Businesses around the world are at risk from attacks distributed from China, and existing signature-based anti-virus software and URL-based web monitoring may not be enough to protect end-users, researchers have warned.
A study from Finjan, a supplier of secure web gateway products, has reported that users' PCs are being infected by Trojans distributed from China. The company's Malicious Code Research Center (MCRC) has detected malicious activity by groups that distribute their content using a network of websites to bypass traditional information security technology.
The researchers uncovered a sophisticated attack that used zero-day exploits (exploits for vulnerabilities for which no security patch yet exists) as well as other new hacking techniques. They also discovered a centralised group of activity based in China. One of the websites in the group belongs to a Chinese governmental office.
The research found that the Trojans on these infected PCs are stealing data from organisations. Once a user's PC has been infected, the Trojan starts sending data to other websites in the network, which are hard to detect. Additional sites in the network monitor and control the attack using statistics on how many users visited the site and how many were infected. The Trojans also collect data from the user: which operating system is used, which applications are running, personal information such as user names and passwords, and which security systems are installed (anti-virus software, spam filters and firewalls). The information collected by the Trojan network is then fed into other sites, which refine the attack.
Signature-based antivirus software is unable to protect users against this attack, Finjan chief technology officer Yuval Ben-Itzhak said. "In order to have a signature for your anti-virus software, a researcher needs to create a signature. But each time it is downloaded a new version of the Trojan is created."
IT directors will also be unable to block access to the malicious websites, Ben-Itzhak warned. "The website URLs are being changed dynamically so you will never be able to keep your website monitoring database up to date. Hackers will change the location of the malicious code."
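The two evasion mechanisms described above, per-download re-packing of the Trojan and rotating download URLs, can be modelled in a few lines. The following is an added illustration, not Finjan's code and not a real sample from the research: the payload, the one-byte XOR wrapper with random junk padding, and the `example.invalid` hostnames are all constructed assumptions standing in for whatever the real network used. It shows why a hash signature or a URL blocklist built from the first victim's download catches only that one download, while a rule that inspects the content after the wrapper is removed catches every variant of the same family.

```python
import hashlib
import random

# Constructed stand-in for the Trojan's core (the beacon it would send home).
# No real sample is available on the page; this string is illustrative only.
CORE_PAYLOAD = b"BEACON os=%OS% apps=%APPS% av=%AV% creds=%CREDS%"
# What a content-level rule looks for once the wrapper is stripped.
FAMILY_MARKER = b"BEACON os="


def build_variant(rng):
    """Assumed server-side re-packing: a fresh one-byte XOR key and random
    junk padding on every download. The bytes change; the behaviour does not.
    Layout: [key][len(junk)][junk][xor-encoded payload]."""
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 16)))
    body = bytes(b ^ key for b in CORE_PAYLOAD)
    return bytes([key, len(junk)]) + junk + body


def serve_download(rng, n):
    """The network also rotates hostnames (constructed .invalid names)."""
    url = f"http://dl{n}-{rng.randrange(10**6)}.example.invalid/update.exe"
    return url, build_variant(rng)


def unpack(variant):
    """Undo the assumed wrapper to recover the payload the code actually runs."""
    key, junk_len = variant[0], variant[1]
    body = variant[2 + junk_len:]
    return bytes(b ^ key for b in body)


def hash_signature_hit(sample, sig_db):
    """Classic exact-match signature: SHA-256 of the file as downloaded."""
    return hashlib.sha256(sample).hexdigest() in sig_db


def url_blocklist_hit(url, url_db):
    """Classic URL filtering: block known-bad download locations."""
    return url in url_db


def content_rule_hit(sample):
    """Inspect what the code does after the wrapper is removed, not the
    wrapper bytes themselves. Malformed input is simply not a match."""
    try:
        return FAMILY_MARKER in unpack(sample)
    except IndexError:
        return False


def simulate_campaign(n_downloads=5, seed=7):
    """Defender builds a hash signature and a URL entry from the first
    victim's download, then all three checks are run over every download.
    Returns the number of downloads each method flagged."""
    rng = random.Random(seed)
    downloads = [serve_download(rng, n) for n in range(n_downloads)]
    first_url, first_sample = downloads[0]
    sig_db = {hashlib.sha256(first_sample).hexdigest()}
    url_db = {first_url}
    hits = {"hash": 0, "url": 0, "content": 0}
    for url, sample in downloads:
        hits["hash"] += hash_signature_hit(sample, sig_db)
        hits["url"] += url_blocklist_hit(url, url_db)
        hits["content"] += content_rule_hit(sample)
    return hits


if __name__ == "__main__":
    print(simulate_campaign())  # hash and url catch 1 of 5, content catches 5 of 5
```

The content rule only works because the wrapper here is trivial to undo; against real packers the equivalent step is emulation or sandbox execution, which is the cost the article's "signatures are not enough" warning implies.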