8.18.2007

Trojan software hidden on Job Search web-sites...

Very nice article by Brian Prince on a Trojan malware that has infected a number of web sites, allegedly including Monster.com and other job search web sites.

Some quotes from Brian:

"The hackers behind the attack are running ads on the sites and injecting those ads with the Trojan. When a user views or clicks on one of the malicious ads, their PC is infected..."

Moral of the story: Even reliable, trusted sites can inadvertently host malicious material or host links to sites that do.

"...all the information entered into their browser, such as financial information entered before it reaches SSL protected sites, is captured and sent off to the hacker's server..."

Moral of the story: one of the best ways to get encrypted data is to get it before it gets encrypted...

Brian quotes Don Jackson of SecureWorks: "This Trojan uses its own packer…it compresses and changes the code around," he said. "This packer is unique to this Trojan. It was written specifically for it, and the construction kit that produces the executables is very, very good at putting instruction substitutions, giving a long string of instructions for a simple task and putting garbage code or null operations in there, so that it is hard for anti-virus. Anti-virus has not been able to pick a stub…that they can identify reliably from file to file."

No moral here...just fascinating how well the creators have considered the issue of camouflaging their presence.

Chalmer
