New malware toolkit thwarts AV

Random JS Toolkit allows attackers to create threats that only attempt to victimize an individual computer in the same manner a single time to protect against discovery by anti-virus systems

Web gateway filtering specialist Finjan is reporting a new toolkit that uses randomized JavaScript to stay hidden from virus crawlers and deliver its payload via compromised Web sites.

Dubbed by Finjan's Malicious Code Research Center (MCRC) as the "Random JS Toolkit," the malware development package is allowing attackers to create threats that only attempt to victimize an individual computer in the same manner a single time to protect against discovery by anti-virus systems and researchers' automated "crawlers."

By dynamically changing the JavaScript employed to deliver each variant of attack being created, and by using random file names that are only delivered to the same machine or IP address once, Finjan researchers said the malware authoring package is meant to avoid the programs used by AV researchers to find new threats emerging on the Web.

Typically when automated crawler programs come across new attack samples, they return to the threats' source URLs to verify their names and characteristics and to create signature files that allow their products to block the programs -- or they enter the sites onto so-called blacklists of compromised domains.

However, once a machine has been infected with an attack made using the Random JS Toolkit, the threat will recognize that the machine has already been targeted and won't attempt to download it again, thereby thwarting efforts to identify or track the exploits, Finjan experts contend.

During the month of December 2007, Finjan estimates that more than 10,000 individual sites were compromised with attacks built using the Random JS Toolkit. Most of the URLs serving as distribution points for the attacks were legitimate sites that had been hijacked, the company said.

Among the infected sites were some that would qualify as well-known, highly trusted domains, said Yuval Ben-Itzhak, chief technology officer of Finjan.

Ben-Itzhak said the toolkit serves as a prime example of the types of tactics he expects leading-edge malware authors to utilize more frequently in the coming year.

"We've found the initial 10,000 sites, but we're sure that there are many more that have already been infected. When we can find this number of exploits, it is clear that this must be a very significant attack that has affected a lot of people," he said. "Using the combination of techniques available in this toolkit, the threats that are being created can become very powerful and stay alive to infect people for longer periods of time."

Among the types of malware infections being served up using the toolkit, Finjan has observed everything from Trojan viruses and keystroke loggers to botnet recruiting programs, he said.

For its part, Finjan's real-time code inspection technology can defend against such threats because it eschews the use of traditional virus signatures or blacklists in favor of constant monitoring for any malware activity coming across a network armed with one of its devices, Ben-Itzhak maintains.

Rival AV vendors, including Symantec, contend that features such as the market leader's recently developed "generic exploit prevention," based on behavioral cues, should also be able to isolate and defend against such emerging attacks.

Unlike the widespread iFrame attacks that proliferated across the Web during 2007, threats created using the Random JS Toolkit will also be much harder for security researchers to track down because they do not lead back to central sites where the actual malware code itself is hosted, Finjan maintains.

Since the involved malware code is loaded directly on a site, and it won't attempt infect the same computer or IP address twice, traditional URL blacklisting and signature-based techniques will likely prove futile against the attack, the company said.

However, from what the security appliance vendor can deduce, Ben-Itzhak said the firm believes there is only one malware group currently using the toolkit.

"From what we can tell, all the information flowing back from the compromised sites is heading to the same server," he said. "This indicates that there is probably only one group controlling this malware code thus far, and that they are probably being very successful; this is just another step forward for the criminals involved to continue to improve their attack methods and remain undetected."

Ben-Itzhak said that the involved server is not one that matches any of the company's lists of machines controlled by well-known malware authoring groups such as the Russian Business Network. The server the company is tracking was originally located in Europe, but has recently been moved to China -- and likely will continue to be moved around to avoid detection, according to the expert.

Most of the data the security company has seen being sent to the server has been related to online banking username and password data, he said.

As part of its investigation, Finjan discovered that one of the Web properties infected with the randomized JavaScript attacks was an online advertising network that serves up as many as 14 million online banner ads per week. The security device maker reported that unnamed company was informed and is currently working to clean out its systems.