Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.
The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site. The compromised sites host the malicious code -- foregoing the iframe redirect that has increasingly been used by attackers -- and serves up the attack to each visitor only once using a random file name each time. The two techniques, along with more traditional code obfuscation, makes the attack difficult to find, said Yuval Ben-Itzhak, chief technology officer for Finjan.
"This attack uses three different methods to go undetected by signature-based or URL-based defenses," Ben-Itzhak said. "If you realize that you've been infected, and you go and search sites, you will not be able to find the site that infected you."
The actual malicious code served to visitors by the sites compromised by the Random JS Toolkit attempts to exploit computers using 13 different vulnerabilities, the company said. The Trojan horse program steals the victim's login credentials to access online banks. The software uses encrypted communications to a number of sites hosted in the United States to return the information to the criminal group behind the attack, the analysis found.
