Attackers infected at least 10,000 trusted Web sites with malware last month using the Random.JS Trojan toolkit, according to Web gateway security vendor Finjan Inc.
Finjan's Malicious Code Research Center (MCRC) warned that Random.JS is an exceptionally sneaky Trojan that infects the targeted machine and sends data from the machine back to the bad guys controlling it via the Internet. Finjan CTO Yuval Ben-Itzhak said in an interview Thursday that data stolen by the Trojan can include documents, passwords, surfing habits and other forms of sensitive information.
"Random.JS uses varying methods to remain undetected and keep spreading," he said. "It is able to break antivirus signatures and store malware on legitimate sites."
"Signaturing a dynamic script is not effective," he said. "Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of 'highly-trusted-doubtful' domains serves only as a limited defense against this attack vector."
The Random.JS attack is performed by dynamically embedding scripts into a Web page, he said. The embedded script is served under a random filename that can be accessed only once, and the selection is so precise that once a user has received an infected page, it is not referenced again on further requests. This method prevents detection of the malware in later forensic analysis.
Finjan has alerted administrators of infected sites and the malicious code has since been removed.
Ben-Itzhak said Random.JS reflects a trend in which hackers try to undermine trusted sites. In mid-2007, he said, studies indicated that nearly 30,000 new infected Web pages were being created per day. About 80% of infected pages have hosted malware or have used drive-by downloads to inject malicious content onto victims' machines.
In September, Ben-Itzhak warned that cybercriminals need less technical expertise to conduct attacks that steal credit card numbers and other sensitive information, thanks to a rising number of packaged software toolkits that automate most of the technical work. Once purchased for only a few hundred dollars, a toolkit can be installed on a server to begin harvesting data. A software program produces reports that show attack successes and failures, how many users are infected and the location of the most lucrative targets. It also automatically receives exploit updates for new vulnerabilities that hackers are finding.
The list of attack toolkits includes MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit, along with newer toolkits like Random.JS, vipcrypt, makemelaugh and dycrypt.
Other security vendors have warned of the rising use of attack toolkits in recent months, including Symantec Corp., which released its own report on the threat last year.