Finjan has examined the new wave of Chinese attacks and the mechanisms used, and claims to have identified an "intricate network of connections" between China-based servers run by cyber-criminals.
The security firm has discovered that the entry points that initiate the attack on users "in the wild" exist all over the world and are eventually associated with servers registered as Chinese domains.
The attackers are spreading the assaults by placing entry points on a variety of websites in different regions and listed differently by URL categorisation engines.
The infection consists of either an Iframe or a Script tag placed on the website that causes users visiting the site to be attacked.
Examples for such entry point regions are shown in Finjan's December 2007 Malicious Page of the Month Report, and were found on trusted websites in the US, China and Western Europe, including government and education sites.
After the victim reaches an entry point, the attackers use dynamic code obfuscation methods to limit signature-based technologies from detecting the attack.
The victim is redirected to a series of sites containing Iframes that will eventually force the victim to visit a site that belongs to the Chinese network.
In the first part of the actual malicious attack, the cyber-criminals use new or known exploits that will infect the victim with a crimeware Trojan.
"After the initial Trojan is loaded it initiates the downloading of other Trojans from different locations. The compromised computer will then redirect to other sites in order to send statistical information about the infected PC," the firm stated.
"Finjan has discovered that different Trojans send encoded information to the same sites in China that we identified as being unique to the attack."
Sharp hike in cyber-attacks from China
By Robert Jaques on Dec 18, 2007 7:04AM