Posted on 01/14/2008 1:30:13 PM PST by Ernest_at_the_Beach
Web gateway filtering specialist Finjan is reporting a new toolkit that uses randomized JavaScript to stay hidden from virus crawlers and deliver its payload via compromised Web sites.
Dubbed by Finjan's Malicious Code Research Center (MCRC) as the "Random JS Toolkit," the malware development package is allowing attackers to create threats that only attempt to victimize an individual computer in the same manner a single time to protect against discovery by anti-virus systems and researchers' automated "crawlers."
By dynamically changing the JavaScript employed to deliver each variant of attack being created, and by using random file names that are only delivered to the same machine or IP address once, Finjan researchers said the malware authoring package is meant to avoid the programs used by AV researchers to find new threats emerging on the Web.
Typically when automated crawler programs come across new attack samples, they return to the threats' source URLs to verify their names and characteristics and to create signature files that allow their products to block the programs -- or they enter the sites onto so-called blacklists of compromised domains.
However, once a machine has been infected with an attack made using the Random JS Toolkit, the threat will recognize that the machine has already been targeted and won't attempt to download it again, thereby thwarting efforts to identify or track the exploits, Finjan experts contend.
During the month of December 2007, Finjan estimates that more than 10,000 individual sites were compromised with attacks built using the Random JS Toolkit. Most of the URLs serving as distribution points for the attacks were legitimate sites that had been hijacked, the company said.
Among the infected sites were some that would qualify as well-known, highly trusted domains, said Yuval Ben-Itzhak, chief technology officer of Finjan.
Ben-Itzhak said the toolkit serves as a prime example of the types of tactics he expects leading-edge malware authors to utilize more frequently in the coming year.
"We've found the initial 10,000 sites, but we're sure that there are many more that have already been infected. When we can find this number of exploits, it is clear that this must be a very significant attack that has affected a lot of people," he said. "Using the combination of techniques available in this toolkit, the threats that are being created can become very powerful and stay alive to infect people for longer periods of time."
Among the types of malware infections being served up using the toolkit, Finjan has observed everything from Trojan viruses and keystroke loggers to botnet recruiting programs, he said.

Matt Hines is a senior writer at InfoWorld.
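One defender-side way to blunt the per-visitor randomization described in the article, as an added example that is not part of the original post or of Finjan's tooling: fingerprint each fetched script on its token structure, so that variants differing only in identifier names, string literals and numeric constants collapse to one hash and can be clustered even when every visitor receives a different file. The two "variant" scripts and the benign script below are constructed samples; the keyword list is an assumption, not a complete JavaScript grammar.

```python
"""Structural fingerprint for JavaScript samples whose identifiers, strings and
constants are randomized per delivery (constructed defender-side example)."""
import hashlib
import re

# Comments are matched before punctuation so "//" is not split into "/" "/".
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')
  | (?P<number>\d+(?:\.\d+)?)
  | (?P<ident>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<ws>\s+)
  | (?P<punct>.)
""", re.VERBOSE | re.DOTALL)

# Reserved/structural words are kept verbatim (assumed list); every other
# identifier is renamed ID0, ID1, ... in order of first appearance.
KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "for",
            "while", "new", "this", "typeof", "try", "catch", "document", "window"}

def normalize(js):
    """Token stream with identifiers -> ID<n>, strings -> STR, numbers -> NUM."""
    names, out = {}, []
    for m in TOKEN_RE.finditer(js):
        kind, tok = m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue                      # layout and comments carry no structure
        if kind == "string":
            out.append("STR")
        elif kind == "number":
            out.append("NUM")
        elif kind == "ident" and tok not in KEYWORDS:
            out.append(names.setdefault(tok, "ID%d" % len(names)))
        else:
            out.append(tok)
    return out

def fingerprint(js):
    """SHA-256 over the normalized token stream; equal for renamed variants."""
    return hashlib.sha256(" ".join(normalize(js)).encode()).hexdigest()

def cluster(samples):
    """Group a {name: source} dict by structural fingerprint."""
    groups = {}
    for name, src in samples.items():
        groups.setdefault(fingerprint(src), []).append(name)
    return groups

# Constructed samples: two per-visitor variants of the same hex-decode loop
# (random names, string, XOR constant and layout) and one unrelated script.
VARIANT_A = '''var qzr = "68746d6c"; var wsd = 7;
function kpl(s){ var r=""; for(var i=0;i<s.length;i+=2){ r+=String.fromCharCode(parseInt(s.substr(i,2),16)^wsd); } return r; }
document.write(kpl(qzr));'''
VARIANT_B = '''// 8f3a random filler comment
var aa1="6a6b6c";var bb2=13;
function cc3(t){var u="";for(var j=0;j<t.length;j+=2){u+=String.fromCharCode(parseInt(t.substr(j,2),16)^bb2);}return u;}
document.write(cc3(aa1));'''
BENIGN = 'function greet(name){ alert("Hello, " + name); }'
```

Real toolkits also reorder statements and insert junk code, so in practice this token-level hash is one feature among several (e.g. AST shape, called DOM APIs) rather than a sole detector.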
Continued.......
This is page 1 of 2......
*****************EXCERPT*********************
Most of the data the security company has seen being sent to the server has been related to online banking username and password data, he said.
As part of its investigation, Finjan discovered that one of the Web properties infected with the randomized JavaScript attacks was an online advertising network that serves up as many as 14 million online banner ads per week. The security device maker reported that unnamed company was informed and is currently working to clean out its systems.
What is so hard about making a robust virtual machine? Sandboxing all untrusted code in a robust VM would solve 99.99% of these attacks, would it not?
Microsoft users believe in simple stuff......
i.e., what’s this Root password stuff, anyway?
I am beginning to wonder if the notion of a "trusted Internet website" isn't obsolete. NoScript is a PITA, but maybe it is now mandatory.