Finjan Inc. reports that attackers infected at least 10,000 trusted web sites with malware last month using the Random.JS Trojan toolkit.  Random.JS is an exceptionally sneaky Trojan that infects the targeted machine and sends data from the machine back to the attackers controlling it via the Internet.  The information that is stolen includes documents, passwords, surfing habits and other forms of compromising information.

“Random.JS uses varying methods to remain undetected and keep spreading,” Ben-Itzhak said. “It is able to break antivirus signatures and store malware on legitimate sites.” The Random.JS toolkit is a piece of JavaScript code that morphs every time it is accessed, he said. As a result, it’s nearly impossible to detect with traditional signature-based anti-malware products.

The Random.JS attack works by dynamically embedding scripts into a Web page, he said. The script is served under a random filename that can be accessed only once, and so selectively that once a user has received an infected page, the script is not referenced again on further requests. This prevents detection of the malware in later forensic analysis.
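Because the script name changes per visitor and is never served twice, content signatures have nothing stable to match, but the one-off request pattern itself can be looked for in proxy logs. The sketch below is an added example, not Finjan's method or code from the toolkit; the log layout (client, referring page, script URL), the sample records and the `min_loads` threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed proxy-log sample: (client, referring page, requested script URL).
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/index.html", "http://news.example/js/menu.js"),
    ("10.0.0.5", "http://news.example/index.html", "http://news.example/xkqzv.js"),
    # Same client revisits: the stable script is requested again, the one-off is not.
    ("10.0.0.5", "http://news.example/index.html", "http://news.example/js/menu.js"),
    ("10.0.0.9", "http://news.example/index.html", "http://news.example/js/menu.js"),
    ("10.0.0.9", "http://news.example/index.html", "http://news.example/bwtfh.js"),
    ("10.0.0.7", "http://shop.example/cart.html", "http://shop.example/js/cart.js"),
]


def single_use_scripts(records, min_loads=3):
    """Return {page: [(script_url, client), ...]} for scripts requested exactly once.

    A page is only judged when its busiest script was requested at least
    min_loads times (hypothetical threshold), so that a page seen once does
    not make every one of its scripts look like a one-off.
    """
    per_page = defaultdict(lambda: defaultdict(list))
    for client, page, script in records:
        per_page[page][script].append(client)

    findings = {}
    for page, scripts in per_page.items():
        # The most-requested script approximates how often the page was loaded.
        loads = max(len(clients) for clients in scripts.values())
        if loads < min_loads:
            continue  # not enough traffic to separate one-off from stable scripts
        once = sorted((url, clients[0]) for url, clients in scripts.items()
                      if len(clients) == 1)
        if once:
            findings[page] = once
    return findings


if __name__ == "__main__":
    for page, hits in single_use_scripts(SAMPLE_LOG).items():
        for url, client in hits:
            print(f"{page}: one-off script {url} served to {client}")
```

Browser caching can make a legitimate script appear only once per client, so hits are leads for review of the referring page, not verdicts.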

The list of attack toolkits includes MPack, NeoSploit, IcePack, WebAttacker, WebAttacker2 and MultiExploit, along with newer toolkits like Random.JS, vipcrypt, makemelaugh and dycrypt.

Security vendors warn of the rising use of attack toolkits in recent months.

Are your systems protected?  Let Digital Reach assess your network security strategy.