Finjan Identifies Trojan 2.0 a New Genre of Crimeware
December 2007 by Finjan
Finjan Inc. announced important findings by its Malicious Code Research Center (MCRC) which have identified a new genre of crimeware Trojans. Utilizing regular Web 2.0 technology and websites to provide cybercriminals with an easy and scalable command and control scheme, the latest “Trojan 2.0” attacks exploit the trust that legitimate web services enjoy vis-a-vis reputation-based security services. As such, they enable criminals to further capitalize on the web as the most effective attack vector for a wide range of illegitimate and malicious activities – including botnet delivery of spam, identity theft through keylogging, highly sophisticated financial fraud, corporate espionage, and business intelligence gathering. Finjan’s findings on the crimeware upgrades to Trojan 2.0 are detailed in its Web Security Trends Report (Q4 2007) http://finjan.com/content.aspx?id=827 released today.
“Criminals and attackers are arming their crimeware Trojans with new covert communication channels designed to evade detection by traditional security products,” said Finjan CTO Yuval Ben-Itzhak. “Since this model uses legitimate websites and domains for distributing instructions to botnets, these communications appear as regular web traffic, and in most cases cannot be detected by enterprises’ existing security solutions. The advancements made in Trojan technology compel businesses to upgrade their web security solutions. Products that rely on real-time inspection and true understanding of the underlying web content, rather than reputation-based or signature-based solutions, are best equipped to handle these types of threats.”
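The report's core observation is that this command-and-control traffic looks like ordinary browsing to a well-reputed site, so URL reputation and category filtering cannot isolate it. The following is an added example, not code from Finjan or the report, showing one behavioural check a defender can run over web-proxy logs: a host that fetches the same page on a fixed, tight schedule is polling rather than browsing, whatever category the destination carries. The log lines, hostnames, and the 5% interval-variation threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (assumed format: timestamp client method url category).
# Not taken from the report; the hosts and URLs are illustrative.
SAMPLE_LOG = """\
2007-12-03T09:00:00 10.0.0.12 GET http://blog.example.net/feed/rss Blogs
2007-12-03T09:00:04 10.0.0.12 GET http://news.example.com/ News
2007-12-03T09:10:01 10.0.0.12 GET http://blog.example.net/feed/rss Blogs
2007-12-03T09:20:00 10.0.0.12 GET http://blog.example.net/feed/rss Blogs
2007-12-03T09:30:02 10.0.0.12 GET http://blog.example.net/feed/rss Blogs
2007-12-03T09:40:00 10.0.0.12 GET http://blog.example.net/feed/rss Blogs
2007-12-03T09:05:00 10.0.0.25 GET http://blog.example.net/feed/rss Blogs
2007-12-03T11:47:00 10.0.0.25 GET http://blog.example.net/feed/rss Blogs
2007-12-03T15:02:00 10.0.0.25 GET http://blog.example.net/feed/rss Blogs
2007-12-03T17:10:00 10.0.0.25 GET http://blog.example.net/feed/rss Blogs
"""


def parse_log(text):
    """Parse whitespace-separated proxy log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate blank or truncated lines rather than crash
        ts, client, method, url, category = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "category": category,
        })
    return records


def find_periodic_polling(records, min_requests=4, max_cv=0.05):
    """Flag (client, url) pairs fetched on a near-constant interval.

    The coefficient of variation (stdev / mean) of the gaps between requests
    is used as the regularity measure: human browsing and normal feed readers
    with jitter produce a high CV, scripted polling produces a very low one.
    The destination's category is deliberately ignored, since the report's
    point is that reputation and category lookups pass this traffic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["url"], r["category"])].append(r["time"])

    findings = []
    for (client, url, category), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "category": category,
                "requests": len(times),
                "mean_interval_s": avg,
                "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_polling(parse_log(SAMPLE_LOG)):
        print(f"{f['client']} polls {f['url']} ({f['category']}) every "
              f"{f['mean_interval_s']:.0f}s over {f['requests']} requests, cv={f['cv']:.3f}")
```

In the constructed data, 10.0.0.12 fetches the same feed every ten minutes with only a second or two of drift and is flagged; 10.0.0.25 fetches it four times at irregular gaps and is not. A hit is a triage signal, not a verdict: a legitimate feed reader can also poll on a timer, so the flagged sessions still need the kind of content-level inspection the report argues for before anyone concludes the feed is carrying instructions.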
New threats in 2008 will leverage advanced Web 2.0 techniques and services
The latest report from Finjan MCRC also provides a forecast of what Finjan expects for the web security space in 2008. As email-borne attacks continue to diminish – except for spam – and the web consolidates its claim as cybercriminals’ favorite vector of attack, the web channel will continue to evolve. The stage is set for cybercriminals to leverage Web 2.0 technologies (e.g., RSS feeds, social networks, blogs and mashups) to reach new levels of technological sophistication. New types of upgraded attacks, such as Trojan 2.0, will use the web as a control channel for communicating with botnets, taking advantage of the very trust that users have been conditioned to place in their traditional security vendors (e.g., anti-virus, URL reputation, etc).
“Building on the trend over the past year whereby financial reward has been driving the evolution of malicious code, 2008 will bring new threats that leverage advanced Web 2.0 techniques and services,” said Ben-Itzhak. “Attacks will become more sophisticated by combining several services in order to heighten infection ratios and decrease the detection rate, while providing more robust and scalable attack frameworks. The focus will be on Trojan technology as it enables maximum flexibility in terms of command and control. This adds another potentially malicious element to the ‘legitimate’ web traffic that needs to be examined by security solutions. We will cover these and other relevant topics in our upcoming 2008 quarterly Web Security Trends Reports, as well as providing ‘in the wild’ examples based on our ongoing research activities.”
Q3 Report Follow-Up: Problematic Widgets and Gadgets
The previous report (Q3 2007) explored vulnerabilities discovered in widgets and gadgets – small applications that typically provide visual information or access to frequently used functions. Recent examples of vulnerable widgets show that Finjan’s assessment of this problem was accurate. In Finjan’s view, since these add-ons are usually not considered business critical applications, enterprises should enforce a strict policy on using widgets and widget engines. “This attack vector could have a major impact on the industry, potentially exposing corporations to a vast array of new security considerations that need to be dealt with,” Ben-Itzhak said. “To ensure the integrity of their information assets, businesses require security solutions that are capable of analyzing code in real time and detecting malicious code appearing in such innovative attack vectors.”
2007 at a glance – Finjan’s forecast vs. reality
The latest Web Security Trends Report also includes a review of Finjan’s predictions for 2007 – outlined in its Q4 2006 Trends Report – and how they fared, as well as a summary of trends identified by Finjan in the first two quarters of 2007. These highlights serve to provide an overview of key web security trends for 2007. They include discussions of:
Universal pervasiveness of malicious code. Malicious code tends to appear on major hosting sites in order to gain proximity to major Internet communities such as the US, UK and Canada. Hackers are no longer “localizing” and hosting code in what used to be considered the “dark side” of the Internet (former Soviet Union countries, Southeast Asia, etc.). On the contrary, developed countries with relatively advanced cybercrime laws are still at the top of the list for hosting malicious code. One Finjan study found that over 80% of the URLs containing malicious code are hosted on servers in the United States, with the UK responsible for almost 10%, followed by Canada and Germany with 1-2% each. Moreover, malicious code is just as likely to be found in legitimate website categories (e.g., Finance, Travel and Computing) as in questionable categories (e.g., adult, free downloads); upwards of 80% of the malicious code detected was found in URLs categorized as “Advertising.” “This means that security products that rely solely on URL categories to block access to sites are basically rendered useless,” Ben-Itzhak said.
During 2007, several advertising networks were found to be distributing ads that referenced malicious content.
Evasive attacks and financial crime networks. Finjan’s research in Q2 2007 provided additional confirmation that malicious code has become a business and its evolution is being driven by commercial and financial interests. Cybercriminals are willing to pay large sums of money for the bank account details, credit card numbers and social security IDs collected by hackers using malicious code. As hackers are getting paid according to the number of users they infect, their primary motivation is to develop attacks that go undetected for as long as possible. This in turn has led them to develop technological improvements and sophisticated techniques designed to evade traditional security solutions, including a new genre of highly sophisticated attacks designed to evade signature-based and database-reliant security methods. These attacks represent a quantum leap for hackers in terms of their technological sophistication, and pose a serious challenge to the IT community.
Concludes Ben-Itzhak: “The trends described in this report reflect the way we see the web security field evolving in the near future in terms of utilizing the full power of Web 2.0 to conduct malicious activities by utilizing legitimate websites and technologies. The fact that attackers continue to adapt legitimate technologies to support their criminal activities indicates how meticulously they are monitoring current security vendor technology. Their quickness and agility in applying new attack techniques has given them an edge – at least for the time being – over traditional security vendors.”