New wave of Web threats emanates from China
By Yuval Ben-Itzhak

How serious is it? Consider that the United Kingdom’s intelligence service, MI5, recently sent a confidential letter to 300 chief executives and security chiefs at banks, accounting and legal firms in the UK warning that they were under attack from hackers from China. Governments of other nations have also pinpointed China as a prominent source of malicious activity. What’s more, the infamous "Russian Business Network" of hackers has begun to expand beyond its St. Petersburg base of operations to Internet servers in China and Taiwan.
Much of the malicious activity involves "Trojans" that infect PCs and other end-user devices, and send data from the machine via the Internet to the Trojan's "master." The hacker activity is managed overall by a network of malicious sites that use a plethora of techniques to elude detection by many commonly implemented IT security technologies.
What’s especially insidious about these Trojan attacks is that they can originate with a visit to a trusted Web site. In fact, the attackers are placing entry points for many attacks on a variety of hosts located in different geographic regions and categorized differently by URL categorization engines. These entry points are located not only in China, but also in the U.S. and Western Europe, and they include trusted .gov and .edu sites.
Once a user has been led to a malicious site, the site exploits the user’s browser to download the Trojan and install it on the user’s machine. The infected PC then starts to send data to other Web sites in the hacker network, including user names and passwords embedded in security software such as anti-virus, anti-spam, firewalls, etc. The information collected by the Trojan network is then fed into other sites which manage and refine the attack.
These stealthy attacks leave no visible damage on the user’s machine. On the compromised site itself, the attackers may simply insert a single line of code that points to malicious code hosted on an external server. The upshot is that any user who visits such a Web site may be making available his or her personal identity, bank account details and credit card numbers to the criminals behind these illicit operations.
Some of the most sophisticated attacks use "zero-day exploits" -- malware for which there is no security patch. As a result, signature-based technologies like anti-virus tools and URL filtering are of limited value against this type of attack. These technologies attempt to fingerprint the malicious code and create signatures, or to categorize known malicious sites. But the complexity and sophistication of the hacker network of Web sites is designed to elude such technologies.
To defend against this type of attack, security solutions need to employ real-time content inspection technology which analyzes each and every piece of Web content for potential malicious intent. Anything else might be "too little, too late," when it comes to providing adequate protection against the evasive Web threats emanating from China and elsewhere.
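As an added illustration (not code from this article or from Finjan): a minimal content-inspection pass that flags script and iframe elements on a page that load content from a host other than the page's own, the pattern described above where a single inserted line points at an external server. The page and hostnames are constructed placeholders, and the allowlist is an assumed local policy.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a page served from a trusted host into which one line
# referencing an external server has been inserted (placeholder domains).
SAMPLE_HTML = """<html><head><title>Annual report</title>
<script src="/js/site.js"></script>
</head><body><p>Welcome to the example agency site.</p>
<iframe src="http://evil-example.invalid/t.php" width="0" height="0" style="visibility:hidden"></iframe>
<script src="https://cdn.example.edu/lib.js"></script>
</body></html>"""

TAG_RE = re.compile(r'<(script|iframe)\b([^>]*)>', re.IGNORECASE)
SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Attributes commonly used to keep an injected frame out of sight.
HIDDEN_RE = re.compile(
    r'(width|height)\s*=\s*["\']?0\b|visibility\s*:\s*hidden|display\s*:\s*none',
    re.IGNORECASE)


def find_external_references(html, page_host):
    """Return (tag, url, reasons) for every script/iframe whose src points to a
    host other than page_host; relative and same-host references are ignored."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = SRC_RE.search(attrs)
        if not src:
            continue
        url = src.group(1)
        host = urlparse(url).hostname
        if host is None or host == page_host:
            continue
        reasons = ['external host']
        if tag == 'iframe' and HIDDEN_RE.search(attrs):
            reasons.append('hidden iframe')
        findings.append((tag, url, reasons))
    return findings


def inspect_page(html, page_host, allowed_hosts=()):
    """Apply an assumed allowlist of known third-party hosts (e.g. a CDN) and
    return only the references a real-time inspector would surface for review."""
    allowed = {h.lower() for h in allowed_hosts}
    return [f for f in find_external_references(html, page_host)
            if urlparse(f[1]).hostname.lower() not in allowed]


if __name__ == '__main__':
    for tag, url, reasons in inspect_page(SAMPLE_HTML, 'agency.example.gov',
                                          allowed_hosts={'cdn.example.edu'}):
        print(f'{tag}: {url} ({", ".join(reasons)})')
```

A production inspector would also parse the HTML properly and examine inline script bodies; this block only shows the external-pointer check.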
Yuval Ben-Itzhak is Chief Technology Officer of Finjan Inc. He can be reached at: .
