Finjan Unveils Step-by-Step Case of Compromised Corporate Data Stolen by Cybercriminals and Stored on Remote Crimeserver
October 2008 by Finjan
In its latest Malicious Page of the Month report, Finjan provides a step-by-step example of corporate data theft by a Trojan that successfully avoided traditional passive web security solutions San Jose, CA, USA, October 29th 2008 – Finjan Inc., a leader in secure web gateway products, today announced that its Malicious Code Research Center (MCRC) has documented step-by-step how corporate data were being stolen and stored on remote servers owned by criminals. In its October 2008 Malicious Page of the Month report, Finjan describes how a corporate user, while browsing the web for his regular business needs, got infected with a Trojan.
The individual who worked for a large media company was just browsing leading consumer websites and reading news on consumer electronics products websites as part of their normal working day, but as cybercriminals had compromised some of these legitimate websites and injecting malicious code into web pages the individual downloaded a Trojan onto their PC without the knowledge of them or their organisations IT security defences. The organisation did have a URL filtering technology in place but the problem of legitimate websites being serving malware serving sites is one of the greatest challenges facing URL filtering products in today’s dynamic web environment and in this case it failed to protect the user. The media company had a second layer of defence in the form of anti virus installed at the gateway but it also failed to detect and block the Trojan due to the fact that it was obfuscated.
Once the Trojan was installed it “phoned home” to the command-and- control Crimeserver (based on the West coast of the USA) and followed the instructions to go to other domains and download additional files which also executed undetected and unknown by the innocent employee who continued to work on their email, write business plans and log into corporate systems. The additional programs logged al this activity and forwarded it to a “drop Crimeserver” (based on the East coast of the USA). This is the tale of just one of the many thousands of unfortunate individuals whose personal and corporate data was captured on the drop Crimeserver. With the data stolen criminals could log onto the email accounts of corporate executives, access supplier and payment systems, steal intellectual property
“Finjan’s analysis of live end user behaviour has revealed that 80% of the malicious code detected by behavioural based security engines is obfuscated”, said Yuval Ben-Itzhak, CTO of Finjan. “This type of attack vector can bypass signature based technology such as anti virus or intrusion detection systems which were not designed to cope with these types of dynamic web scenarios. Organisations that continue to rely on reactive security technologies put them and their users at risk.”
The report outlines in far more detail the following:
How the corporate PC got infected by the Trojan;
What happened just after the malware was installed on that corporate PC;
What the Trojan looked for on that infected PC;
Where the stolen corporate data was stored;
What type of stolen data was found on a remote server owned by the cybercriminal “Despite the existing passive web security solutions that the company was using, such as traditional anti-virus signatures and a URL-filtering database, it could not prevent this Trojan from infiltrating the network and compromising confidential data,” said Yuval Ben-Itzhak, CTO of Finjan. “This case shows once again how dynamic code obfuscation enables cybercriminals to plant “invisible” malicious code that infects a user’s machine as soon as the user visits a website with malicious content.”
The case described in the current MPOM October 2008 report, confirms the cybercrime evolution that Finjan has been following and reporting on for the last years:
· Evolution of malicious obfuscated code – MPOM September 2008
· Cybercrime organization structure and modus operandi - Web Security Trend Report Q2, 2008
· Crimeware-as-a-Service - Web Security Trend Report Q1, 2008
· Evasive attacks, designed to evade anti-virus or the URL filtering - Web Security Trend Report Q2, 2007
· Hackers play “Hide and Seek” - Web Security Trend Report Q4, 2006
· The Commercialization of malicious code – Web Security Trend Report Q2, 2006
According to Finjan, traditional web security products, such as anti-virus or URL-filtering databases, are limited in preventing today’s cybercrime attacks targeting businesses. Their passive nature consisting of attempts to match a known malicious code or URL to a database of known signatures is by its nature limited in preventing today’s attacks. A different technology is therefore needed.
Real-time content inspection is the optimal way to detect and block dynamically obfuscated code and similar types of advanced cybercrime techniques, since it analyzes and understands the code embedded within web content or files in real time - before it reaches the end-users.