In its latest Malicious Page of the Month report, secure web gateways firm Finjan has provided a step-by-step example of corporate data theft by a Trojan that successfully avoided normal passive web security solutions.
It describes how a corporate user, while browsing the web for regular business updates, got infected. Because cybercriminals had compromised some of the legitimate websites and injected malicious code into web pages he was viewing, the Trojan was downloaded despite the company’s IT security defences.
The organisation concerned did have URL filtering, but URL filtering fails to protect the user when legitimate websites serve malware. The company also had a second layer of defence in the form of anti-virus installed at the gateway, but that too failed to detect and block the Trojan because it was obfuscated.
Once the Trojan was installed it ‘phoned home’ to the command-and-control Crimeserver (based on the West Coast of the USA) and followed the instructions to go to other domains and download additional files, which also executed undetected. The additional programs logged all the user’s ongoing business activity and forwarded it to a ‘drop Crimeserver’.
“Finjan’s analysis of live end-user behaviour has revealed that 80% of the malicious code detected by behaviour-based security engines is obfuscated,” comments Yuval Ben-Itzhak, CTO of Finjan.
“This type of attack vector can bypass signature-based technology, such as anti-virus or intrusion detection systems, which were not designed to cope with these types of dynamic web scenarios. Organisations that continue to rely on reactive security technologies put themselves and their users at risk.”