Increased Malicious Activity Coming Out of China
This is a Press Release edited by SecurityNewsletter.com on Mon, December 17th, 2007
Finjan's Malicious Code Research Center (MCRC) has identified increased malicious activity coming out of China recently.
Finjan has examined the attacks and the mechanisms involved in executing them, and found an intricate network of connections between Chinese-based servers whose main purpose is to conduct criminal activity. Finjan has discovered that the entry points that initiate the attack on users “in the wild” exist all over the world and all are eventually associated with servers that are registered as Chinese domains.
The attackers are spreading their attacks by placing the entry points for the attack on a variety of websites, located in different regions and categorized differently by URL categorization engines. The infection consists of either an IFRAME or a SCRIPT tag being placed on the website, which causes users visiting the site to be attacked. Examples of such entry point regions are shown in the December 2007 Malicious Page of the Month Report and were found on trusted websites in the USA, China, and Western Europe, including Government and Education sites.
After the victim reaches an entry point, the attackers use dynamic code obfuscation methods to keep signature-based technologies from detecting the attack, and the victim is redirected to a series of sites containing iframes that will eventually force the victim to visit a site that belongs to the Chinese network. In the first part of the actual malicious attack, the attackers use known, as well as new, exploits that will infect the victim with a Crimeware-Trojan. After the initial Trojan is loaded, it initiates the downloading of other Trojans from different locations. The victim’s compromised computer will now redirect to other sites in order to send statistical information about the infected PC.
Finjan has discovered that different Trojans send encoded information to the same sites (located in China) that we identified as being unique to the attack. For more details, including actual examples of these sophisticated attacks based out of China and Central Asia, download the December 2007 Malicious Page of the Month Report.
