New Hack Attacks Can't Be Blacklisted
Posted On Tuesday, January 15, 2008 at at 1/15/2008 09:18:00 PM by nullReferring to the malware known as "random js toolkit," Andrew Storms, director of security operations for nCircle Network Security, said, "While a blacklist may help some users... it's no substitute for a good set of layered defenses... Security managers need to take a more active role in using management tools."
The security Relevant Products/Services firm Finjan says it has discovered a major new type of malware Relevant Products/Services that has infected more than 10,000 Web sites in December alone. Deemed "random js toolkit," it is a Trojan that infects end users' PCs and sends data from the infected machine to the "master" hacker. It can be used to steal passwords, documents and other sensitive information.
The malware dynamically creates and changes JavaScript code every time it is accessed, Finjan said. Thus, traditional anti-malware programs can't identify it.
Finjan CTO Yuval Ben-Itzhak said in a release, "Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of 'highly-trusted-doubtful' domains serves only as a limited defense against this attack vector."
Dynamic Embedding
"What's needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time," Ben-Itzhak said. "This technology doesn't depend on the origin URL, signature or the site's reputation, but inspects the Web content in real time, as served. It analyzes the code's intentions before enabling it be executed on the end-user browser."
Cyber criminals are intent on undermining trusted Web sites, Ben-Itzhak said. "In mid-year 2007, studies showed there were nearly 30,000 new infected Web pages being created every day. About 80 percent of those pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse."
The attack works by dynamic embedding of scripts into a Web page, Finjan said. The dynamic embedding is done so selectively that "when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests," the company said, so it can't be detected in forensic analyses.
Managers Must Be Proactive
"While dynamically changing malware is nothing new, this piece of code appears to be having some success in subverting the typical malware scanning systems," said Andrew Storms, director of security operations for nCircle Network Security. "While a blacklist may help some users... it's no substitute for a good set of layered defenses."
Storms added that this development shows Web site managers can no long play "the game of Whack-A-Mole." Rather, he said, "Security managers need to take a more active role in using policy and configuration management tools to ensure their Web sites and servers aren't vulnerable to attacks in the first place."
Among the 10,000 sites that have been infected are sites run by the University of California at Berkeley and Teagames Limited. Those organizations have been alerted, Finjan said, and the compromised sites are no longer online.