In its latest Malicious Page of the Month report, Finjan provides a step-by-step example of corporate data theft by a Trojan that successfully avoided traditional passive web security solutions
San Jose, CA, USA, October 29th 2008 – Finjan Inc., a leader in secure web gateway products, today announced that its Malicious Code Research Center (MCRC) has documented step-by-step how corporate data were being stolen and stored on remote servers owned by criminals. In its October 2008 Malicious Page of the Month report, Finjan describes how a corporate user, while browsing the web for his regular business needs, got infected with a Trojan.
The individual who worked for a large media company was just browsing leading consumer websites and reading news on consumer electronics products websites as part of their normal working day, but as cybercriminals had compromised some of these legitimate websites and injecting malicious code into web pages the individual downloaded a Trojan onto their PC without the knowledge of them or their organisations IT security defences. The organisation did have a URL filtering technology in place but the problem of legitimate websites being serving malware serving sites is one of the greatest challenges facing URL filtering products in today’s dynamic web environment and in this case it failed to protect the user. The media company had a second layer of defence in the form of anti virus installed at the gateway but it also failed to detect and block the Trojan due to the fact that it was obfuscated.
Once the Trojan was installed it “phoned home” to the command-and- control Crimeserver (based on the West coast of the USA) and followed the instructions to go to other domains and download additional files which also executed undetected and unknown by the innocent employee who continued to work on their email, write business plans and log into corporate systems. The additional programs logged al this activity and forwarded it to a “drop Crimeserver” (based on the East coast of the USA). This is the tale of just one of the many thousands of unfortunate individuals whose personal and corporate data was captured on the drop Crimeserver. With the data stolen criminals could log onto the email accounts of corporate executives, access supplier and payment systems, steal intellectual property
“Finjan’s analysis of live end user behaviour has revealed that 80% of the malicious code detected by behavioural based security engines is obfuscated”, said Yuval Ben-Itzhak, CTO of Finjan. “This type of attack vector can bypass signature based technology such as anti virus or intrusion detection systems which were not designed to cope with these types of dynamic web scenarios. Organisations that continue to rely on reactive security technologies put them and their users at risk.”
The report outlines in far more detail the following:
- How the corporate PC got infected by the Trojan;
- What happened just after the malware was installed on that corporate PC;
- What the Trojan looked for on that infected PC;
- Where the stolen corporate data was stored;
- What type of stolen data was found on a remote server owned by the cybercriminal
“Despite the existing passive web security solutions that the company was using, such as traditional anti-virus signatures and a URL-filtering database, it could not prevent this Trojan from infiltrating the network and compromising confidential data,” said Yuval Ben-Itzhak, CTO of Finjan. “This case shows once again how dynamic code obfuscation enables cybercriminals to plant “invisible” malicious code that infects a user’s machine as soon as the user visits a website with malicious content.”
The case described in the current MPOM October 2008 report, confirms the cybercrime evolution that Finjan has been following and reporting on for the last years:
· Evolution of malicious obfuscated code – MPOM September 2008
· Cybercrime organization structure and modus operandi – Web Security Trend Report Q2, 2008
· Crimeware-as-a-Service – Web Security Trend Report Q1, 2008
· Evasive attacks, designed to evade anti-virus or the URL filtering – Web Security Trend Report Q2, 2007
· Hackers play “Hide and Seek” – Web Security Trend Report Q4, 2006
· The Commercialization of malicious code – Web Security Trend Report Q2, 2006
According to Finjan, traditional web security products, such as anti-virus or URL-filtering databases, are limited in preventing today’s cybercrime attacks targeting businesses. Their passive nature consisting of attempts to match a known malicious code or URL to a database of known signatures is by its nature limited in preventing today’s attacks. A different technology is therefore needed.
Real-time content inspection is the optimal way to detect and block dynamically obfuscated code and similar types of advanced cybercrime techniques, since it analyzes and understands the code embedded within web content or files in real time – before it reaches the end-users.
The research is described in detail in Finjan’s latest “Malicious Page of the Month” report released today.
To download the report, please visit http://www.finjan.com/mpom
About MCRC
MaliciousCodeResearchCenter (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular programs. MCRC’s goal is to stay steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses. MCRC shares its research efforts with many of the world’s leading software vendors to help patch their security holes. MCRC is a driving force behind the development of next generation security technologies used in Finjan’s proactive web security solutions. For more information, visit our MCRC subsite.
About Finjan
Finjan is a global provider of web security solutions for the enterprise market. Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s active real-time web security solutions utilize patented behavior-based technology to repel all types of threats arriving via the web, such as spyware, phishing, Trojans and obfuscated malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan’s security solutions have received industry awards and recognition from leading analyst houses and publications, including Gartner, IDC, Butler Group, SC Magazine, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit: www.finjan.com.
© Copyright 1996-2008. Finjan Software Inc. and its affiliates and subsidiaries. All rights reserved.
All text and figures included in this publication are the exclusive property of Finjan and are for your personal and non-commercial use. You may not modify, copy, distribute, transmit, display, perform, reproduce, publish, license, create derivative works from, transfer, use or sell any part of its content in any way without the express permission in writing from Finjan. Information in this document is subject to change without notice and does not present a commitment or representation on the part of Finjan. The Finjan technology and/or products and/or software described and/or referenced to in this material are protected by registered and/or pending patents including European patent EP 0 965 094 B1 and U.S. Patents No. 6092194, 6154844, 6167520, 6480962, 6209103, 6298446, 6353892, 6804780, 6922693, 6944822, 6993662, 6965968, 7058822, 7076469, 7155743, 7155744, 7185358, 7418731, and may be protected by other U.S. Patents, foreign patents, or pending applications.
Finjan, Finjan logo, Vital Security, Vulnerability Anti.dote, Window-of-Vulnerability, and Finjan RUSafe are trademarks or registered trademarks of Finjan Inc., and/or its affiliates and subsidiaries. All other trademarks are the trademarks of their respective owners.
: 
