Finjan Inc. announced that its Malicious Code Research Center has identified yet another significant new web attack - the latest in a genre of crimeware that threatens to turn highly trusted web sites into insidious traps for unwary visitors. The random js toolkit was detected using Finjan's patented real-time code inspection technology while diagnosing users' web traffic during December 2007. The random js toolkit is a JavaScript code that is created dynamically and changes every time it is being accessed. As a result, it is almost impossible to be detected by traditional signature-based anti-malware products.
More than 10,000 websites in the US were infected in December by this latest malware. The attack, which Finjan has designated "random js toolkit," is an extremely elusive crimeware Trojan that infects an end user's machine and sends data from the machine via the Internet to the Trojan's "master", a cybercriminal. Data stolen by the Trojan can include documents, passwords, surfing habitats, or any other sensitive information of interest to the criminal. Ben-Itzhak noted that the random js toolkit is an example of the recent trend among cybercriminals to undermine 'trusted' web sites.
The attack is described in detail in Finjan's latest "Malicious Page of the Month" report released. The report explores the new attack vector in depth, providing an illustration of the attack in action, as captured "in the wild"; an analysis of the effectiveness of its evasive techniques; examples of high-ranked and trusted domains that were compromised by this attack technique; and an analysis of a successful exploitation. The random js attack is performed by dynamic embedding of scripts into a webpage. It provides a random filename that can only be accessed once.
"Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of 'highly-trusted-doubtful' domains serves only as a limited defense against this attack vector," stated Finjan CTO Yuval Ben-Itzhak.
This report describes findings related to a new genre of crimeware Trojans that utilize regular Web 2.0 technology and websites to provide cybercriminals with an easy and scalable command and control scheme. The latest “Trojan 2.0” attacks exploit the trust that legitimate web services enjoy vis-a-vis reputation-based security services.
"What's needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time," commented Ben-Itzhak. "This technology doesn't depend on the origin URL, signature or the site's reputation, but inspects the Web content in real-time, as served. It analyzes the code's intentions before enabling it be executed on the end-user browser."
This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses. Finjan's research into the random js toolkit found that around 10,000 legitimate domains served the malicious code in December. Among the infected web sites, Finjan identified highly trusted domains. Finjan alerted administrators of both sites, and the malicious code was subsequently removed from the sites and is no longer active.
Software Security Solutions, Inc., a technology firm specializing in security solutions for small and medium-sized businesses, published a guide to aid firms in the task of building layered security protection for vulnerable networked environments. The guide helps clarify how SMBs should evaluate anti-virus software and includes links to independent testing laboratories that provide unbiased reports on all major players as well as the increasingly important "second-tier" companies in the anti-virus field..jpg&max=85)
