Jun 18, 11:32 am (UTC-7) | by Carolyn Guevarra (Technical Communications)
Remember LINKOPTIM, which exploited a number of legitimate Italian Web sites to spread malicious JavaScript? Since early Saturday morning (June 16, 2007), Trend Micro has been receiving reports of a new batch of hacked Italian Web sites that trigger a series of malware downloads as soon as a user visits them. Each infection chain begins with a malicious IFRAME tag injected into the compromised page. Trend Micro detects Web pages hosting this tag as HTML_IFRAME.CU. All the compromised sites are hosted in Italy and, to date, Trend Micro has identified more than 3,000 affected Web sites.
Here’s a sample screenshot of the IFRAME tag:
Most of the legitimate Web sites compromised in this attack are related to tourism, the automotive industry, movies and music, tax and employment services, some Italian city councils, and hotels. Most of them appear to be hosted with one of the largest Web hosting providers in Italy.
Below is a sample screenshot of a compromised Web site:
When a user visits any of these Web sites, the injected IFRAME silently redirects the browser to a server at another IP address, which serves the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This script exploits browser vulnerabilities, attempting to trigger a buffer overflow in the user's browser, and uses the resulting code execution to download the next member of the chain, detected as TROJ_SMALL.HCK. In initial testing, TrendLabs researchers observed that the script is "browser-aware": it selects which vulnerability to exploit based on the visiting browser.
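The injected tag described above is typically an IFRAME that is sized or styled so the visitor never sees it, with a src pointing at an off-site host, often a raw IP address. The scanner below flags that combination in a fetched page. It is an added example, not Trend Micro's detection logic or the HTML_IFRAME.CU signature; the sample pages, the host names and the 192.0.2.10 address in it are constructed for illustration.

```python
"""Flag hidden, off-site <iframe> injections of the kind seen on the
compromised Italian sites: an iframe whose src points to another host
(frequently a raw IP) and that is zero-size or otherwise invisible.

Added example for illustration; not Trend Micro code. Sample pages,
host names and the 192.0.2.10 address are constructed."""
from html.parser import HTMLParser
import ipaddress
from urllib.parse import urlparse


def _is_hidden(attrs):
    """True if the iframe is effectively invisible: width/height of 0 or 1,
    hidden via inline style, or positioned off-screen."""
    w = attrs.get("width", "").strip().rstrip("px").strip()
    h = attrs.get("height", "").strip().rstrip("px").strip()
    style = attrs.get("style", "").replace(" ", "").lower()
    try:
        tiny = (w != "" and int(w) <= 1) or (h != "" and int(h) <= 1)
    except ValueError:          # e.g. "100%": not a pixel size, not tiny
        tiny = False
    return (tiny
            or "display:none" in style
            or "visibility:hidden" in style
            or "left:-" in style or "top:-" in style)


def _is_offsite(src, site_host):
    """Return (offsite, raw_ip). Relative URLs are same-site; a bare IP
    host is reported separately because that is what the injected
    iframes on the compromised pages pointed at."""
    u = urlparse(src)
    if not u.netloc:
        return False, False
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        return True, True
    except ValueError:
        return host.lower() != site_host.lower(), False


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html, site_host):
    """Return one finding per iframe that is both off-site and hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        offsite, raw_ip = _is_offsite(src, site_host)
        if offsite and _is_hidden(attrs):
            findings.append({"src": src, "raw_ip": raw_ip, "hidden": True})
    return findings


# Constructed sample: a hotel page with an injected zero-size iframe
# pointing at a raw IP, plus a benign same-site iframe of normal size.
INJECTED_PAGE = """<html><body>
<h1>Hotel Bellavista</h1>
<iframe src="http://192.0.2.10/" width="0" height="0"
        frameborder="0"></iframe>
<iframe src="/booking" width="600" height="400"></iframe>
</body></html>"""

# Constructed sample: a clean page with only a visible same-site iframe.
CLEAN_PAGE = """<html><body>
<iframe src="/map" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_suspicious_iframes(page, "www.example.it"))
```

Run over a crawl of your own pages, the `raw_ip` flag is the strongest signal here: legitimate sites rarely embed an invisible frame from a bare IP address. Off-site iframes to named hosts still need a look, since a kit host can just as easily sit behind a domain.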
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server, allowing a remote user to connect to the Internet anonymously through the infected computer. TROJ_PAKES.NC is dropped into the user's temporary folder and downloads TSPY_SINOWAL.BJ, a keylogging information stealer.
A diagram of the attack scenario is found below:
Another important factor in this Italian attack is the involvement of the MPack exploit toolkit, specifically version 0.86. The server to which the affected browser is first redirected runs MPack, and its statistics page shows how visitors to the legitimate Italian Web sites are being redirected to the MPack host where the download chain begins.
Using a chain of intermediaries in what looks like an information-stealing operation is not new, especially in this era of Web threats. Other incidents, some of them implicated in botnet investigations, have used a slew of malware to carry out the full attack. What is especially interesting in this "Italian job" is how many Web sites were compromised in such a short period, possibly even in one go.
In terms of social engineering, the attackers have hit on a near-ideal setup. Unless they have seen security vendor reports, users have no reason to distrust these sites, most of which were legitimate and safe before this incident. Among the most-visited compromised sites are fashion sites, some adult-content sites, and several online communities with varied interests. The attackers may be counting on increased traffic during the coming Italian holiday season, when users pursue more social interests beyond work or school.
The impact may grow further: the server hosting JS_DLOADER.NTJ can be updated by the attackers at any time, giving the script new capabilities or additional stealth mechanisms. A version of MPack newer than 0.86 has also been discovered and may be used together with the planted code for further malicious activity.
Trend Micro already detects all the malicious files named above and blocks the malicious URLs involved in this scheme.
Update: As of 8:22 PM (GMT+0800) June 19, 2007, we have received reports of more than 3,000 compromised sites.