Posts Tagged ‘cache’

Yes, Search Engines Can Infect Your Computer

March 8th, 2010

Search engines like Google, Yahoo and Bing offer users the ability to scour the plethora of information on the Internet. These search engines index content on websites and often maintain cached copies of these sites so that, in the event that the site is unavailable, visitors can still view the contents of the website.

Unfortunately, the idea of page caching has not been implemented well. In fact, page caching has opened up new opportunities for malware. The primary problem, from a security perspective, is that when search engines cache copies of websites, they also store any malware present on those sites on their own infrastructure.

Hackers Exploit Search Engine Page Caches

Most large search engines use some kind of malware analysis to determine whether a website is compromised. Google, for example, has a well-tuned system with high accuracy. In our meeting with the Google malware team some months ago, we were glad to find that they were already aware of this problem. In the weeks following our interaction, cached copies of infected websites were no longer easily available via searches.

Not so long ago, we wrote an article about our efforts to alert Yahoo to the presence of malware in the cached versions of various web pages served up by their search engine. Our efforts were not successful, although the occurrence of malware in Yahoo cached pages seems to have gone down significantly. Perhaps our messages were not entirely ignored.

Recently, an article came up on ISC SANS discussing this very same issue.

Recently, we have found instances of Bing serving up malware in their cached pages. It seems that Bing’s malware detection methods are not able to reliably detect malware on cached web pages. This keeps Bing from protecting its users against cached pages that contain malware. We have provided screen shots below as an example of the issue. In this particular case, the strain of malware found in Bing cached pages has been around since 2009.

Search Engines Ignore the Problem

Consider the case where a malicious individual deliberately infects a website with malware and Bing (or another search engine) indexes it. The malicious individual can then send out hyperlinks pointing to the cached web pages hosted by Bing. Any kind of “reputation-checking” for the cached link will confirm that the page is hosted by a reputable company, in this case, Bing (Microsoft). However, the malware will still be able to deliver its payload. Just in case you’re thinking, “my antivirus will protect me from the malware on the cached page,” you may like to read this article.
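The gap in host-based reputation checking described above, and a check that closes it, as an added example that is not part of the original post. The cache endpoint, its "u" parameter, the hostnames and the reputation table are all constructed for illustration; real search engines use their own cache URL formats.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed for this example: a cache endpoint and the query parameter that
# carries the original page URL. Real search engines use their own formats.
CACHE_ENDPOINTS = {("cache.search.example", "/cache"): "u"}

# Constructed reputation data standing in for a real reputation feed.
REPUTATION = {
    "cache.search.example": "trusted",
    "news.example": "trusted",
    "infected-shop.example": "malicious",
}


def host_verdict(url):
    """Reputation of the serving host only: the check a cache link passes."""
    host = (urlsplit(url).hostname or "").lower()
    return REPUTATION.get(host, "unknown")


def unwrap_cache_link(url):
    """Return (is_cache_link, original_url or None)."""
    parts = urlsplit(url)
    param = CACHE_ENDPOINTS.get(((parts.hostname or "").lower(), parts.path))
    if param is None:
        return False, None
    values = parse_qs(parts.query).get(param, [])
    if not values:
        return True, None
    origin = values[0]
    return True, origin if "://" in origin else "http://" + origin


def origin_verdict(url, max_hops=3):
    """Score a link by the page that was copied, not by who serves the copy."""
    for _ in range(max_hops):
        is_cache, origin = unwrap_cache_link(url)
        if not is_cache:
            return host_verdict(url)
        if origin is None:
            return "unknown"  # never inherit the cache host's reputation
        url = origin
    return "unknown"  # cache links nested too deeply to resolve


# Constructed sample link: a cached copy of a page from a known-bad site.
CACHED = "https://cache.search.example/cache?d=1&u=http%3A%2F%2Finfected-shop.example%2Fdeals"
```

For the sample link, host_verdict returns "trusted" while origin_verdict returns "malicious"; a cache link whose original URL cannot be recovered is scored "unknown" rather than trusted.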

It is surprising to see that search engines like Bing, which claim to implement malware detection, cannot correctly determine if a cached copy of a web page hosts malware! In these cases, Bing ends up being an excellent attack vector for a malicious individual.

It remains to be seen if search engine companies will continue to serve up cached pages laced with malware at the same time as they are touting active scan and detection mechanisms. Let’s hope this article can get attention in the upper echelons of management at these large search giants and they start to pay attention to this problem.

Screen shots follow below:

Report, Security

Is Yahoo Really Hosting Malware?

November 25th, 2009

Yahoo’s cached pages may be distributing malware.

Yahoo has allowed users, for several years, to use the “cached pages” option displayed along with its search results on Yahoo-Search. Yahoo has partnered with McAfee’s SearchScan to provide safer searches since about May 2008. This is all good. The intention of providing safer searches to visitors is very noble. Google, too, has led the pack in this direction by opening up its SafeBrowsing API and by providing visual warnings in search results boldly claiming “Warning visiting this website may harm your computer”.

Stopthehacker.com has tried to communicate with executives at Yahoo since April 2009 about the potential problems that we have been observing in their cached pages. This has not been met with any real response.

The problem is simple, but very important. Cached versions of web pages displayed on Yahoo Search often contain malware code embedded in them. This is a phenomenon that we have observed repeatedly.

Consider one of our many attempts at communicating this issue to Yahoo (message shortened for brevity).

We have found that Yahoo’s cache results, even with SearchScan on, do not detect the presence of malware on its cached copies of webpages. I have attached some screen shots which prove the point.

Our scanners flagged the code in the cached copies right away. The site in question, for which I looked up Yahoo’s cache is http://www.xxxxxxxx.com

More info on our response to this site is available at http://xxxxxxxxxx.xxx/**stripped**

The screen shots attached with this post show an example of a website which was scraped by Yahoo’s spider, indexed and cached and then when accessed via its search results, pops up the malware code. There does not seem to be any kind of sanitization/scrubbing process going on in the background.

Worryingly, this problem gives rise to a very effective attack vector, where a malicious individual can compromise a site or even simply create a site that contains malicious code. Once the site is crawled by Yahoo’s spider, and is loaded in the cache, the link to this cached page becomes an excellent attack vector to use for social engineering, as it carries the sense of security that comes with Yahoo’s brand name. No need to exploit XSS/CSRF, no back-breaking hours of toil and sweat need to be put in discovering flaws in a site. Just get the infected pages cached in Yahoo! and voila, you have a live exploit launched from official Yahoo property.

Considering that Yahoo search had 18% of the search market in October 2009, the number of visitors to the site is non-trivial! Moreover, Yahoo’s brand image can suffer if this phenomenon becomes more widespread or well-known.

Given my failed efforts to discuss this with Yahoo, at this point, I can only hope that this does not become more popular.

I cannot understand how Yahoo is employing SearchScan technology to provide safer search results to visitors, yet fails at the back-end to identify cached pages loaded with malware.

Till next time.

News, Security