Security firm: Samsung site hosts Trojan

Malware that steals access codes sits on Samsung server and is spread by malicious spam and IM, Websense says.

Munir Kotadia Special to CNET News

Sept. 8, 2006 6:07 p.m. PT

3 min read

Samsung Electronics' U.S. Web site is hosting a Trojan horse that logs keystrokes, disables antivirus applications and steals online banking access codes, according to Internet security company Websense.

"Currently, there is no exploit code on the Web site that attempts to trigger a download of the file without user interaction," Websense said in an alert this week. "The site is hosting and most likely distributing files to users who are lured through instant messaging or e-mail links."

Joel Camissar, Australian country manager for Websense, told ZDNet Australia that Samsung has been informed about the issue but has not yet removed the offending files.

"As of (Friday morning Sydney time), the malicious code on the Web site was still active," he said.

According to Websense's alert, the site "has been hosting a number of directories and files which, when downloaded and run, install malicious code on end-users' machines. The server appears to have been compromised and has been hosting a variety of files for some time."

Camissar acknowledged it was possible that the hackers who compromised Samsung's server would have been able to modify the company's Web site so that visitors using a vulnerable browser would become automatically infected with the malicious software.

"Why not hack into a site that people are visiting that is a trusted brand? Trust is so important these days. People are being preached to by banks not to trust links (in unsolicited e-mails)--that is something people are starting to follow. So if one does go to a site that is trusted, it is certainly a very easy way for hackers to compromise users," Camissar said.

Earlier this week, Dave Cole, director of Symantec Security Response, warned on his blog that hackers are exploiting Web technologies such as Ajax and JavaScript to compromise "trusted" Web sites with malicious software.

"It's worth noting that most high-impact attacks may be performed on popular sites where someone has embedded an attack in an otherwise benign location for user-created content, advertisements, or comments. Sure, there will be enticements to bring people to outright nasty sites loaded with exploits, but a more successful and insidious attack would leverage a person's trust of an already known, popular site," wrote Cole.

Cole said these kinds of attacks are still in the early stage. "From port scanning to fingerprinting and basic network mapping, all done using the Ajax group of technologies, it's clear that we've only begun to see what's possible via malicious Web sites," he wrote.

"While they may not have the immediate impact of a WMF-style vulnerability (i.e.: remote admin-level control), they leave no trace once the browser is closed and don't rely on a researcher uncovering a Godzilla-style hole in a popular Web browser," he added.

Last month, the School of Media, Film and Theater at the University of New South Wales acknowledged that one of its Mac servers had been compromised and used to host a potentially malicious file, which was disguised as a Microsoft security patch.

Samsung was unavailable for comment.

Munir Kotadia of ZDNet Australia reported from Sydney.