Server offers one-stop shopping for addresses, credentials, malware
- By William Jackson
- Feb 27, 2008
Malicious code is being found more often in legitimate Web sites, infecting the computers of visitors to sites they believed they could trust. One recent study found that in the last half of 2007, legitimate sites accounted for more than half of malicious content.
In a report released today, researchers at Finjan said they have discovered how these compromises are being done. An examination of a server hosting advanced crimeware toolkits for launching attacks also revealed an application for trading stolen FTP account credentials, and a database of server addresses, user names and passwords for more than 8,700 accounts.
The credentials and crimeware make a sophisticated system for launching attacks using the software-as-a-service model being adopted in legitimate enterprises, said Finjan Chief Technology Officer Yuval Ben-Itzhak.
'This is the last piece of the puzzle,' Ben-Itzhak said. 'The surprise is how mature the system they are using is.'
The findings are reported
in the February edition of the Malicious Page of the Month, published by Finjan's Malicious Code Research Center.
The trading application and harvested credentials were found while examining a server hosting a sophisticated crimeware toolkit called NeoSploit v. 2. Using the stolen credentials, criminals can use NeoSploit to inject IFRAME tags into any Web pages on the compromised server. The stolen account information includes a number of large global corporations as well as some government agencies, including at least one in the United States hosting an infected Web site for a state court. The United States had the largest number of stolen accounts, at 2,621, with the Russian Federation coming in a distant second with 1,247 stolen accounts. Accounts were found from at least 10 other countries.
The malicious software supports multiple users, providing everything needed for an exploit that can allow cybercriminals to infect computers for recruitment into botnets, theft of data and launching additional attacks.
'Each user gets a package of malicious URLs for his use only,' the report says. 'This package includes the location of the attack exploit code and the crimeware Trojan for download.' The new version of NeoSploit enables the delivery of a Trojan version specific to the country the visitor is coming from.
'Software-as-a-service has been evolving for some time, but until now it has been applied only to legitimate applications,' Ben-Itzhak said. 'With this new trading application, cybercriminals have an instant solution to their problem of gaining access to FTP credentials and thus infecting both the legitimate Web sites and its unsuspecting visitors. All of this can be achieved with just one push of a button.'
The server hosting the applications and information is located in Asia and some of the pages are in Russian, but it does not appear to be in Russia, Ben-Itzhak said. 'We don't know who is behind it.'
Finjan has notified a number of organizations whose FTP account information had been compromised. Security personnel wishing to inquire if their credentials are among those that have been stolen can contact Finjan
William Jackson is a Maryland-based freelance writer.