Trojan toolkit infected 10,000 Web sites in December

Finjan's Malicious Code Research Center has uncovered an attack toolkit used to infect Web sites that are typically considered trustworthy. It infected 10,000 sites in December.

Attackers infected at least 10,000 trusted Web sites with malware last month using the Random.JS Trojan toolkit, according to Web gateway security vendor Finjan Inc.

Finjan's Malicious Code Research Center (MCRC) warned that Random.JS is an exceptionally sneaky Trojan that infects the targeted machine and sends data from the machine back to the bad guys controlling it via the Internet. Finjan CTO Yuval Ben-Itzhak said in an interview Thursday that data stolen by the Trojan can include documents, passwords, surfing habits and other forms of sensitive information.

"Random.JS uses varying methods to remain undetected and keep spreading," he said. "It is able to break antivirus signatures and store malware on legitimate sites."

The attack is described in detail in Finjan's latest "Malicious Page of the Month" report, available on the Finjan Web site. The Random.JS toolkit is a piece of JavaScript code that morphs every time it is accessed, Ben-Itzhak said. As a result, it's nearly impossible to detect with traditional signature-based anti-malware products.

"Signaturing a dynamic script is not effective," he said. "Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of 'highly-trusted-doubtful' domains serves only as a limited defense against this attack vector."

The Random.JS attack works by dynamically embedding scripts into a Web page, he said. The toolkit serves the script under a random filename that can be accessed only once, and it does so selectively: once a user has received the infected page, the script is not referenced again on further requests. This method prevents detection of the malware in later forensic analyses.
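The serve-once behavior described above suggests one check a site owner can run: capture the same page twice from one client and list the scripts referenced only on the first visit. The sketch below is an added example, not code from Finjan's report or from this article; the snapshots, file names and function names are constructed for illustration.

```javascript
'use strict';

// Collect the src of every <script> tag in an HTML string.
// A regex is enough for triage of saved snapshots; it is not a full HTML parser.
function scriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const found = new Set();
  for (const m of html.matchAll(re)) found.add(m[1] ?? m[2] ?? m[3]);
  return found;
}

// Shannon entropy (bits per character) of the script's base name.
// Used only to rank results: machine-generated names tend to score higher.
function nameEntropy(src) {
  const base = src.split(/[?#]/)[0].split('/').pop().replace(/\.js$/i, '');
  if (!base) return 0;
  const counts = {};
  for (const ch of base) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / base.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Scripts referenced on the first visit but absent on the second,
// highest name entropy first.
function oneTimeScripts(firstHtml, secondHtml) {
  const later = scriptSources(secondHtml);
  return [...scriptSources(firstHtml)]
    .filter((src) => !later.has(src))
    .map((src) => ({ src, entropy: nameEntropy(src) }))
    .sort((a, b) => b.entropy - a.entropy);
}

// Constructed snapshots of the same URL, fetched twice by one client.
const firstVisit = `<html><head>
<script src="/js/site.js"></script>
<script src='/js/qzkvt.js'></script>
</head><body>Welcome</body></html>`;
const secondVisit = `<html><head>
<script src="/js/site.js"></script>
</head><body>Welcome</body></html>`;

console.log(oneTimeScripts(firstVisit, secondVisit));
```

Pages with rotating ad tags or cache-busting query strings will also show differences between visits, so the output is a list of leads to review against the site's known assets, not a verdict.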

Finjan has alerted administrators of infected sites and the malicious code has since been removed.

Ben-Itzhak said Random.JS reflects a trend in which hackers are trying to undermine trusted sites. In mid-2007, he said, studies indicated that nearly 30,000 new infected Web pages were being created per day. About 80% of infected pages have hosted malware or have used drive-by downloads to inject malicious content onto victims' machines.

In September, Ben-Itzhak warned that cybercriminals need less technical expertise to conduct attacks to steal credit card numbers and other sensitive information, thanks to a rising number of packaged software toolkits that automate most of the technical work. Once purchased for only a few hundred dollars, the toolkit can be installed on a server to begin harvesting data. A software program produces reports that show attack successes and failures, how many users are infected and the location of the most lucrative targets. It also automatically receives exploit updates on new vulnerabilities that hackers are finding.

The list of attack toolkits includes MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit, along with newer toolkits like Random.JS, vipcrypt, makemelaugh and dycrypt.

Other security vendors have warned of the rising use of attack toolkits in recent months, including Symantec Corp., which released its own report on the threat last year.
