Tuesday, January 15, 2008

New Crimeware Aims at Trusted Sites


A significant new Web attack, the latest in the genre of crimeware that threatens to turn highly trusted Web sites into insidious traps for unwary visitors, has been identified by Finjan's Malicious Code Research Center (MCRC). The attack, designated "random js toolkit" by Finjan, is an extremely elusive crimeware Trojan that infects users' machines and sends data via the Internet to the Trojan's master.


Data stolen by the Trojan could include documents, passwords, surfing habits, or any other sensitive information. The "random js" attack works by dynamically embedding JavaScript code into a Web page. The script is served under a random filename that can only be accessed once. The embedding is done in such a way that once a user has received a page with the embedded malicious script, the script is not referenced again on further requests. As a result, it is almost impossible for the Trojan to be detected by traditional signature-based anti-malware products.

According to Yuval Ben-Itzhak, chief technology officer of Finjan, this exploit can be countered using dynamic code inspection technology that can detect and block an attack in real time. Dynamic code inspection technology doesn't depend on the origin URL or signature, or the site's reputation, but inspects Web content in real time, as it is served. The technology analyzes the code's intentions before allowing it to be executed in the end-user's browser.

The "random js toolkit" is an example of the recent trend among cyber criminals to undermine user confidence in trusted Web sites. More than 10,000 Web sites in the US were infected in December 2007 by this latest malware. Around the middle of 2007, studies showed there were nearly 30,000 new infected Web pages being created every day. And about 80 percent of the pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate Web sites.