Malware Pulls an "Italian Job"

A number of readers sent us word about a malware attack that has been underway since Saturday that began with the compromise of more than 1,100 mostly Italian Web sites. Websense claims that more than 10,000 sites have been infected by now, 80% of them in Italy. There are indications that most of the Italian sites are resident at the same large Italian hosting provider. Trend Micro reports on the attack, which is launched from a malicious Iframe tag inserted into pages on compromised sites. For visitors to these sites, this begins a cascade of "drive-by" malware downloads if one of several targeted vulnerabilities is available and unpatched. The first page to which visitors are redirected by the Iframe hosts a recent version of Mpack attack software. Panda has a month-old report on Mpack (PDF) that provides copious detail about its nefarious ways.

I wish they'd count "servers" and not "sites"

[by Anonymous Coward]

This malware probably just affected a single DreamHost shared server, thus bringing down 10,000+ sites at once.

But this method of artificial number inflating is to be expected from an industry trying to promote their anti-malware, anti-virus, anti-spyware, anti-trojan, anti-anti-virus, anti-rootkit products. Anyone actually requiring these craplets to be installed on their dedicated servers have a much larger problem between the keyboard and the monitor to worry about.

Re:

[siddesu (698447)]

you're right to an extent, but still, if you are a site owner, and if your site is making money for you (or if you are a site user, and are delivering benefits from the said site) little would you care if you're co-hosted or not. the days when putting up a site meant l33t skillz and buying a server seem long gone. the fact that sites are hosted on one server (and it may be a big server) doesn't make the problem smaller to the owners and the users.

and, incidentally, imho software companies should be liable f

Re:

[by Anonymous Coward]

and, incidentally, imho software companies should be liable for trouble created by their software as the hosting companies are.

Never will happen.

The software vendors cannot control what 3rd party software run with their software -- not even a pure 'monoculture' PC from the OS up.

Hence the usual longwinded boilerplate EULAs that REALLY only say 3 things:

1) Do redistribute our software.
2) Do not reverse engineer our software.
3) This software is "AS IS". Use it at your own risk. We are not responsible for an

Re:I wish they'd count "servers" and not "sites"

[tinkertim (918832)]

and, incidentally, imho software companies should be liable for trouble created by their software as the hosting companies are.

There are many web hosting companies and some of them negate their responsibility to Internet users at large.

The web hosting industry does not get much attention from free software developers. This is broadly because they want to insist that anything they spend money on develping not be usable by their competition. As such, no company (under the terms of the GPL) may make any developer sign any kind of non disclosure agreement for the purposes of receiving GPL code.

The web hosting industry is stuck in a rut of its own design. It uses software that it can't modify to meet its real security needs because nothing exists free that has all of the working features that their customers demand.

This is the problem, this will continue to be the problem for quite some time. Even if a free control panel and billing system were realsed that they find suitable it would only be after perhaps a couple years of development and testing.

Sad, but true. The industry is making us all a victim of its success. It sells the use of GNU/Linux computers pocketing all profits and only giving back to companies that produce software that is not free.. totally against the tit-for-tat that made it such a lucrative market to begin with.

You're right, but you left out some stuff. :) I'm part of that industry, but only one of very few people who speak out against the practice and remain able to eat and pay bills.

Re:

[Devil's BSD (562630)]

to my knowledge, dreamhost isn't italian.

Re:I wish they'd count "servers" and not "sites"

[antic (29198)]

A big, usually decent hosting company in the US that I use was getting done over by this - I had 10-20 sites infiltrated over a period of a few weeks, in 2-3 waves using two slightly different techniques. The host denied any responsibility or knowledge, saying that poor FTP passwords were the entry point. My computer was not the issue as those sites hacked were all on this host - no sites on any of the other 5 or more hosts I use were impacted, regardless of the strength of their passwords.

Trivial passwords (single English word of five characters) were guessed as well as slightly more complicated ones (non-English words, eight characters, random numbers inserted).

