New crimeware toolkit infects over 10,000 U.S. Websites
http://www.echannelline.com/canada/story.cfm?item=DLY021108-3
Finjan Inc. says its Malicious Code Research Center (MCRC) has identified yet another significant new Web attack — the latest in a genre of crimeware that threatens to turn highly trusted Websites into insidious traps for unwary visitors. The attack, which Finjan designated as “random js toolkit”, is an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan’s “master” (read: cyber-criminal).
More than 10,000 Websites in the U.S. were infected in December by this latest malware, the company said. Data stolen by the Trojan can include documents, passwords, surfing habits, or any other sensitive information of interest to the criminal.
Finjan is a San Jose, Calif.-based vendor of real-time secure gateway and anti-crimeware solutions.
The attack is described in detail in Finjan’s latest “Malicious Page of the Month” report. Among other things, that report states that, in order to safeguard end users from these malicious Web threats, businesses should opt for real-time inspection technologies that analyze each piece of Web content regardless of its URL, context, and appearance. “Attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are clearly too little, too late when it comes to providing adequate protection to today’s dynamic and evasive Web threats.”
The random js toolkit is JavaScript code that is generated dynamically and changes every time it is accessed. As a result, it is almost impossible for traditional signature-based anti-malware products to detect. Explained Finjan CTO Yuval Ben-Itzhak, “Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of ‘highly-trusted-doubtful’ domains serves only as a limited defense against this attack vector.”
What’s needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time, Ben-Itzhak said.
“This technology doesn’t depend on the origin URL, signature or the site’s reputation, but inspects the Web content in real-time, as served,” he said. “It analyzes the code’s intentions before enabling it to be executed on the end-user browser.”
Ben-Itzhak noted that the random js toolkit is an example of the recent trend among cyber-criminals to undermine trusted Websites.
“In mid-year 2007, studies showed there were nearly 30,000 new infected Web pages being created every day. About 80 percent of those pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse.”
The attack is executed by dynamically embedding scripts into a Web page. Each embedded script is given a random filename that can be retrieved only once. The embedding is done so selectively that once a user has received a page containing the malicious script, the script is not referenced again on that user’s further requests. This method prevents detection of the malware in later forensic analyses, the company said.
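The serving pattern described above leaves a trace in the site’s own access logs even after the script itself can no longer be fetched. As an added defender-side example (not from the article or the Finjan report), the Python below runs over constructed Apache-style log lines and flags JavaScript paths that were served with a 200 exactly once, to a single client, under a random-looking filename; the log format, the paths and the 404 on re-request are assumptions made for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (Apache-style; illustration only). Two visitors each
# receive a random-named script once; the first visitor's re-request is refused with 404.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2008:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [11/Feb/2008:10:01:03 +0000] "GET /js/menu.js HTTP/1.1" 200 2048
10.0.0.5 - - [11/Feb/2008:10:01:03 +0000] "GET /js/q8v2k1zx7m3n.js HTTP/1.1" 200 913
10.0.0.9 - - [11/Feb/2008:10:02:11 +0000] "GET /js/menu.js HTTP/1.1" 200 2048
10.0.0.9 - - [11/Feb/2008:10:02:11 +0000] "GET /js/a0d4f8h2j6l9p.js HTTP/1.1" 200 921
10.0.0.5 - - [11/Feb/2008:10:05:40 +0000] "GET /js/q8v2k1zx7m3n.js HTTP/1.1" 404 210
10.0.0.12 - - [11/Feb/2008:10:06:00 +0000] "GET /js/menu.js HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) \S+" (\d{3}) ')

def parse_log(log_text):
    """Yield (client, path, status) for every line matching the assumed log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def shannon_entropy(text):
    """Bits per character; random filenames score higher than dictionary words."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def find_one_shot_scripts(log_text, min_entropy=3.0):
    """Flag .js paths served with 200 exactly once, to one client, under a random-looking name."""
    hits = defaultdict(list)      # path -> clients that received a 200
    refusals = defaultdict(int)   # path -> non-200 answers after the script was served
    for client, path, status in parse_log(log_text):
        if not path.lower().endswith(".js"):
            continue
        if status == 200:
            hits[path].append(client)
        elif path in hits:
            refusals[path] += 1
    findings = []
    for path, clients in hits.items():
        basename = path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
        entropy = shannon_entropy(basename)
        if len(clients) == 1 and entropy >= min_entropy:
            findings.append({"path": path, "client": clients[0],
                             "entropy": round(entropy, 2), "later_refusals": refusals[path]})
    return sorted(findings, key=lambda f: f["path"])
```

On the sample, the two random-named scripts are reported and the shared menu.js is not; a later refusal count above zero is the strongest hint that the path was single-use, which is exactly why a post-incident crawl of the site will no longer find the script.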
To download the report, visit http://www.finjan.com.