, SecurityFocus 2008-01-14
Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.
The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site. The compromised sites host the malicious code -- foregoing the
iframe redirect that has increasingly been used by attackers -- and serves up the attack to each visitor only once using a random file name each time. The two techniques, along with more traditional code obfuscation, makes the attack difficult to find, said Yuval Ben-Itzhak, chief technology officer for Finjan.
"This attack uses three different methods to go undetected by signature-based or URL-based defenses," Ben-Itzhak said. "If you realize that you've been infected, and you go and search sites, you will not be able to find the site that infected you."
The Random JS toolkit attack is the latest malicious code to use two stages: First, infecting a Web site with an infection kit or
iframe which would then redirect visitors to at least two domains, uc8010.com and ucmal.com, hosting malicious code.
Security firm Finjan first detected the Random JS Toolkit in mid-December and spent the rest of the month analyzing the code, Ben-Itzhak said. Previous attacks have used random Web page names to foil defenses based on keeping track of malicious Web addresses, or URLs, and used a database of Internet addresses of known Web crawlers to attempt to avoid tipping off security firms. However, the Random JS toolkit is the first malicious software to marry these two techniques so successfully, Ben-Itzhak said.
A client-side honeypot -- or honeymonkey, as Microsoft calls them -- could detect the Random JS attack from a specific Web site, but if a second machine using the same Internet address returns to the site, it would not receive the malicious code. The sites infected by the Random JS toolkit include pages at the University of California, Berkeley's Web site and Teagames.com, according to Finjan.
The attack is a logical progression of the techniques used by attackers on the Web, said Roger Thompson, chief research officer for antivirus firm AVG.
"The 'single copy to single person' is to make it hard for researchers to get a crack at it," he said. "That has been done since the WebAttacker days of 2005. What it means is that (researchers) have to get (their) snapshots down the first time and have a pool of addresses to get a second and third copy of the program."
Antivirus companies have increasingly had to deal with the influx of variants for each threat generated by obfuscation code, Thompson said. By the end of 2007, the total number of variants of computer viruses, worms and Trojan horses had climbed to between 360,000 and 500,000, according to numbers released by two antivirus firms in the past month.
The actual malicious code served to visitors by the sites compromised by the Random JS Toolkit attempts to exploit computers using 13 different vulnerabilities, the company said. The Trojan horse program steals the victim's login credentials to access online banks. The software uses encrypted communications to a number of sites hosted in the United States to return the information to the criminal group behind the attack, the analysis found.
While Finjan's analysis underscored the difficulty in detecting the toolkit, AVG's Thompson stressed that defenders would quickly adapt.
"It is likely another kit, like the MPack and IcePacks of the world," Thompson said. "It is not startling, just interesting... and another part of the puzzle that further indicates that the Web is the emerging battleground."
Finjan did not attempt to determine how well current antivirus software performed in detecting the malicious Trojan horse used by the Random JS toolkit. Symantec, a competitor to Finjan and AVG, owns SecurityFocus.
If you have tips or insights on this topic, please contact SecurityFocus.