It appeared to me that were the host NOT the problem, that bots might have been guessing the passwords through brute force? I searched the net seeing if I could find more information about these attacks, but there wasn't much out there, especially given that there wasn't much to search on besides the fact that they used an IFRAME or JavaScript DeCode function, and a probably random set of IP addresses.

Anyone know more about it all?

Re:

[ricotest (807136)]

If it was brute force, the host is still at fault - virtually every provider out there has a login attempt limit for FTP connections, and you'd think thousands upon thousands of failed logins would show up on their logs.

Re:

[antic (29198)]

When I suggested that that should be happening, they didn't really have any response - surely if they did, they would've mentioned it?

So, if that were the case and it took a certain level of effort to get past low-medium level passwords, then realistically it's just a matter of time before tougher (12-15 randomised characters) passwords get done?

Re:

[antic (29198)]

Like I said, just a matter of time. ;)

Previously, I had a password in the form of AAANANAA (A=alpha, N=numeric) guessed. It wasn't a dictionary word or combination of dictionary words, and the numbers were not their typical I=1, A=4 replacements. I had assumed it would be non-trivial to guess and that there would be a system in place to limit on-going login attempts, even if coming from a range of IP addresses (e.g., botnet or whatever).

Of course, even if you suspect the host, there's only so far throwing a

Re:

[Stinky Cheese Man (548499)]

Anyone know more about it all?

It would help if you actually identified the hosting company. One "big, usually decent hosting company" that I am familiar with, that hosts about 3,000 sites per server, had at one time a password-hash file that was readable by anyone with an account on the server. All you had to do was download the file and run a password cracker on it and you could recover a large number of user passwords. I warned them about this 10 years ago. They thanked me and did nothing. It may

Re:

[antic (29198)]

Some sites used scripting, MySQL, etc, most were completely dead-boring static HTML.

If it wasn't a brute force guess of the passwords, then I think you might be right about the shared server being infiltrated. If that is the case, then it's such a shame that one can get stuck in the dark because the host is too embarrassed to reveal the truth - e.g., waste days trying to research possible threats and causes.

Re:

[justinlee37 (993373)]

between the keyboard and the monitor to worry about.

Did you mean between the keyboard and the chair? Because all I see between my keyboard and my monitor is a desk with a dirty shot glass, a lighter, a knife, a case screw, two dimes, two empty cups of hot sauce, an open bottle of safeway-brand "personal lubricating liquid", and a bag of grass ...

So you may be able to understand how I'm totally lost here.

Mafia spam?

[Tablizer (95088)]

As a sign of this, I just got a spam that insisted I purchase a lower mortgage, along with a photo of a horse head.
     

Re:

[Afecks (899057)]

As a sign of this, I just got a spam that insisted I purchase a lower mortgage, along with a photo of a horse head.

Was it one of these? [kropserkel.com]

It's all Microsoft vulnerabiltiies

[Animats (122034)]

Note that Trend Micro never uses the word "Microsoft". That's deceptive. How does Microsoft manage that? This attack depends entirely on vulnerabilities in Internet Explorer and Microsoft Media Player. It does try to attack Firefox and Opera browsers by sending them Windows Media files, but doesn't have a direct attack on either browser.

So:

1. Use Firefox.
2. Go to Tools->Options->Content->Manage File Types. Go down the list, and remove or change all entries that automatically invoke Microsoft applications. (Use OpenOffice for .doc, .xls, and .ppt, maybe QuickTime for video files.)

Re:

[corsec67 (627446)]

Note that Trend Micro never uses the word "Microsoft".

That is because to most people "computer" means something running Microsoft Windows. Saying that computers running Windows were involved would be like saying "the accident involved cars with internal combustion engines." That, and reporters don't really care about educating their readers, they just care about making the publication money.

And that is my bad attempt at an automotive analogy.

Re:It's all Microsoft vulnerabiltiies

[weicco (645927)]

Even simplier:

1. Run Windows Update

Re:

[TheRaven64 (641858)]

I booted my Thinkpad into Windows the other day, and it did this automatically, and then told me I needed to reboot to complete the installation.

