Data-theft trojans and the changing face of the Web

Security Strategies Alert, by M. E. Kabay and Mary Landesman, Network World
October 12, 2009 12:04 AM ET
The long view of security strategies for your network.

In 2004, Russell Beale of the University of Birmingham penned an interesting article discussing the social changes taking place on the Web. In his summation, Professor Beale noted, "We have split the Web atom – previously atomic units were Web pages – once you'd got them you could analyze them into text and graphics, but you generally dealt in whole pages. Now our atomic unit is much smaller – we can construct things out of fragments of pages. And this makes a second difference – consumers can look only at what they want."

Today, consumers are looking at far more than they bargained for. Attackers are leveraging the multi-source aspect of the modern Web site, inserting malicious content designed to silently foist malware onto unsuspecting visitors' computers. And the malware being delivered is not the prank-style virus or worm of the late 1990s: most Web-delivered malware is for data theft, intended to siphon the intellectual property and capital assets of its victims.

Currently, data-theft Trojans have outpaced all other forms of malware delivered through the Web. As of May 2009, Web attacks were growing at a rate of 1% a day and were up 324% compared with May 2008. The rate of encounters with compromised Web sites resulting from those attacks also increased, up 509% in May 2009 compared with May 2007. Most concerning, Web encounters with data-theft Trojans were up 4,955% in May 2009 compared with May 2007, and up 1,424% compared with May 2008, according to ScanSafe.

Some of the key developments in the battle against data-theft Trojans are as follows:

1. Data-theft Trojans aren't limited to games. Though they may carry labels such as WoWstealer, GameThief and PSW.OnlineGames, the Trojans themselves are serious business. Data-theft Trojans silently siphon off companies' most precious assets – the intellectual property that includes designs, inventions, specifications and marketing plans. What may have been years in the making can be stolen in a matter of minutes. Expected returns on research and development costs can be severely diminished – or lost forever – when markets are suddenly flooded with counterfeit lookalikes or unexpected competitors.

2. Today's data-theft Trojans are highly configurable. Many of today's data-theft Trojans launch intermittent Address Resolution Protocol (ARP) poisoning attacks on compromised networks. The subsequent man-in-the-middle attack intercepts targeted network traffic – sniffing, tampering with, or redirecting that traffic. The illegally obtained knowledge gleaned from the ARP poisoning can be used to further configure the data-theft Trojan to target specific intellectual property or network assets.

3. Data-theft Trojans have a means to spread. Commonly, today's data-theft Trojans are facilitated by autorun worms. Though many equate the term "autorun" with removable drives only, autorun worms can spread via any discoverable drives, which includes removable, fixed and mapped drives. The autorun worm spreads by dropping a malicious autorun.inf file to the root of the drive, along with a copy of the worm. When the drive is subsequently accessed, the autorun.inf file is executed and loads the referenced copy of the worm; hence the data-theft Trojan is copied onto the new location.
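
The autorun.inf mechanism in item 3 can be checked for on a drive before it is opened. The Python sketch below is an added example, not part of the original article: it reads an autorun.inf, tolerates junk padding lines, and reports launch entries that point at an executable stored on the same drive. The sample file contents, file names and function names are constructed for illustration.

```python
import ntpath
import re

# Keys in the [autorun] section that name a program to launch.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

# Constructed sample: an autorun.inf padded with junk lines, plus a drive listing.
SAMPLE_INF = """;kd93jfla
[AutoRun]
jf93lLKSdj
open=RECYCLER\\update.exe -s
shell\\open\\command=RECYCLER\\update.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
SAMPLE_FILES = ["autorun.inf", "RECYCLER\\update.exe", "report.doc"]

def launch_targets(inf_text):
    """Return (key, value) launch entries from [autorun], skipping junk lines."""
    section, found = None, []
    for line in (raw.strip() for raw in inf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if LAUNCH_KEY.match(key) and value:
                found.append((key.lower(), value))
    return found

def program_of(value):
    """Extract the program path from a command line, honouring a quoted path."""
    first = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
    return ntpath.normpath(first).lstrip("\\").lower()

def triage(inf_text, drive_files):
    """Report each launch entry and whether its program is an executable on the drive."""
    present = {ntpath.normpath(f).lower() for f in drive_files}
    return [{"key": key, "program": program_of(value),
             "on_drive": program_of(value) in present,
             "executable": program_of(value).endswith(EXEC_EXT)}
            for key, value in launch_targets(inf_text)]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INF, SAMPLE_FILES):
        print(finding)
```

An entry that is both present on the drive and of an executable type matches the drop pattern described in item 3 and merits inspection of the referenced file.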

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
