New Mutating Toolkit Trojan Infects Thousands
The new crimeware Trojan, which was first detected by San Jose-based security company Finjan, infected more than 10,000 Web sites in December alone and has likely affected hundreds of thousands of sites throughout 2007, experts say. Finjan researchers also assert that the number of affected sites will rise exponentially in the next 12 months, due to the fact that the toolkit enables attackers with very little experience to rapidly infect an enormous amount of machines in a short amount of time.
"You don't need any security experience," said Yuval Ben-Itzhak, Finjan chief technology officer. "You can just install it on the server and start to infect people with the Trojan horses."
The new attack, which was given the name "random js toolkit," is an elusive and sophisticated Trojan that has the ability to infect and send data from the end users' machines via the Internet to the Trojan's command center, which is controlled by the malware creators. Data stolen by the Trojan can include documents, passwords, surfing habitats or any other sensitive or personally identifying information, which can then be used for criminal purposes or sold on the blackmarket.
Unlike other crimeware Trojans, the random js. toolkit uses a three-fold method of attack that includes breaking the antivirus signature, encrypting the code and finally deploying an antiforensic method that only allows malicious code to be delivered the first time a user accesses an infected Web site—all unbeknownst to the user.
"This is the most successful method we see to distribute Trojan Horses," said Ben-Itzhak. "Just by visiting the (malicious Web) site you get infected. Today these attacks are designed to make you feel that everything is okay."
In order to stealthily evade detection, the random js toolkit is a JavaScript code that mutates every time it is accessed, making it difficult, if not impossible, to detect with signature-based antimalware technology. When scripts are embedded into the Web page, they provide a random filename that can only be accessed one time. Once a user accesses a page with the embedded malicious script, the code will not be served again on subsequent requests, which prevents detection of the malware in future analysis.
Ben-Itzhak said that this latest crimeware method represents a continuing trend of attacks that use trusted Web sites to deploy data stealing malware. Because the elusive Trojan is adept at evading most antivirus software, Ben-Itzhak recommends that end users should protect their machines with technology that doesn't rely on updating signatures or URLs.