Follow ITProPortal:

RSS Tweet Digg

Increased Malicious Activity Coming Out of China

Finjan Inc. announced important findings by its Malicious Code Research Center (MCRC), which has identified increased malicious activity coming out of China recently. Finjan has examined the attacks and the mechanisms involved in executing them, and found an intricate network of connections between China-based servers whose main purpose is to conduct criminal activity. Finjan has discovered that the entry points that initiate the attack on users "in the wild" exist all over the world, and all are eventually associated with servers that are registered as Chinese domains.

The attackers are spreading their attacks by placing the entry points for the attack on a variety of websites, located in different regions and categorized differently by URL categorization engines. The infection consists of either an IFRAME or a SCRIPT tag being placed on the website that causes the users visiting the site to be attacked.

Examples of such entry points are shown in the December 2007 Malicious Page of the Month Report; they were found on trusted websites in the USA, China, and Western Europe, including government and education sites.

After the victim reaches an entry point, the attackers use dynamic code obfuscation methods to limit the ability of signature-based technologies to detect the attack. The victim is then redirected through a series of sites containing iframes that eventually force the victim to visit a site that belongs to the Chinese network. In the first part of the actual malicious attack, the attackers use known, as well as new, exploits that infect the victim with a Crimeware-Trojan.
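For site owners, the entry-point mechanism described above (an IFRAME or SCRIPT tag planted on an otherwise trusted page) can be audited by listing every such tag whose source is off-site and not on an expected-host list. The following is an added example, not code from Finjan or the report; the host names, the allowlist and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class EmbedAuditor(HTMLParser):
    """Collect IFRAME/SCRIPT tags whose src points at an unexpected host."""

    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        # Handles absolute and protocol-relative (//host/path) URLs.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host in self.trusted:
            return  # inline script, relative URL, or an expected host
        reasons = ["off-site source"]
        if tag == "iframe" and self._invisible(a):
            reasons.append("invisible frame")
        self.findings.append((self.getpos()[0], tag, host, reasons))

    @staticmethod
    def _invisible(a):
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or "display:none" in style or "visibility:hidden" in style

def audit(html, site_host, allowed_hosts=()):
    """Return (line, tag, host, reasons) for each suspicious embed."""
    parser = EmbedAuditor(site_host, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two legitimate scripts, two planted tags.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="https://stats.partner.example/t.js"></script>
<h1>News</h1>
<iframe src="http://injected.example/in.htm" width="0" height="0"></iframe>
<script src="//unknown.example/a.js"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_PAGE, "www.site.example", ["stats.partner.example"]):
        print(finding)
```

A static pass like this sees only tags present in the served markup. Tags written at run time by obfuscated script, as the report describes, need a rendered-page check or a comparison against a known-good copy of the file.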




I have been musing and writing about technology since 1999 back in my native country Mauritius, dreaming back in 1997 of a world full of avatars...


Owned &
operated by:

Net Communities