January 14, 2008

New malware toolkit thwarts AV

Random JS Toolkit lets attackers build threats that hit a given computer only once, and never in the same form twice, to evade discovery by anti-virus systems

Web gateway filtering specialist Finjan is reporting a new toolkit that uses randomized JavaScript to stay hidden from anti-virus crawlers and delivers its payload through compromised Web sites.

Dubbed the "Random JS Toolkit" by Finjan's Malicious Code Research Center (MCRC), the malware development package lets attackers build threats that attack a given computer only once, and never in the same form, to evade discovery by anti-virus systems and by researchers' automated "crawlers."

By generating different JavaScript for every copy of the attack it delivers, and by serving that script under random file names to a given machine or IP address only once, Finjan researchers said, the authoring package is designed to evade the programs AV researchers use to find new threats emerging on the Web.

Typically, when automated crawler programs come across new attack samples, they return to the threats' source URLs to verify their names and characteristics and to create signature files that let their products block the programs, or they add the sites to so-called blacklists of compromised domains.

However, once a machine has been served an attack built with the Random JS Toolkit, the compromised site recognizes that the machine has already been targeted and won't serve the payload to it again, which thwarts efforts to identify or track the exploits, Finjan experts contend.
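The delivery logic described above, modelled as an added Python example (this is not Finjan's code and not the toolkit itself): a serve-once site that hands every first-time visitor freshly randomized script under a random file name, the crawler's confirming re-fetch coming back empty, and one way to fingerprint the variants regardless of the renaming. The script template, the IP addresses and every function name are constructed for illustration; the "payload" only builds a script tag and fetches nothing.

```python
import hashlib
import random
import re
import string

# Constructed, inert stand-in for the injected script (hypothetical template,
# not the toolkit's real output): it builds a <script> tag pointing at a
# random file name and never fetches or runs anything.
PAYLOAD_TEMPLATE = (
    "var {a} = document.createElement('script');"
    "{a}.src = '/{path}.js';"
    "var {b} = function(){{ document.body.appendChild({a}); }};"
    "{b}();"
)

ALPHANUM = string.ascii_letters + string.digits


def _rand_ident(rng, n=10):
    """Random JS identifier: a letter followed by n-1 alphanumerics."""
    return rng.choice(string.ascii_letters) + "".join(rng.choices(ALPHANUM, k=n - 1))


class ServeOnceSite:
    """Model of a compromised site running the toolkit as the article describes:
    each first-time visitor gets randomized script under a random file name;
    a visitor (keyed by IP address) who returns gets nothing."""

    def __init__(self, seed=None):
        self.rng = random.Random(seed)
        self.seen = set()

    def serve(self, client_ip):
        if client_ip in self.seen:
            return None          # already targeted once: plain page, no script
        self.seen.add(client_ip)
        return PAYLOAD_TEMPLATE.format(
            a=_rand_ident(self.rng),
            b=_rand_ident(self.rng),
            path=_rand_ident(self.rng, 12),
        )


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Names that carry structure and survive canonicalization; anything else is an
# attacker-chosen identifier and is replaced by a positional placeholder.
KEEP = {"var", "function", "document", "createElement", "src", "body", "appendChild"}
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|[A-Za-z_$][A-Za-z0-9_$]*")


def canonicalize(js):
    """Collapse string literals to S and unknown identifiers to ID0, ID1, ...
    in order of first appearance, so renamed variants share one skeleton."""
    names = {}

    def repl(m):
        tok = m.group(0)
        if tok[0] in "'\"":
            return "S"
        if tok in KEEP:
            return tok
        return names.setdefault(tok, f"ID{len(names)}")

    return TOKEN.sub(repl, js)


def crawler_reverify(site, client_ip):
    """What a signature crawler does: fetch, then fetch again from the same
    address to confirm what it saw. Returns (first_body, second_body)."""
    return site.serve(client_ip), site.serve(client_ip)


def looks_polymorphic(samples):
    """True when bodies captured from different clients differ byte-for-byte
    yet share one canonical skeleton: the mark of server-side randomization
    rather than of genuinely distinct scripts."""
    raw = {sha256(s) for s in samples}
    canon = {sha256(canonicalize(s)) for s in samples}
    return len(raw) > 1 and len(canon) == 1


if __name__ == "__main__":
    site = ServeOnceSite(seed=2008)
    first, second = crawler_reverify(site, "198.51.100.10")
    print("first fetch :", first)
    print("second fetch:", second)                 # None: the serve-once rule
    other = site.serve("198.51.100.11")
    print("raw hashes equal      :", sha256(first) == sha256(other))
    print("canonical hashes equal:", canonicalize(first) == canonicalize(other))
    print("canonical form        :", canonicalize(first))
```

The point for the defender is that confirming a sample by re-fetching from the crawler's own address is exactly the behaviour the toolkit is built to defeat. The artefact worth hashing and sharing is the body captured on first contact, reduced to its canonical skeleton so that the random identifiers and file names drop out; the serving URL is a weak indicator on its own, since the article notes it is usually a hijacked legitimate domain.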

During the month of December 2007, Finjan estimates that more than 10,000 individual sites were compromised with attacks built using the Random JS Toolkit. Most of the URLs serving as distribution points for the attacks were legitimate sites that had been hijacked, the company said.

Among the infected sites were some that would qualify as well-known, highly trusted domains, said Yuval Ben-Itzhak, chief technology officer of Finjan.

Ben-Itzhak said the toolkit serves as a prime example of the types of tactics he expects leading-edge malware authors to utilize more frequently in the coming year.

"We've found the initial 10,000 sites, but we're sure that there are many more that have already been infected. When we can find this number of exploits, it is clear that this must be a very significant attack that has affected a lot of people," he said. "Using the combination of techniques available in this toolkit, the threats that are being created can become very powerful and stay alive to infect people for longer periods of time."

Among the types of malware being served up through the toolkit, Finjan has observed everything from Trojans and keystroke loggers to botnet recruiting programs, he said.

For its part, Finjan's real-time code inspection technology can defend against such threats because it eschews traditional virus signatures and blacklists in favor of constant monitoring for malicious activity in the code crossing a network equipped with one of its devices, Ben-Itzhak maintains.

Rival AV vendors, including Symantec, contend that features such as the market leader's recently developed "generic exploit prevention," which relies on behavioral cues, should also be able to isolate and defend against such emerging attacks.

©1994-2009 Infoworld, Inc.