Finjan reveals Trojan activity involves Chinese websites
1 min read
PCs are being infected by Trojans distributed from China, which distribute content using obfuscated code and a network of websites to bypass information security technology, and before stealing company data.
That’s the warning from secure web gateway products developer Finjan. The firm says its Malicious Code Research Centre (MCRC) has detected malicious activity from a centralised group based from China, with one of the websites belonging to a Chinese governmental office.
The discovery came about as a result of Finjan investigating what it describes as “a very sophisticated attack that used zero-day exploits [malware for which there is no security patch] as well as other new hacking techniques”.
Finjan researchers say they found that some sites in the network lead to Trojan sites that exploit the users’ browser and then download the Trojan and install it. Once a user’s PC has been infected, the Trojan starts to send data to other websites in the network, and these, it says, are hard to detect.
Additional sites in the network monitor and control the attack using statistics about how many users visit the site and how many got infected. The Trojans also collect data from the user, including which operating system is used, applications running, personal information such as user names and passwords, and what security systems are installed, AV, Spam, firewalls, etc. That information is then fed into other sites, which refine the attack.
“This development is disturbing for governments, enterprises and individuals,” says Finjan CTO Yuval Ben-Itzhak. “Signature-based technologies like anti-virus and URL filtering are limited against this type of attack. The number of vectors and sophisticated structure of the network of websites has been designed to by-pass traditional information security technology.
“To defend against this type of attack security solutions need to employ real-time content inspection technology that analyzes each and every piece of web content in real-time, regardless of its original source or domain name. It is also important to have proactive protection in your web security solution that is able to understand in real-time what malicious code intends to do, before it does it.”
