to learn a secret or two that would make Straumli Realm rich. And when they were done, they would sell the location; perhaps build a network link (but chancier that -- this was beyond the Beyond; who knew what Power might grab what they'd found).

    So now there was a tiny settlement on the surface, and they called it the High Lab. It was really just humans playing with an old library. It should be safe, using their own automation, clean and benign. This library wasn't a living creature, or even possessed of automation (which here might mean something more, far more, than human). They would look and pick and choose, and be careful not to be burned.... Humans starting fires and playing with the flames.

    The archive informed the automation. Data structures were built, recipes followed. A local network was built, faster than anything on Straum, but surely safe. Nodes were added, modified by other recipes. The archive was a friendly place, with hierarchies of translation keys that led them along. Straum itself would be famous for this.
    [...]

    "Then you know that an archive is a fundamentally vaster thing than the database on a conventional local net. For practical purposes the big ones can't even be duplicated. The major archives go back millions of years, have been maintained by hundreds of different races -- most now extinct or Transcended into Powers. Even the archive at Relay is a jumble, so huge that indexing systems are laid on top of indexing systems. Only in the Transcend could such a mass be well organized and even then only the Powers could understand it."

    "So?"

    "There are thousands of archives in the Beyond -- tens of thousands if you count the ones that have fallen into disrepair or dropped off the Net. Along with unending trivia, they contain important secrets and important lies. There are traps and snares." Millions of races played with the advice that filtered unsolicited across the Net. Tens of thousands had been burned thereby. Sometimes the damage was relatively minor, good inventions that weren't quite right for the target environment. Sometimes it was malicious, viruses that would jam a local net so thoroughly that a civilization must restart from scratch. Where-Are-They-Now and Threats carried stories of worse tragedies: planets kneedeep in replicant goo, races turned brainless by badly programmed immune systems.

    P
  • by Panaqqa (927615) on Thursday October 12 2006, @02:45PM (#16412707)
    Think Microsoft has patched them yet?
  • by fruey (563914) on Thursday October 12 2006, @02:47PM (#16412725)
    (http://www.caperet.com/ | Last Journal: Friday August 05 2005, @07:18AM)

    I thought that if an exploit was discovered, systems that could be infected were patched, rather than worrying too much about the virus itself staying in the wild.

    Sure, a lot of caches can keep very old content (the Wayback Machine www.archive.org would be a good example). But spread infection is mainly prevented by immunising systems, not by removing all known traces of the virus / trojan / etc. Bacteria and viruses can live in harsh conditions (relative to those that they require to thrive) but immunisation is how we battle them. Sterilisation is a big part of localised treatments (small to medium sized networks) but impractical across the whole net.

    So this is hardly big news is it? Caches holding copies of *content* people want to suddenly make unavailable, now that's an issue.

  • Easy solution for future exploits (Score:2, Insightful)

    by The Clockwork Troll (655321) on Thursday October 12 2006, @02:56PM (#16412843)
    <META NAME="ROBOTS" CONTENT="NOARCHIVE">
    <META NAME="msnbot" CONTENT="noarchive">

    Done.

  • by Sloppy (14984) on Thursday October 12 2006, @03:22PM (#16413219)
    (http://www.biglumber.com/ | Last Journal: Tuesday September 18, @12:25PM)
    This is more than just a theoretical danger.

    Yeah, if you're running your vulnerable server code out of the same cache. ;-)

    "What our latest report shows is that current processes to remove such malicious content from the Web are simply not going far enough to combat this very serious and growing threat."

    That's because removing the content doesn't combat the threat at all. Fixing the bugs that allow malicious code to work is the only way to combat the threat.

    It is useless to try to put genies back into bottles.

  • by AusIV (950840) on Thursday October 12 2006, @03:37PM (#16413391)
    Whenever there's an article about MySpace or Xanga, there are always people talking about how once you've published something to the web, you should assume it will always be available to anyone who wants it, even if you decide later you want to take it down.

    A kid may write on their Xanga about how drunk they got Thursday night, then decide to take it down Saturday, but it's always possible a future employer could come up with it anyway. Likewise, developers should assume that any exploits that have ever been mentioned on the web will always be available to anyone who wants them. Once something has been published on the web, you can't make it disappear. End of story.

