Finjan uncovers insidious new variant of crimeware

More than 10,000 websites in the US were infected in December by the latest in a genre of crimeware that turns trusted web sites into traps.

Internet security firm Finjan’s Malicious Code Research Centre identified the web attack, which it has designated ‘random js toolkit’. The firm describes it as “an extremely elusive crimeware Trojan that infects an end user’s machine and sends data from the machine via the Internet to the Trojan’s master, a cybercriminal”. Data stolen by the Trojan can include documents, passwords, surfing habits, or any other information.

The malware toolkit was detected using Finjan’s real-time code inspection technology while diagnosing users’ web traffic during December. The attack is described in detail in Finjan’s latest ‘Malicious Page of the Month’ report, which provides an illustration of the attack in action, an analysis of the effectiveness of its evasive techniques and examples of high-ranked and trusted domains that were compromised.

The random js toolkit is JavaScript code that is created dynamically and changes every time it is accessed. As a result, it is almost impossible to detect with traditional signature-based anti-malware products.

Says Finjan CTO Yuval Ben-Itzhak: “Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of ‘highly-trusted-doubtful’ domains serves only as a limited defence against this attack vector.

“What’s needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time.”

To download the report, visit http://www.finjan.com/Content.aspx?id=1367