I'm still trying to figure out how it managed it without being connected to a network...

Tiscali?

[flokemon (578389)]

From the article:
"Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy."

Why would I not be surprised if Tiscali's webservers were somehow to blame?...

Re:

[digitaldruid (756476)]

Yes, it appears to be aruba (very popular in Italy and a little less in Spain) and according to this thread http://community.aruba.it/forums/ultimatebb.php?ub b=get_topic;f=58;t=000218 [aruba.it] the affected sites are on IIS (you can choose between windows/IIS or linux/apache hosting).

After the title...

[Comboman (895500)]

...I was hoping for a story about a malware attack that involved the use of Michael Caine and numerous Minis.

A malware question to the comunity

[Koyaanisqatsi (581196)]

Not completely on-topic but hey, it does not warrant a full "ask slashdot" and I've been struggling with this for a couple of days now ...

I've been hit with win32.Perlovga.A on a secondary computer through an infected USB key. That machine had no anti-virus and autorun was at that time enabled (stupid). This particular crapware saves two EXE files (copy.exe and host.exe) and an autorun.inf that executes copy.exe to the root of each volume. When the infected USB key was plugged-in, it loaded the mallware.

I

Re:Why do they never come right out and say...

[Daychilde (744181)]

Insightful my ass...

The day your favorite OS dominates the market, it'll be pwned, don't you worry. And I say this as 1) a Firefox fan, hoping that it never gets to be the majority browser for precisely that reason, and 2) a fan of all the OS's. I use Windows for my desktops, Linux for my servers, and Mac sometimes to play. They all have fans, and I don't feel the need to belittle any of them to make one of the others look better. It doesn't work that way.

Hope I don't get modded down - I'm not so much flaming as ANTI-trolling if you catch what I"m trying to say. heh. :P

Re:Why do they never come right out and say...

[by Anonymous Coward]

"The day your favorite OS dominates the market, it'll be pwned, don't you worry."

If market share is any indication to being pwned; then why isn't Apache attacked more that IIS? According to Netcraft Apache has 53.76% of the market compared to MS: 31.83%

And I say this as 1) a Firefox fan, hoping that it never gets to be the majority browser for precisely that reason, and

I personally only want FF have enough of the market; just enough to make companies follow the web standards: IE not catering to only one browser. Actually, the same applies to ODF; just enough to make companies not require a specific Office Suite.

"2) a fan of all the OS's. I use Windows for my desktops, Linux for my servers, and Mac sometimes to play."
Use what ever works for you.

Re:

[cyphercell (843398)]

funny how you remove one player and suddenly security comes from competition rather than third party patch professionals.

Defacements....

[DrYak (748999)]

Look into any defacement reporting site (such as zone-h.org) and look at the numbers. They vary every day, but ion average about 60% of the defacements are for linux boxes. So there you have.

What the parent poster talked about was the very low amount of Apache-targeting viruses and exploits compared to those targeting IIS. Apache is the most widespread server software, but IIS is the one that gets most viruses.

And most of the time this kind of vector is used as described in current article : as a way to get control on machine to distribute malware and/or be used in a botnet.

Whereas, what you speak about - defacement - is done in most of the case, by stupid script kiddies who just use some random tool to exploits bugs (either remote execution or SQL injections) found in common PHP script (forum engines, etc.), it is mostly server independent. Apache or IIS doesn't matter as long as poor script code is present with known vulnerability. Therefore, you're very likely to find that the defacement frequence follows closely the market share of the servers.

Most of the time, the script kiddie just put "I am teh 1337 r0xx0rs !" in the front page. You can't do much with a compromised script (you can't start a IRC server, put a zombie bot, a full mail server for spitting spam or use it as a starting point to infect other servers in the vicinity).

yes, but... what's the server running?

[advocate_one (662832)]

as far as I can tell from the pdf in TFA, the server side exploit package is relying on PHP and MySQL... so to me it generally indicates a Linux based server... although that isn't an actual given.

