Server offers one-stop shopping for addresses, credentials, malware

Malicious code is being found more often in legitimate Web sites, infecting the computers of visitors to sites they believed they could trust. One recent study found that in the last half of 2007, legitimate sites accounted for more than half of malicious content.

In a report released today, researchers at Finjan said they have discovered how these compromises are being done. An examination of a server hosting advanced crimeware toolkits for launching attacks also revealed an application for trading stolen FTP account credentials, and a database of server addresses, user names and passwords for more than 8,700 accounts.

The credentials and crimeware make a sophisticated system for launching attacks using the software-as-a-service model being adopted in legitimate enterprises, said Finjan Chief Technology Officer Yuval Ben-Itzhak.

“This is the last piece of the puzzle,” Ben-Itzhak said. “The surprise is how mature the system they are using is.”

The findings are reported in the February edition of the Malicious Page of the Month, published by Finjan’s Malicious Code Research Center.

The trading application and harvested credentials were found while examining a server hosting a sophisticated crimeware toolkit called NeoSploit v. 2. Using the stolen credentials, criminals can use NeoSploit to inject IFRAME tags into any Web page on the compromised server. The stolen account information covers a number of large global corporations as well as some government agencies, including at least one in the United States hosting an infected Web site for a state court. The United States had the largest number of stolen accounts, at 2,621, with the Russian Federation coming in a distant second with 1,247 stolen accounts. Accounts were found from at least 10 other countries.

