The random js toolkit was detected while diagnosing users' Web traffic during December 2007. The random js toolkit is a JavaScript code that is created dynamically and changes every time it is being accessed. As a result, it is almost impossible to be detected by traditional signature-based anti-malware products.
"Signaturing a dynamic script is not effective. Signaturing the exploiting code itself is also not effective, since these exploits are changing continually to stay ahead of current zero-day threats and available patches. Keeping an up-to-date list of 'highly-trusted-doubtful' domains serves only as a limited defense against this attack vector," Explained Finjan CTO Yuval Ben-Itzhak.
"What's needed to counter this exploit is dynamic code inspection technology that can detect and block an attack in real time," Ben-Itzhak said. "This technology doesn't depend on the origin URL, signature or the site's reputation, but inspects the Web content in real-time, as served. It analyzes the code's intentions before enabling it be executed on the end-user browser."
Over 30,000 new infected Web pages are being created every day
Ben-Itzhak noted that the random js toolkit is an example of the recent trend among cyber criminals to undermine trusted Web sites. "In mid-year 2007, studies showed there were nearly 30,000 new infected Web pages being created every day. About 80 percent of those pages hosting malicious software or containing drive-by downloads with damaging content were located on hacked legitimate sites. Today the situation is much worse."
The random js attack is performed by dynamic embedding of scripts into a Web page. It provides a random filename that can only be accessed once. This dynamic embedding is done in such a selective manner that when a user has received a page with the embedded malicious script once, it will not be referenced again on further requests. This method prevents detection of the malware in later forensic analyses.
Research into the random js toolkit found that around 10,000 legitimate domains served the malicious code in December. Among the infected Web sites, Finjan identified highly trusted domains and alerted administrators of both sites. The malicious code was subsequently removed from the sites and is no longer active.