Re:

[advocate_one (662832)]

and in replying to myself, the exploit hosting server is most likely running Linux to provide the PHP and MySQL... the servers that are hosting the infected frames could be anything...

Re:

[Kadin2048 (468275)]

It requires one (presumably Linux-based) server to run the PHP and MySQL "backend" ... that's where the rootkits/malware are actually hosted.

Then, you go out and hack a whole bunch of other sites -- in this case, all apparently IIS-based, for reasons I won't speculate on -- and add the bad IFRAME, which points to the backend server.

Joe User visits the compromised site, which has the bad IFRAME. It points his browser to the backend, which has the rootkit-delivery software, which uses one of many known browse

Re:

[und0 (928711)]

Defacements are usually done exploiting poor coded PHP applications, not exploiting Apache bugs, FWIK...

Re:Why do they never come right out and say...

[1u3hr (530656)]

Regardless of scoring points in the OS/browser pissing competitions, I'd just like to know what OS and browser are vulnerable, so I know whether I personally have to worry about this.

The summary and linked articles don't even say that. Only Panda's MPack report, a dozen pages in, starts to list the actual vulnerabilities targetted. Which are IE, WMP and one Opera bug. However, the malware is actually modular in which new vulnerabilities can be plugged in, so this isn't static, and they say new versions come out about once a month.

Nevertheless, unless the WMP vulnerability works on multiple browsers, it's just Windows IE (duh) and Opera. No mention of Linux, Mac or Firefox I saw.

Re:Why do they never come right out and say...

[bl8n8r (649187)]

Looks like Windows*. No really. Yes again.

" 1) A Trojanised WMF File (Downloader)
    2) ActiveX/OCX File (dropper)
    The downloaded malware, when executed, installs
    1) A rootkit "

Most of the world is in denial about the whole security issue surrounding
Windows. Even some of the postage on /. is quite alarming. People don't
*want* to know, that's why they don't post it.

[*] - http://blog.trendmicro.com/italian-job-vs-italian- bizness/ [trendmicro.com]

Re:

[rbanffy (584143)]

+1 sarcastic for you.

Re:Why do they never come right out and say...

[by Anonymous Coward]

Disclaimer: I am neither a Windows fan nor an Mac hater. I use Windows *nix almost equally.

Everytime some vulnerability is found, someone shouts about not using Windows, especially these Apple lovers. Come on guys, can we stop this? These so called malwares target novice users, not Slashdot users. Tell me a single alternative your mom can use and I will take it. The so called alternatives are either too_expensive (suggest your mom to shell out 2K on Mac just_to_get_on_internet) or too_not_userfriendly. Why not stop beating the drum on Windows?

Re:

[the_womble (580291)]

Tell me a single alternative your mom can use
My father uses Mandriva. So does my wife. My four year old daughter currently uses Kubuntu.

None of them could install Linux for themselves, but they have no problems using it.

shell out 2K on Mac just_to_get_on_internet

1) A bottom of the range Mac costs nothing like that
2) Install Linux, say "this icon starts the web browser, this icon starts the email program". What is so difficult about that?

Re:

[walt-sjc (145127)]

Indeed. iMac's start at $999, mac Mini $599. iMacs are ready to go, mac mini needs a mouse, keyboard, display, which you can probably use your old PC ones. IMHO the iMac is a better deal (built in iSight too.) Claiming it costs $2K though is disingenuous - especially since that is twice what it really costs. While you can buy a cheaper dell, when you start comparing specs the Macs are quite competitive.

Re:

[laffer1 (701823)]

headless? WTF? All desktop and laptop macs have graphics cards. http://en.wikipedia.org/wiki/Headless [wikipedia.org]

Re:

[compro01 (777531)]

i agree that modern Linux distros (Ubuntu in particular) are very easy to use for day-to-day use, but it can get ugly in a big hurry when things go wrong.

granted, same thing happens with Windows, but it seems to happen more severely with Linux in my experience. i seemingly need to make use of the command line much more often in Linux problem solving than i do in windows, and while that is no problem for me, it's extremely intimidating to most users.

