Bernhard Warner
For the second time in the past two months, a nasty new computer threat has quietly spread across the web infecting countless computers with a key-logging Trojan. Bank log-ins, PIN codes and credit card details are among the booty this piece of malware is designed to Hoover up.
What makes it so worrisome is the target: it’s infecting popular websites – 10,000 at the last count, but the number could be ten times that – according to new research by network security specialists at Finjan.
This technique of creating a minefield of infected websites that can ensnare unsuspecting surfers first emerged in late 2007. In that case, hackers temporarily turned high-profile sites belonging to the likes of The Economist and Major League Baseball into traps. A primary link to the outbreak, it was determined, was DoubleClick, the ad-serving specialist that Google is in the process of acquiring. Unbeknown to DoubleClick, the company was serving up not just banner adverts, but specially designed malware as well. The intrusion was identified and eradicated, and now DoubleClick does an extra scan of its inventory to ensure it’s only sending out adverts.
Still, the genie, it was feared then, was out of the bottle. And sure enough the latest method of installing malware on legitimate websites also involved infiltrating an ad-serving firm that serves up more than two million banner ads per day, Finjan researchers reported. (Not all of the 10,000 known infections stemmed from this ad-serving specialist, Finjan points out. Their researchers still don’t know how the remaining sites fell prey to the malware.)
Finjan will not name the ad-serving firm, but says the victimised company is in the process of ridding its servers of the contagion. It does name two other infected sites, which illustrate the indiscriminate approach this contagion takes to infiltrating its hosts. One of the victims was the University of California, Berkeley; the other is a popular computer gaming site, Teagames.com, Finjan says. (They named these two out of a list of 10,000 because they quickly combed through their servers and removed the malware. There are thousands more that are in the process of doing the same.)
The malware – dubbed “random jsrootkit” by Finjan – has been ingeniously designed. The payload – in essence, the key-logging Trojan – is encrypted, making it virtually undetectable to just about all antivirus scanners. For an added level of cover, the random jsrootkit changes its name every time it embeds itself inside an infected host. The aim of creating so many calling cards is to avoid being placed on a malware blacklist. For good measure, it is programmed to infect a computer user just once, again to avoid triggering any red flags among malware sentinels.
“This is a very smart program,” Yuval Ben-Itzhak, chief technology officer of the San Jose-based IT security firm, says. “It’s really trying to fool everybody and hide itself from everything that is out there today in the anti-virus market.”
“The goal for these hackers is to have the malicious code up and running for as long as possible so they can continue to infect machines and collect information,” Mr Ben-Itzhak says.
It’s the primary difference of today’s hacking scourge: the stealthy approach is more valuable to crime gangs who can quietly bide their time and collect as much detail as they can before detection. It has given rise to a new name in security circles: malware as “crimeware”.
The biggest problem with fighting crimeware of this nature is that we are armed with the wrong kind of defence. Antivirus software is designed to identify and quarantine known threats, but constantly morphing Trojans, or worse, ones with encrypted payloads, will slip through filters nearly every time.
This is beginning to generate a new discussion in network security circles about how best to fortify internet users and websites from these types of intrusions. The conclusion many are drawing is that antivirus software is simply not enough, a worrying sign when you consider that so many personal computers continue to run without any type of antivirus software at all.
While security experts debate the best approach, you can be sure the crimeware gangs will be busy too, developing yet another sneaky piece of code that quietly slips by our defences and bides its time until its master instructs it to go to work.
---
Bernhard Warner, a freelance journalist and media consultant, writes about technology, the internet and media industries. He can be reached at techscribe@gmail.com
Copyright 2010 Times Newspapers Ltd.