Trojan toolkit infected 10,000 Web sites in December

By Bill Brenner, Senior News Writer
14 Jan 2008 | SearchSecurity.com

Security Wire Daily News

Attackers infected at least 10,000 trusted Web sites with malware last month using the Random.JS Trojan toolkit, according to Web gateway security vendor Finjan Inc.


Finjan's Malicious Code Research Center (MCRC) warned that Random.JS is an exceptionally sneaky Trojan that infects the targeted machine and sends data from the machine back to the bad guys controlling it via the Internet. Finjan CTO Yuval Ben-Itzhak said in an interview Thursday that data stolen by the Trojan can include documents, passwords, surfing habits and other forms of sensitive information.

"Random.JS uses varying methods to remain undetected and keep spreading," he said. "It is able to break antivirus signatures and store malware on legitimate sites."

The attack is described in detail in Finjan's latest "Malicious Page of the Month" report, available on the Finjan Web site. The Random.JS toolkit is a piece of JavaScript code that morphs every time it is accessed, Ben-Itzhak said. As a result, it's nearly impossible to detect with traditional signature-based anti-malware products.

"Signaturing a dynamic script is not effective," he said. "Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of 'highly-trusted-doubtful' domains serves only as a limited defense against this attack vector."


The Random.JS attack works by dynamically embedding scripts into a Web page, he said. The script is served under a random filename that can be accessed only once, and delivery is selective: once a user has received an infected page, it is not referenced again on further requests. This prevents detection of the malware in later forensic analysis.
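Because a once-only script cannot be fetched again after the fact, the record made at delivery time is what a defender has to work with. The following is an added example, not code from Finjan or from the article: a heuristic that scans Web proxy logs for pages that hand each visitor a different script URL that is never requested again. The log format, hostnames and threshold are constructed assumptions.

```python
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample, one request per line: "client_ip script_url referring_page".
SAMPLE_LOG = """\
10.0.0.5 http://news.example/static/site.js http://news.example/
10.0.0.6 http://news.example/static/site.js http://news.example/
10.0.0.5 http://shop.example/qkzvw.js http://shop.example/index.html
10.0.0.6 http://shop.example/xbtrj.js http://shop.example/index.html
10.0.0.7 http://shop.example/mhdpg.js http://shop.example/index.html
10.0.0.5 http://shop.example/js/cart.js http://shop.example/index.html
10.0.0.6 http://shop.example/js/cart.js http://shop.example/index.html
10.0.0.7 http://shop.example/js/cart.js http://shop.example/index.html
10.0.0.9 http://blog.example/theme.js http://blog.example/post
"""

def one_shot_script_pages(log_text, min_names=3):
    """Return {referring page: [script URLs]} for pages whose visitors each
    fetched a different .js URL that appears exactly once in the log.

    A static page references the same scripts for every visitor, so a page
    that accumulates many single-use script names deserves a closer look.
    min_names is an assumed threshold; tune it to the traffic volume.
    """
    fetches = defaultdict(Counter)  # referring page -> Counter of script URLs
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        _client, url, referer = parts
        if urlsplit(url).path.lower().endswith(".js"):
            fetches[referer][url] += 1

    flagged = {}
    for page, scripts in fetches.items():
        once = sorted(u for u, n in scripts.items() if n == 1)
        if len(once) >= min_names:
            flagged[page] = once
    return flagged

if __name__ == "__main__":
    for page, urls in one_shot_script_pages(SAMPLE_LOG).items():
        print(page, "->", ", ".join(urls))
```

A flagged page is a lead for review rather than a verdict, since low-traffic pages can also show scripts that were requested only once.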

Finjan has alerted administrators of infected sites and the malicious code has since been removed.

Ben-Itzhak said Random.JS reflects a trend where hackers are trying to undermine trusted sites. In mid-2007, he said, studies indicated nearly 30,000 new infected Web pages being created per day. About 80% of infected pages have hosted malware or have used drive-by downloads to inject malicious content onto victims' machines.

In September, Ben-Itzhak warned that cybercriminals need less technical expertise to conduct attacks to steal credit card numbers and other sensitive information, thanks to a rising number of packaged software toolkits that automate most of the technical work. Once purchased for only a few hundred dollars, a toolkit can be installed on a server to begin harvesting data. A software program produces reports that show attack successes and failures, how many users are infected and the location of the most lucrative targets. It also automatically receives exploit updates on new vulnerabilities that hackers are finding.

The list of attack toolkits includes MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit, along with newer toolkits like Random.JS, vipcrypt, makemelaugh and dycrypt.

Other security vendors have warned of the rising use of attack toolkits in recent months, including Symantec Corp., which released its own report on the threat last year.


