Crimeware toolkit targets 10,000 trusted sites
By Davey Winder in Editorial
Posted in Data Protection, Blog, Spyware, Security, Internet on
The Finjan Malicious Code Research Center is reporting that a crimeware Trojan named ‘random js toolkit’ is threatening to turn highly trusted websites into lucrative money-making traps for the online underworld. Finjan has identified in excess of 10,000 sites in the US that were infected by the toolkit Trojan in December alone, and the actual figure is likely to be much higher, as it is an extremely elusive little bugger which can avoid detection unless some kind of real-time code inspection technology is being used.
The payload, unsurprisingly, is the theft of data from the machines of those unlucky enough to get infected. Data such as documents, passwords, surfing habits, pretty much anything and everything required to do the identity theft thing.
Finjan has published an in-depth report covering a random js toolkit attack, but the basics are as follows:
The random js attack is performed by dynamically embedding scripts into a web page. It provides a random filename that can only be accessed once. This dynamic embedding is done so selectively that once a user has received a page with the embedded malicious script, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analysis.
random js toolkit is JavaScript code that is created dynamically and changes every time it is accessed, making it almost impossible to detect with traditional signature-based anti-malware products, because writing signatures for dynamic script or exploit code is not effective. Even keeping an up-to-date list of very dodgy domains cannot fully protect against such a dynamic exploit.
“What’s needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time,” Yuval Ben-Itzhak, Finjan CTO, explains. “This technology doesn’t depend on the origin URL, signature or the site’s reputation, but inspects the Web content in real-time, as served. It analyzes the code’s intentions before enabling it to be executed on the end-user browser.”
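The serve-once, random-filename behaviour described above is exactly what a defender can look for in content captured as served (say, from a web proxy): a script reference that shows up in one capture of a page but not in the others, with a filename that looks random. The following is an added example, not code from Finjan or from the report; the captured responses, the `/tmp/...` script names and the entropy threshold are all constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed sample: the same page as served to three different visitors,
# captured at serving time (e.g. by a proxy). Not data from the Finjan report.
CAPTURED_RESPONSES = [
    '<html><head><script src="/js/jquery.js"></script>'
    '<script src="/js/menu.js"></script></head><body>'
    '<script src="/tmp/q7x9z2kf4m.js"></script>Welcome</body></html>',
    '<html><head><script src="/js/jquery.js"></script>'
    '<script src="/js/menu.js"></script></head><body>Welcome</body></html>',
    '<html><head><script src="/js/jquery.js"></script>'
    '<script src="/js/menu.js"></script></head><body>'
    '<script src="/tmp/b3wn8dp1yz.js"></script>Welcome</body></html>',
]

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.IGNORECASE)


def script_sources(html):
    """Return the external script references found in one served page."""
    return SCRIPT_SRC.findall(html)


def shannon_entropy(s):
    """Bits per character of a string; random filenames score higher than
    dictionary-like names such as 'jquery' or 'menu'."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def basename_stem(path):
    """'/tmp/q7x9z2kf4m.js' -> 'q7x9z2kf4m'."""
    return path.rsplit("/", 1)[-1].rsplit(".", 1)[0]


def find_one_time_scripts(responses, entropy_threshold=3.0):
    """Flag script references that appear in exactly one of several captures
    of the same page and whose filename looks random. Scripts that the site
    serves consistently are ignored. The threshold is an assumed heuristic."""
    seen = Counter(src for r in responses for src in set(script_sources(r)))
    return sorted(
        src for src, count in seen.items()
        if count == 1 and shannon_entropy(basename_stem(src)) >= entropy_threshold
    )


if __name__ == "__main__":
    print(find_one_time_scripts(CAPTURED_RESPONSES))
```

Because the toolkit never references the same filename twice, this comparison only works on content recorded as it was served; re-fetching the page afterwards, as in a later forensic analysis, will not reproduce the reference.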
Of course, although extremely worrying as an individual exploit, the bigger picture is even scarier right now. Finjan reckons that at least 30,000 new infected web pages are being created every single day, and that around 80 percent of those hosting malicious software or drive-by downloads were actually located on hacked or hijacked machines.
Did I mention that the above statistics were from the middle of 2007, and that Ben-Itzhak tells me that “today the situation is much worse”?
Comment by Richard - January 15, 2008 on 12:31 pm
Well I guess using Firefox and NoScript is a bit of help - depends on what you want from the site I suppose.
Do you have any advice for the cautious user to help avoid this little gem?
Comment by JED SLADE - May 4, 2008 on 7:36 pm
The only way I can see is to disable JavaScript. I came across an infected webpage today dealing with barges for sale, this is the site—etnofest.nsk.ru/documents/image/sebastion-likan/thumbs/nobugcoe.htmlo–it requested you click on and download an ActiveX module, which turned out to be a porn film; on not playing it, the real culprit pops up–XP INLINE SCANNER–a 2008 program which downloads trojans, nasty cookies, viruses and other real bad naughtiness, in order to force you into buying/using/downloading the XP SCANNER. Pure poison, avoid like the plague.