
Research from web security firm Finjan has highlighted a worrying trend in hacking emerging from China.
Researchers warned that businesses around the world were at risk from a new breed of Trojan that existing signature-based anti-virus software and URL-based web monitoring systems were unable to protect against.
The sophisticated attacks, which are distributed using a network of websites, use zero-day exploits (malware for which there is no security patch) alongside other new hacking techniques. The purpose of the viruses is to steal sensitive data.
Once a user's PC has been infected, the Trojan starts to send data to other websites in the network, which are difficult to detect. Additional sites in the network monitor and control the attack using statistics about how many users are visiting the site and how many are being infected.
Data collected by the Trojans includes which operating system is used, the applications that are running, users' personal information, such as log-in names and passwords, and what security systems, anti-virus software, spam filters and firewalls are installed. This information is then fed into other sites in the attackers' network, which refine the virus.
Anti-virus software
Businesses rely on anti-virus products to protect networks and PCs. The most widely used form of anti-virus software relies on a database containing the electronic signatures of known viruses. By identifying these signatures, viruses can be blocked at the perimeter before they enter an organisation's network.
Finjan said this type of signature-based anti-virus software is unable to protect users against the new type of attack.
Chief technology officer Yuval Ben-Itzhak said, "To have a signature for your anti-virus software, a researcher needs to create a signature. But each time this Trojan is downloaded, a new version of the virus is created."
It would be impossible for an anti-virus company to produce signature file updates fast enough to stem this type of computer virus, said Ben-Itzhak. The virus would simply evolve into a form whose signature is not yet in the signature file, and so it would pass through corporate defences undetected.
One possible defence would be to use website monitoring tools to block the websites distributing the viruses. Such tools work in a similar way to anti-virus software, with malicious sites only being blocked once they have been identified.
Although this may slow the spread of the virus, Ben-Itzhak said, "The website URLs are being changed dynamically, so you will never be able to keep your website monitoring database up to date. Hackers will change the location of the malicious code."
A more effective defence would be to use heuristics. This works by monitoring virus behaviour rather than relying on a signature file. As a result, any malicious code that appears to exhibit virus-like tendencies will be flagged.
In theory, heuristics should enable IT departments to detect any new virus attack, but it is not without its problems.
In the past, heuristic systems have suffered from poor performance, because suspect code needs to be analysed rather than simply checked against an anti-virus signature. Heuristic scanning has also been prone to wrongly identifying legitimate software as a virus.
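The two detection approaches contrasted above (per-download mutation defeating exact signatures, and behaviour-based heuristics catching variants at the cost of possible false positives) can be simulated in a few lines. This is an added illustration, not Finjan's code or any real product; the sample bytes, action traces, weights and threshold are all constructed assumptions.

```python
import hashlib

# Constructed stand-ins for three downloads of the "same" Trojan: identical
# core logic with a different junk tail each time, mimicking the per-download
# mutation the article describes. These are labels, not real malware.
PAYLOAD_CORE = b"steal-credentials;enumerate-av;beacon-out"
DOWNLOADS = [PAYLOAD_CORE + b";junk=" + bytes([i]) * 4 for i in range(3)]

# Constructed behaviour traces: the actions each sample was observed doing.
# "backup_tool" is benign but overlaps partly with the malicious pattern.
TRACES = {
    "trojan_dl0": ["read_saved_passwords", "enumerate_installed_av", "http_post_to_new_domain"],
    "trojan_dl1": ["enumerate_installed_av", "read_saved_passwords", "http_post_to_new_domain"],
    "backup_tool": ["enumerate_installed_av", "http_post_to_new_domain"],
    "text_editor": ["open_file", "write_file"],
}

# Illustrative weights for the data-theft behaviours named in the article;
# the values and the threshold are assumptions chosen for the demo.
BEHAVIOUR_WEIGHTS = {
    "read_saved_passwords": 3,
    "enumerate_installed_av": 2,
    "http_post_to_new_domain": 2,
}
FLAG_THRESHOLD = 5


def signature(sample: bytes) -> str:
    """Whole-file hash: the simplest form of a static signature."""
    return hashlib.sha256(sample).hexdigest()


def signature_hits(known: set, samples: list) -> int:
    """Count how many samples a signature database of earlier downloads catches."""
    return sum(signature(s) in known for s in samples)


def behaviour_score(trace: list) -> int:
    """Sum the weights of suspicious actions seen in a trace, each counted once."""
    return sum(BEHAVIOUR_WEIGHTS.get(action, 0) for action in set(trace))


def heuristic_verdicts(traces: dict) -> dict:
    """Flag a sample when its behaviour score reaches the threshold."""
    return {name: behaviour_score(t) >= FLAG_THRESHOLD for name, t in traces.items()}


if __name__ == "__main__":
    db = {signature(DOWNLOADS[0])}          # signature captured from the first download
    print("signature hits on later downloads:", signature_hits(db, DOWNLOADS[1:]))
    print("heuristic verdicts:", heuristic_verdicts(TRACES))
```

The signature database built from the first download catches none of the later ones, while the behaviour rule flags both Trojan traces and, because of the threshold, leaves the partly overlapping benign tool alone.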
Olympics danger
These issues, combined with the fact that signature-based anti-virus systems have been coping fairly well, have meant that heuristics has remained fairly niche. However, as the world tunes in to the Beijing Olympics later this year, information security managers may be forced to reassess the technology.
The Trojans identified by Finjan emanate from a group of websites based in China, and there is a very real threat of hackers hijacking Olympics sites, or creating fake sites around the Games to distribute their malware. This potential threat is highlighted by the fact that one of the websites in the group currently distributing the Trojans belongs to a Chinese governmental office.
The good news is that, although the technology has not been making the headlines, heuristic anti-virus detection has been evolving in the labs. And 2008 could be a proving ground and the first wide-scale test of its abilities.