Yuval Ben-Itzhak, the CTO of Finjan, a leader in secure web gateway products, has warned IT managers in companies of all sizes to be on the look-out for a wave of Trojans, and to protect their IT resources and business data against this growing form of crimeware.
Ben-Itzhak's warning comes in the wake of reports of a $1,000 crimeware development kit, including a Trojan, being sold to would-be hacker criminals.
The new variant, “Prg”, researched by Finjan’s Malicious Code Research Center (MCRC) and also noted by Don Jackson of managed security specialist SecureWorks, relays sensitive data collected during employees’ online activity to hacker websites, using SSL-encrypted format. Finjan’s MCRC found criminals’ servers in Panama.
Jackson's research suggests that the crimeware has been modified using a Trojan development kit to listen for hacker commands on a special TCP/IP port. These commands allow the hacker to gain remote control of the compromised system. Jackson’s analysis of log files on the servers storing the stolen data found that information was coming from corporate PCs, as noted in his report.
"This trend highlights the alarming growth of crimeware toolkits being sold to criminals by hackers. Such crimeware is focusing on stealing sensitive business data and sending it back to criminals’ servers over encrypted communication channels like SSL, in order to go undetected", said Ben-Itzhak.
Ben-Itzhak went on to say that, “IT managers need to be aware of this latest evolution in crimeware, as Finjan’s research confirms that attempts to pattern malicious code and create signatures, or to categorize known malicious sites, are clearly “too little, too late” when it comes to providing adequate protection to today’s dynamic and evasive web threats.
The way to detect modern malicious code is to be able to understand in real-time what the code intends to do, before it does it,” concludes Ben-Itzhak.
Finjan offers the following advice for corporate users:
- Check your vendor’s research capabilities and their ability to provide up-to-date information which is immediately translated into actionable security measures.
- Examine your egress data policy to make sure that you cover all known and suspicious sites.
- Make sure that real-time inspection and protection is added to your web security solution. Chasing the attack vectors after the event is always “too little, too late”, particularly if you get hit by a new Trojan that your security solution does not recognize.
- Make sure that your security solution is updated to handle new technologies and trends. Security products should protect you from the vulnerabilities rather than just attacks and exploits.