Remember LINKOPTIM, which exploited a number of legitimate Italian Web sites to spread malicious JavaScript? Since early Saturday morning (June 16, 2007), Trend Micro has been receiving several reports of a new batch of hacked Italian Web sites that trigger a series of malware downloads once a user visits them. This infection chain begins with a malicious IFRAME tag. Trend Micro detects Web pages hosting the said malicious tag as HTML_IFRAME.CU. All the compromised sites are hosted in Italy and, to date, Trend Micro has identified more than 3,000 affected Web sites.
Here’s a sample screenshot of the IFRAME tag:
Most of the legitimate Web sites compromised by the malware authors are related to tourism, the automotive industry, movies and music, tax and employment services, some Italian city councils, and hotels. Apparently, most of these sites are hosted with one of the largest Web hosting providers in Italy.
Below is a sample screenshot of a compromised Web site:
Once the user visits any of the said Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This JavaScript then downloads the next member of the infection chain, detected as TROJ_SMALL.HCK: JS_DLOADER.NTJ exploits browser vulnerabilities, attempting to cause a buffer overflow in the user’s Internet browser, and through this it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be “browser-aware” in that it chooses which vulnerability to take advantage of depending on the browser.
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to connect to the Internet anonymously via the infected computer. TROJ_PAKES.NC, on the other hand, is dropped in the user’s temporary folder and downloads the keylogging information stealer TSPY_SINOWAL.BJ.
A diagram of the attack scenario is found below:
Another important factor in this Italian attack is the involvement of the malware toolkit Mpack, specifically its version 0.86. On the IP address to which the affected browser is initially redirected, an Mpack statistics page displays information on how users visiting legitimate Italian Web sites are being redirected to the Mpack host where the download chain begins.
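As an added example (not code from the original post or from Trend Micro), the following Python script applies the kind of check a site owner can run over their own saved pages to spot an injected IFRAME like the one described above. The sample page, the hostname www.example.com and the 192.0.2.10 address are constructed placeholders, since the screenshot of the actual tag is not reproduced here.

```python
# Added example (not Trend Micro's code): scan a saved HTML page for injected
# IFRAME tags like the one described above, so a site owner can check their own
# source. Heuristics: zero/one-pixel frames and frames whose src points to a bare
# IP address or an off-site host. The sample page and 192.0.2.10 are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []  # one dict of attributes per <iframe> seen

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})

def is_tiny(value):
    """True for a width/height of 0 or 1 (with or without a px suffix)."""
    try:
        return int(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False

def suspicious_iframes(html, own_host):
    """Return (src, reasons) for each iframe matching an injection heuristic."""
    finder = IframeFinder()
    finder.feed(html)
    findings = []
    for f in finder.frames:
        src = f.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_tiny(f.get("width", "")) or is_tiny(f.get("height", "")):
            reasons.append("zero/one-pixel frame")
        if IP_RE.match(host):
            reasons.append("src is a bare IP address")
        elif host and host != own_host:
            reasons.append("src is off-site")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: a legitimate page with one injected frame appended.
SAMPLE = """<html><body><h1>Hotel Roma</h1>
<iframe src="http://www.example.com/booking" width="600" height="400"></iframe>
<iframe src="http://192.0.2.10/stat/" width="0" height="0"></iframe>
</body></html>"""
```

Calling `suspicious_iframes(SAMPLE, "www.example.com")` reports only the zero-size frame pointing at the bare IP address; the site's own booking frame is left alone.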
The use of multiple middlemen in what looks like an attempt to steal information is not new, especially in this era of Web threats. Other threat incidents, some implicated in botnet investigations, have been known to use a slew of malware to deploy the entire plan of attack. However, what is especially interesting in this “Italian job” is how so many Web sites have been compromised in such a short period of time, possibly even in one go.
In terms of social engineering, it seems the authors behind this attack have come up with the perfect crime. Without the awareness raised by security company reports, users will have no qualms about accessing the said Web sites, especially since most have been known to be relatively safe and legitimate prior to this incident. Among the top hacked sites are some related to fashion, some with adult content, and several online communities with varied interests. It is possible that the malware authors are banking on an increase in user traffic due to the coming Italian holiday season, when users are expected to pursue more socially inclined interests beyond work or school.
Further complications may amplify the impact of this attack, considering that the malicious server hosting JS_DLOADER.NTJ may be updated at any time by the malware authors, possibly giving the script new and improved capabilities or other stealth mechanisms. Also, a version of Mpack newer than 0.86 has been discovered and may in fact be used in conjunction with the planted code to perpetrate more nefarious activities.
As stated above, Trend Micro already detects all the malicious code and files involved in this scheme and blocks the malicious URLs.
Update: As of 8:22 PM (GMT +0800), June 19, 2007, we have received reports of more than 3,000 compromised sites.



June 18th, 2007 at 9:45 am
[...] Here’s a diagram of the attack scenario from Trend Micro’s Carolyn Guevarra: [...]
June 18th, 2007 at 11:57 am
[...] antivirus firm Trend Micro is warning in its blog of a large Trojan attack that has proven especially troublesome for computers in Italy. The attack involved a blizzard of [...]
June 18th, 2007 at 1:53 pm
[...] and by Monday morning, more than 10,000 Web sites had been compromised, according to security firms Trend Micro and [...]
June 18th, 2007 at 4:59 pm
[...] and by Monday morning, more than 10,000 Web sites had been compromised, according to security firms Trend Micro Inc. and Websense Inc. 80 percent of the infections are on Italian Web sites. Almost all of the Web [...]
June 18th, 2007 at 9:35 pm
[...] Be careful surfing for Italy travel information this summer. According to Reuters, the Italian Job has infected thousands of websites related to Italy travel and tourism. We are confident that the virus has not compromised our little blog, but we’ll remain ever vigilant. In the meantime, run your virus protection software and/or read more detailed information (mostly for techies) here. [...]
June 19th, 2007 at 1:17 am
[...] According to Trend Micro, the compromised sites are injected with an IFRAME tag that redirects to an American server hosting malware, the hub of this attack, which then controls the malware download. [...]
June 19th, 2007 at 1:37 am
[...] you can get more information on the Panda Software website and on TrendMicro’s. For the time being, users are advised not to allow downloads from unknown sites and [...]
June 19th, 2007 at 3:36 am
[...] firm Trend Micro said that it has discovered a new threat that is currently making the rounds on the Internet. The threat [...]
June 19th, 2007 at 4:16 am
[...] a report from the security company Trend Micro, a killer IFRAME is attacking Italian servers. [...]
June 19th, 2007 at 6:51 am
[...] with the infection of over 1000 websites, almost all of them Italian (today we are at 10 times that). Trendmicro and Websense have released some information [...]
June 19th, 2007 at 7:41 am
[...] has published a screenshot with the iframe and advises webmasters to check their source code, and in case this iframe appears [...]
June 19th, 2007 at 1:54 pm
[...] This attack got the name HTML_IFRAME.CU and you can see more about it on the TrendMicro Website (here and here). [...]
June 19th, 2007 at 3:15 pm
[...] More technical details HERE [...]
June 19th, 2007 at 4:37 pm
[...] whether perhaps the number of attacks might depend only on the fact that the infection was aimed mainly at sites [...]
June 20th, 2007 at 12:38 am
[...] Directly from the Trend-Micro site [...]
June 20th, 2007 at 8:44 am
[...] 0. http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782 1. http://blog.trendmicro.com/another-malware-pulls-an-italian-job/ 2. [...]
June 21st, 2007 at 11:55 pm
[...] Information is available at http://www.trendmicro.de as well as in the Trend Micro Malware Blog at http://blog.trendmicro.com/another-malware-pulls-an-italian-job/. Further information on the topic of Web Threats can be found at [...]
June 26th, 2007 at 5:03 am
[...] the speed with which a large number of sites were compromised,” Trend Micro points out. Most of the affected pages are aimed at a broad audience. The main compromised sites [...]
July 23rd, 2007 at 2:09 pm
[...] information here [...]
September 3rd, 2007 at 1:01 am
[...] 1,100 Italian sites under attack from Russia. And whoever visits them risks infecting their own PC. According to Html.it, many are reportedly managed by [...]
November 17th, 2007 at 11:20 pm
[...] Trend Micro’s ongoing effort to track the exploits can be found on its http://blog.trendmicro.com/another-malware-pulls-an-italian-job/. [...]
November 20th, 2007 at 6:52 am
[...] http://blog.trendmicro.com/another-malware-pulls-an-italian-job/ states this morning, the target of choice for Mpack in recent days has been Italy. Many of its higher-profile sites have been targeted in recent days, including media publishers, tourism services, and auto sales sites. [...]
February 27th, 2008 at 9:02 pm
[...] the “Italian Job” by Trend Micro, the attack was first uncovered June 15. Legitimate sites were hacked to include malicious iFrames [...]
September 5th, 2008 at 4:25 am
[...] was once again recognized worldwide after a local team discovered the rapidly spreading infection Italian Job “malware” (malicious software) and became one of the first to provide [...]