  • Wayback machine (Score:1)

    by flyingfsck (986395) on Thursday October 12 2006, @03:41PM (#16413449)
    So, does the Wayback machine keep exploits forever?
  • It's kinda like Polio and Malaria... (Score:5, Insightful)

    by Goldenhawk (242867) on Thursday October 12 2006, @03:44PM (#16413469)
    (http://www.simusic.com)
    This article has (here on /.) already raised the question "Why can't we stamp out the viral code from archives?" Well, let's take a lesson here from biology.

    The human race took two different solutions to polio and malaria. (I'm not a doctor, so forgive any minor inaccuracies.)

    With malaria, we took the "stamp out the viral archive" approach. We tried to kill the carriers - the mosquitos. If we can eliminate all the mosquitos that carry the infection (like eliminating old internet caches), nobody will have to worry about getting infected. Well, guess what - it didn't work. Malaria is a HUGE problem in many third-world countries, routinely killing a million Africans a year and costing $12 BILLION annually in Africa alone (see last week's WashPost Magazine article for details; registration required: http://www.washingtonpost.com/wp-dyn/content/article/2006/10/04/AR2006100400127.html [washingtonpost.com]). The problem? You simply can't squash all the bugs. Only recently has attention turned to developing an artificial method of immunity from the disease, so that the bugs won't matter (at least, from that perspective).

    With polio, we took the approach that preventing infection was the key. We inoculated EVERYONE, so that even if the virus surfaced, it wouldn't cause infections. It's proven to be a largely effective solution, with only a few periodic pockets of infection occurring in remote parts of Africa where the youngest are not inoculated afresh. And that problem is fairly easy to control.

    Same thing here. Forget the archives. That's naive. Instead, focus on better immunity.
  • Snooze (Score:2)

    by hal9000(jr) (316943) on Thursday October 12 2006, @03:49PM (#16413541)
    So what? I find exploit code all the time, weeks, months, years after the fact. It's called Packet Storm Security [packetstormsecurity.org] or elsewhere.

    Hell, google.com cache pages are great for shit like this.
  • Almost literally? (Score:5, Funny)

    by tobiasly (524456) on Thursday October 12 2006, @03:51PM (#16413589)
    (http://www.tobiasly.com/)
    It's almost literally malware 'life after death.'

    But is it almost literally, or literally almost? What would make it true life after death? (Literally)

  • Old exploits... (Score:2)

    by Lead Butthead (321013) on Thursday October 12 2006, @03:53PM (#16413617)
    To the tone of a speech by a famous U.S. General --

    "Old (exploits) never die, they only (hide) away (in proxy cache...)"
  • Does anyone else remember when if you wanted to be sure something would remain available for a few weeks, you just posted it to usenet?
  • Like Joe Rogan said (Score:5, Funny)

    Trying to get something off of the internet is like trying to get pee out of a pool.

    Why not just patch the vulnerabilities? If publishers would fix their shortcomings then it wouldn't be an issue.

    LK
  • ummm... (Score:2)

    by oohshiny (998054) on Thursday October 12 2006, @08:51PM (#16417581)
    You don't fix security holes by trying to track down all the code that exploits it on the web, you fix security holes by fixing the software containing the security hole. So, it doesn't matter how long this stuff stays in anybody's cache.
  • Re:it's history (Score:2)

    by trongey (21550) on Thursday October 12 2006, @02:32PM (#16412535)
    why erase it?

    Because that's what you do with bits of history that you don't like.
    Or you can take the easy way out and just revise it.
  • on with the slashdot mantra (Score:3, Funny)

    by russ1337 (938915) on Thursday October 12 2006, @02:51PM (#16412777)
    (http://nzruss.blogspot.com/)
    It's important to cache, so you can find gems like this! [google.com]
  • by Overloadplanetunreal (603019) on Thursday October 12 2006, @02:54PM (#16412803)
    That is exactly what I thought. I don't understand what the issue is.
  • Re:this is batshit insane (Score:3, Interesting)

    by geoffspear (692508) on Thursday October 12 2006, @03:22PM (#16413231)
    (http://www.geoffreyspear.com/)
    Umm, the problem isn't exploits that attack the web server they're running on, it's exploits that attack the browser they're being viewed with, making the cache sites as dangerous to users as the original sites with the exploits on them. Or, at least, dangerous to those users who still use an unpatched copy of IE that's vulnerable to these old exploits. And really, viewing a cache of a formerly malicious site is probably the least likely way they're going to get exploited.