Here’s a sample screenshot of the IFRAME tag:
Most of the legitimate Web sites that were compromised by the malware authors are related to tourism, automotive industry, movies and music, tax and employment services, some Italian city councils, and hotels sites. Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy.
Below is a sample screenshot of a compromised Web site:
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user’s temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.
A diagram of the attack scenario is found below:
Another important factor in this Italian attack is the involvement of the malware toolkit Mpack, specifically its version 0.86. On the IP page where the affected browser is initially redirected, an Mpack statistics page displays information on how users visiting legitimate Italian Web sites are getting redirected to the Mpack host where the download chain begins.
Multiple middlemen, in what looks like an attempt to steal information, is not new especially in this era of Web threats. Other threat incidents, some implicated in botnet investigations, have been known to use a slew of malware to deploy the entire plan of attack. However, what is especially interesting in this “Italian job” is how such a lot of the Web sites have been compromised in such a short period of time, possibly even at one go.
In terms of social engineering, it seems the authors behind this attack have come up with the perfect crime. Without the awareness gathered from security company reports, users will have no qualms accessing the said Web sites especially since most have been known to be relatively safe and legitimate prior to this incident. Among the top hacked sites are related to fashion, some have adult content, and several online communities with varied interests. It is possible that the malware authors are banking on an increase in user traffic due to the coming Italian holiday season, when users are expected to pursue more socially-inclined interests beyond work or school.
Further complications may amplify the impact of this attack, considering that the malicious server that hosts JS_DLOADER.NTJ may be updated at any given time by the malware authors, possibly giving the script new and improved capabilities, or other stealth mechanisms. Also, a newer version of MPack v.86 has been discovered, and may in fact be used in conjunction with the planted codes to perpetrate more nefarious activities.
As stated above, Trend Micro already detects all malicious codes and files, and blocks malicious URLs involved in this scheme.
Update : As of 8:22 PM (GMT +0800) June 19, 2007 we have received reports of about 3000++ compromised sites.