IT Reseller Magazine


Finjan reveals new Trojan activity involves Chinese Government website
Monday, January 21, 2008  

Finjan Inc., a leader in secure web gateway products, has recently conducted a study prompted by the increased volume of attacks coming from China. 

The study maps how users’ PCs are being infected by Trojans distributed from China that then steal data from organizations, and details some of the sites involved in the process. Finjan’s Malicious Code Research Center (MCRC) has detected malicious activity by groups that distribute their content using obfuscated code and a network of websites to bypass traditional information security technology. Finjan investigated a very sophisticated attack that used zero-day exploits (malware for which there is no security patch) as well as other new hacking techniques, and discovered a centralized group of activity based in China. One of the websites in the group belongs to a Chinese governmental office.

Finjan researchers found that some sites in the network lead to Trojan sites that exploit the user’s browser and then download the Trojan and install it on the user’s desktop. Once the user’s PC has been infected, the Trojan starts to send data to other websites in the network, which are hard to detect. Additional sites in the network monitor and control the attack using statistics about how many users visit the site and how many got infected. The Trojans also collect data from the user, including which operating system is used, the applications that are running, personal information such as user names and passwords, and what security systems are installed (AV, spam, firewalls, etc.). The information collected by the Trojan network is then fed into other sites, which refine the attack.

A snapshot picture showing the names of the websites and how they interlink is available at http://www.finjan.com/Pressrelease.aspx?id=228 . The names of some of the websites have been partially obscured, as the sites are still active and highly malicious. Moreover, this snapshot focused on just one specific Trojan sample; while inspecting the hacker activity, it was discovered that many more Trojan networks exist that use the same infection and control process.

“This development is disturbing for governments, enterprises and individuals alike.” Finjan CTO Yuval Ben-Itzhak continued, “Signature-based technologies like anti-virus and URL filtering are limited against this type of attack. The number of vectors and sophisticated structure of the network of websites have been designed to bypass traditional information security technology based on signatures and URL filtering. To defend against this type of attack, security solutions need to employ real-time content inspection technology that analyzes each and every piece of web content in real-time, regardless of its original source or domain name. It is also important to have proactive protection in your web security solution that is able to understand in real-time what malicious code intends to do, before it does it.”

Finjan is currently in the middle of the study, and has released this interim update due to recent reports that the Director-General of MI5 sent a confidential letter last week to 300 chief executives and security chiefs at banks, accountants and legal firms in the UK, warning them that they were under attack from Chinese state organisations. Full details of the Finjan study will be revealed later this month.

The various techniques used to direct users to the malicious sites in China have been revealed by Finjan in the past year. They include being directed from trusted sites that have been hacked, links from spam email, Instant Messaging infections, infected content inserted into legitimate web 2.0 sites, and copycat domain names.

 

About MCRC

Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular programs.  MCRC’s goal is to stay steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses.  MCRC shares its research efforts with many of the world’s leading software vendors to help patch their security holes.  MCRC is a driving force behind the development of next generation security technologies used in Finjan’s proactive web security solutions.  For more information, visit the MCRC subsite.

About Finjan

Finjan is a global provider of secure web gateway solutions for the enterprise market.  Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results.  Finjan’s real-time web security solutions utilize patented real-time content inspection technology to repel all types of threats arriving via the web, such as spyware, phishing, Trojans, obfuscated code and other malicious code, securing businesses against unknown and emerging threats, as well as known malware.  Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security.  With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential.


© Copyright 2006, IBC - Interactive Business Communications
