Finjan notes new Trojan activity on a Chinese Government website

Finjan has recently conducted a study prompted by the increased volume of attacks coming from China. The study maps how users' PCs are being infected by Trojans distributed from China that then steal data from organizations, and details some of the sites involved in the process.

Finjan's Malicious Code Research Center (MCRC) has detected malicious activity by groups that distribute their content using obfuscated code and a network of websites to bypass traditional information security technology. Finjan investigated a very sophisticated attack that used zero-day exploits (exploits for which no security patch exists) as well as other new hacking techniques, and discovered a centralized group of activity based in China. One of the websites in the group belongs to a Chinese governmental office.

Finjan researchers found that some sites in the network lead to Trojan sites that exploit the user's browser, then download the Trojan and install it on the user's desktop. Once the user's PC has been infected, the Trojan starts to send data to other websites in the network, which are hard to detect. Additional sites in the network monitor and control the attack using statistics about how many users visited the site and how many were infected. The Trojans also collect data from the user, including which operating system is used, which applications are running, personal information such as user names and passwords, and which security products are installed (AV, anti-spam, firewalls, etc.). The information collected by the Trojan network is then fed into other sites, which refine the attack.

A snapshot picture showing the names of the websites and how they interlink is available at http://www.finjan.com/Pressrelease.aspx?id=228. The names of some of the websites have been partially obscured, as the sites are still active and highly malicious. Moreover, this snapshot focused on just one specific Trojan sample; while inspecting the hacker activity, Finjan discovered that many more Trojan networks exist that use the same infection and control process.

Finjan is currently in the middle of the study and has released this interim update due to recent reports that the Director-General of MI5 sent a confidential letter last week to 300 chief executives and security chiefs at banks, accountants and legal firms in the UK, warning them that they were under attack from Chinese state organisations. Full details of the Finjan study will be revealed later this month.

The various techniques used to direct users to the malicious sites in China have been revealed by Finjan over the past year. They include redirection from trusted sites that have been hacked, links from spam email, Instant Messaging infections, infected content inserted into legitimate Web 2.0 sites, and copycat domain names. For more information on the techniques covered in Finjan's Web Security Trends Reports, visit http://www.finjan.com/Content.aspx?id=827.
