Finjan reveals new Trojan activity involves Chinese Government website
Farnborough, United Kingdom, 3rd December, 2007
Finjan Inc., a leader in secure web gateway products, has recently conducted a study prompted by the increased volume of attacks coming from China. The study maps how users’ PCs are infected by Trojans distributed from China and details some of the sites that are involved in the process. Finjan’s Malicious Code Research Center (MCRC) has detected malicious activity by groups that distribute their content using obfuscated code as well as a network of websites that bypass traditional information security technology. Finjan investigated a very sophisticated attack that used zero-day exploits (malware) as well as other new hacking techniques and discovered a centralized group of activity based in China. In fact, one of the websites in the group belongs to a Chinese government office.
Finjan researchers found that some sites in the network lead to Trojan sites that exploit the user’s browser, downloading the Trojan and installing it on the user’s desktop. Once the user’s PC has been infected, the Trojan starts to send data to other websites in the network. Additional sites in the network monitor and control the attack using statistics on how many users visit the site and how many were infected. The Trojans also collect data from the user, including which operating system is used, which applications are running, personal information such as user names and passwords, and what security systems are installed (AV, anti-spam, firewalls, etc.). The information collected by the Trojan network is then fed into other sites, which refine the attack.
A snapshot picture showing the names of the websites and how they interlink is available below. The names of some of the websites have been partially obscured as the sites are still active and highly malicious. Moreover, this snapshot focused on just one specific Trojan sample. However, while inspecting the hacker activity it was discovered that many more Trojan networks exist that use the same infection and control process.
“This development is disturbing for governments, enterprises and individuals alike,” Finjan CTO Yuval Ben-Itzhak continued. “Signature-based technologies like Anti-virus and URL Filtering are limited against this type of attack. The number of vectors and sophisticated structure of the network of websites has been designed to bypass traditional information security technology based on signatures and URL filtering. To defend against this type of attack, security solutions need to employ real-time content inspection technology that analyzes each and every piece of web content in real-time, regardless of its original source or domain name. It is also important to have proactive protection in your web security solution that is able to understand in real-time what malicious code intends to do, before it does it.”
Finjan is currently in the middle of the study and has released this interim update due to recent reports that the Director-General of MI5 sent a confidential letter last week to 300 chief executives and security chiefs at banks, accountants and legal firms in the UK, warning them that they were under attack from Chinese state organisations. Full details of the Finjan study will be revealed later this month.
The various techniques used to direct users to the malicious sites in China have been revealed by Finjan in the past year. These include being directed from trusted sites that have been hacked, links from spam email, Instant Messaging infections, infected content inserted into legitimate web 2.0 sites, and copycat domain names. For more information on the techniques contained in Finjan’s Web Security Trends Reports, visit http://www.finjan.com/Content.aspx?id=827.
About MCRC
Malicious Code Research Center (MCRC) is the leading research department at Finjan, dedicated to the research and detection of security vulnerabilities in Internet applications, as well as other popular programs. MCRC’s goal is to stay steps ahead of hackers attempting to exploit open platforms and technologies to develop malicious code such as Spyware, Trojans, Phishing attacks, worms and viruses. MCRC shares its research efforts with many of the world’s leading software vendors to help patch their security holes. MCRC is a driving force behind the development of next generation security technologies used in Finjan’s proactive web security solutions. For more information, visit our MCRC subsite.
About Finjan
Finjan is a global provider of secure web gateway solutions for the enterprise market. Our real-time, appliance-based web security solutions deliver the most effective shield against web-borne threats, freeing enterprises to harness the web for maximum commercial results. Finjan’s real-time web security solutions utilize patented real-time content inspection technology to repel all types of threats arriving via the web, such as spyware, phishing, Trojans, obfuscated code and other malicious code, securing businesses against unknown and emerging threats, as well as known malware. Finjan's security solutions have received industry awards and recognition from leading analyst houses and publications, including IDC, Butler Group, SC Magazine, eWEEK, CRN, ITPro, PCPro, ITWeek, Network Computing, and Information Security. With Finjan’s award-winning and widely used solutions, businesses can focus on implementing web strategies to realize their full organizational and commercial potential. For more information about Finjan, please visit www.finjan.com.
Media Contacts
United States: Jan Wiedrick-Kozlowski, Activa PR, Tel. +1 585 392 7878, jan@activapr.com
UK: Neil Stinchcombe, Eskenzi PR Ltd., Tel: +44 (0)208 449 1007, neil@eskenzipr.com

