Finjan's Malicious Code Research Center said that more than 10,000 websites in the US were infected by this malware in December alone.
The attack, which the firm has designated 'random js toolkit', is an "extremely elusive" Trojan that sends data from infected machines direct to the malware author.
Stolen data can include documents, passwords, surfing habits or any other sensitive information of interest to the criminal.
Yuval Ben-Itzhak, chief technology officer at Finjan, explained that signature-based detection for dynamic script is ineffective.
"'Signaturing' the exploiting code itself is not effective, since these exploits change continually to stay ahead of current zero-day threats and available patches," he said.
"Keeping an up-to-date list of 'highly-trusted/doubtful' domains serves only as a limited defence against this attack vector."
Ben-Itzhak added that the 'random js toolkit' is an example of the recent trend among cyber-criminals to undermine 'trusted' websites.
"Studies in mid-2007 showed nearly 30,000 infected web pages being created every day," he said.
"About 80 percent of pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse."
The 'random js attack' is performed by dynamically embedding scripts into a webpage, providing a random filename that can be accessed only once.
This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests.
This method prevents detection of the malware in later forensic analyses.
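The serve-once behaviour described above means that a capture of the page taken on a first visit and a capture taken on a later request reference different scripts. The following is an added example, not code from Finjan or from the article: it compares two constructed captures of one page and lists the script URLs that appear only in the first. The host `example.test`, the file names and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def script_urls(html, page_url):
    """Return the set of absolute script URLs, with query strings dropped
    so that ordinary cache-busting parameters do not look like a change."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    urls = set()
    for src in collector.sources:
        parts = urlsplit(urljoin(page_url, src))
        urls.add(f"{parts.scheme}://{parts.netloc}{parts.path}")
    return urls


def served_once(first_capture, later_capture, page_url):
    """Scripts referenced on the first visit but absent from a later one."""
    return sorted(script_urls(first_capture, page_url)
                  - script_urls(later_capture, page_url))


# Constructed sample captures of one page (example.test is a placeholder).
PAGE_URL = "http://example.test/index.html"
FIRST_VISIT = """<html><head>
<script src="/js/menu.js?v=3"></script>
<script src="/qmvtx.js"></script>
</head><body>Welcome</body></html>"""
REPEAT_VISIT = """<html><head>
<script src="/js/menu.js?v=4"></script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for url in served_once(FIRST_VISIT, REPEAT_VISIT, PAGE_URL):
        print("referenced only on first visit:", url)
```

The comparison only works when the first capture was recorded at the time of the original visit, for example by a logging proxy, since a later re-fetch alone returns the page without the script.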
Hackers unleash 'insidious' crimeware attack
By Robert Jaques on Jan 15, 2008 7:28AM