Re:Why do they never come right out and say...

[MadUndergrad (950779)]

Speaking of looking like a douche, it's "viruses". I'll say it again, "viruses". Not virii.

Re: Viruses/Viri/Virii

[beav007 (746004)]

From http://en.wikipedia.org/wiki/Virii [wikipedia.org]:

In the English language, the standard plural of virus is viruses. This is the most frequently occurring form of the plural, and refers to both a biological virus and a computer virus.

The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms. Their occurrence can be variously attributed to hypercorrection formed by analogy to Latin plurals such as alumni or false analogy to Latin plurals such as radii; idiosyncratic use as jargon among a group, such as computer hackers; and deliberate word play, such as on BBSs (see, e.g.: leet).

Yes, viri/virii is incorrect (for now), but when the vast majority of us don't RTFA (or can't, due to the /. effect), you can hardly expect people to figure it out all on their own ;)

Re:

[mrbluze (1034940)]

Yes, viri/virii is incorrect (for now), but when the vast majority of us don't RTFA (or can't, due to the /. effect), you can hardly expect people to figure it out all on their own ;)

If we speak of groups of virus types (that is, a species), there are different forms used depending on whether we're speaking of a family, genus, etc. (if you read the full wikipaedia article, and if you studied it in uni):

• Order: virales
• Family: viridae
• Subfamily: virinae
• Genus & Species: virus

Now the individual virus is a virion, which probably has its own possible plurals, to make matters worse.

But viruses is the correct plural for English speakers, by convention, but I remember the virulogist

Viri/Virii are wrong in any case

[nephridium (928664)]

Virus derives from the Latin word for "venom" and has the neutral gender. The Latin plural -i only applies to masculine nouns of the o-declination. The proper plural for virus, if you'd want to use the Latin form, would be vira (though afaik there is no documented usage of the pural form), all neutral gender nouns have an -a (nominative) plural.

Re:

[fbjon (692006)]

No, but dictionaries on the other hand do have some authority. Also, I think someone in the industry is as likely to use 'virii' as they are to use 'M$' or 'filez', or some other lame thing like that.

Not to mention, the "language is evolving" argument doesn't mean that just any invented word is ok to use. Language evolves over time by itself, not because we're telling it to evolve.

Re:

[digitig (1056110)]

Language evolves over time by itself, not because we're telling it to evolve.

Wow, clever language! How does it manage that, without the help of people to provide the mutation and selection? (BTW: is Esperanto the language of religious fundamentalists? It's Intelligently Designed!)

Re:

[Belacgod (1103921)]

Actually, the Latin word for "man" is Vir, not Virus.

Re: Viruses/Viri/Virii

[by Anonymous Coward]

Vir means man. Its plural is viri. Virus is a different word, a rare 2nd declension neuter, meaning (among other nasty things) 'poison'. It has no plural.

But I agree with you, virii is both bad English and bad Latin.

Re:

[AlecC (512609)]

Actually, it is a Latin word, meaning "slime". But since it is a collective noun, it probably does not have a plural, just as we rarely refer to "slimes". It is probably thiord declension, in which case the plural is virus, rather than first, which would give virii.

Re:

[svunt (916464)]

You silly man. Octopus is GREEK octo=eight pus=foot, so octopuses is fine, or octopodes would sort of work too (podes=feet), but only sorta.

Re:

[WhatAmIDoingHere (742870)]

How does using a different brand of computer make you a "douche"? I think it's the average mac user themselves who think that because they own a Mac they're superior. Actually, I think they thought that before they even got the Mac. I'm a recent switcher, 6 months now, and I don't think I'm any more of a douche than I was before. I'm not a hippy and I'm not artistic, I just like it because it's something I've never used before and it does just about everything I need to do and it's more stable/easier to

Re:

[solitas (916005)]

It ain't the platform - it's the application: if you want to use an app that "lifts its skirts" for every intrusion probe that comes along then that's YOUR business.

Can we help it if our apps are just better written than the ones you choose to use? :)