For the past year, I've been writing about the use of iframes to compromise legitimate Web sites with links to malicious code servers. It's easy for criminal hackers to compromise a site if it is poorly managed and open to cross-site scripting attacks (think ma-and-pa e-commerce sites). Over the summer, automated versions of these attacks compromised thousands of travel, hotel, and restaurant sites as a matter of course. But there's a weakness in the iframe approach: the malicious servers it points to are often identified and blocked. Unfortunately, that has proved only a temporary setback for criminal hackers.
Over the last several weeks, researchers at Finjan, an Israeli security company, have been monitoring a new malware kit that uses tricks designed to thwart conventional antimalware applications. One trick is to stop serving the malware on a visitor's second visit to the Web site, making it a nonpersistent threat that's hard to classify. Despite these tricks, Finjan was still able to find more than 10,000 sites infected with this new toolkit and offers some details about the attack.
Javascript
I spoke with Finjan's CTO, Yuval Ben-Itzhak, about this new Random JS toolkit. "The JS is for JavaScript, because the filename includes random characters and the extension of JavaScript." Details about the toolkit can be found in Finjan's January 2008 release of its periodic Malicious Page of the Month report.
Like other malware toolkits we've seen, this one allows criminal hackers to buy a kit and infect thousands of people with remote-access malware that can capture passwords or other personal information. And like those other toolkits, Random.js also uses techniques such as code obfuscation. According to Ben-Itzhak, the newly discovered toolkit "basically encrypts the payload of the malicious code to break all the signatures of our antivirus product so it will become invalid." But that's old school.
Not iframe, something else
What's so different about the Random JS toolkit is that, instead of redirecting your browser to another Web server, the malware is hosted on the compromised legitimate site itself. Ben-Itzhak said, "They're hosting the actual Trojans that they're about to install on the end-user machine, on the legitimate Web site, or other legitimate sites that they're linking to." This trick alone works because most safe-surfing tools won't blacklist previously legitimate Web sites.
"Today when the malicious code is hosted on legitimate sites, URL databases will not block this stuff because it can be on popular game sites, or university sites, or music sites, or blog sites." Within the last six weeks, Finjan discovered more than 10,000 legitimate sites compromised by this Random.js toolkit.
Antiforensics
The second trick employed by this new toolkit effectively hides the source of the malware once it's been delivered to a victim's PC. "That means when the user visits a site the first time, the malicious code will be served. However, if the user visits the same site a second time, the malicious code will not be served, and it's very simple to achieve that, just by storing the IP address of the user on a database on that compromised Web site. So the malicious code will not be served again."
Why are they doing this? Ben-Itzhak said, "Well, if your computer got infected with a Trojan…you'll read the browser history on all the sites that you visited and try to search for the malicious one. But you won't find it. If you have a crawler that is crawling the entire Web looking for malicious code…this crawler will probably misclassify that site." In other words, this is a nonpersistent threat.
This toolkit is not infallible, however
So if you combine these three methods (the obfuscation to break signatures, storing the malicious code on a legitimate site, and this antiforensic technique), Ben-Itzhak says Random.js can stay active for a much longer time than malware created from other toolkits. But that doesn't mean it's invincible.
"In our reports…we researched the Trojan horses that this toolkit is trying to install. We wanted to see what data it's trying to collect, and where it's sending this data. What we found out is that all these 10,000 Web sites are using the same Trojans, they're all sending the data to the same place."
Foiled again
Whether the malware is hosted remotely or on the compromised site, the fact that the bad guys need to send the data somewhere has once again tripped them up. Finjan and others are now able to block traffic to that site. Ben-Itzhak also says, "It's clearly indicating that this is one group that was very successful in compromising these sites and collecting a lot of data from many, many innocent people and businesses that got infected."
To keep your browser from stumbling upon recently compromised Web sites, I recommend trying either Finjan Secure Browsing or Grisoft. Both of these security applications are free and, unlike other safe browsing applications, both are dynamic, meaning they'll examine the Web page as it is at that moment, not as it was 10 minutes ago.
Do you currently use a safe surfing app along with your browser? TalkBack to me.