Malicious Toolkit Hacks Computers by Effectively Evading Detection

Cyber criminals, in December 2007, used a special hacking kit with which they corrupted thousands of computers and by effectively evading detection were able to compromise them, according to Chief Technology Officer at security firm Finjan, Yuval Ben-Itzhak. InformationWeek published this in news on January 14, 2008.

In December last, Finjan established that there were at least 10,000 web servers contaminated with a harmful hacking tool known as 'random js toolkit.' One single attack by this toolkit feeds 13 separate exploits that try to infect and compromise the victim's system. The exploits are dynamic as well that alternately reflects vulnerabilities and security patches on the computer of the victim.

The hacking toolkit, designed to remain concealed from security software and researchers, is therefore particularly hard to tackle. It stores web crawlers' IP addresses that security companies and search engines use to examine web pages, thus enabling the kit to identify and feed them content.

The toolkit produces random URLs that can be used only once and which prevents blacklisting of malware-laden web pages or prevents pages from undergoing security researchers' analysis. Further, the scripts of the kit are dynamic, appearing to the visitor only once. Hackers use this kit because of its ability of anti-forensic assessment.

Attack by the 'random js' is performed with the help of dynamically-embedding scripts into web pages. It gives the content a random file name to be assessed only once. This embedding is so selective that the web page with a malicious script reaching a user cannot be referred to again on additional requests. This procedure helps to evade malware detection in future forensic analyses.

Security company Finjan discovered that the infected websites within domains were regulated under the administration of Teagames Limited and U.C Berkely. Finjan said that it informed both companies and there now are no active hacked pages.

Moreover, there are many similar hacking kits like MPack, IcePack, Dycrypt, Neosploit, Vipcrypt and Multi Exploit Pack that conduct online data reporting that helps cyber criminals to maintain track of all systems they infect. That indicates that there're a number of hacked systems to be managed.

Related article: Malicious Scripts with Zero-byte Padding can Pass Undetected

» SPAMfighter News - 1/23/2008