Slashdot Log In
Malware Pulls an "Italian Job"
Posted by
kdawson
on Mon Jun 18, 2007 10:02 PM
from the blame-italy dept.
from the blame-italy dept.
A number of readers sent us word about a malware attack that has been underway since Saturday that began with the compromise of more than 1,100 mostly Italian Web sites. Websense claims that more than 10,000 sites have been infected by now, 80% of them in Italy. There are indications that most of the Italian sites are resident at the same large Italian hosting provider. Trend Micro reports on the attack, which is launched from a malicious Iframe tag inserted into pages on compromised sites. For visitors to these sites, this begins a cascade of "drive-by" malware downloads if one of several targeted vulnerabilities is available and unpatched. The first page to which visitors are redirected by the Iframe hosts a recent version of Mpack attack software. Panda has a month-old report on Mpack (PDF) that provides copious detail about its nefarious ways.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
I wish they'd count "servers" and not "sites" (Score:5, Interesting)
But this method of artificial number inflating is to be expected from an industry trying to promote their anti-malware, anti-virus, anti-spyware, anti-trojan, anti-anti-virus, anti-rootkit products. Anyone actually requiring these craplets to be installed on their dedicated servers have a much larger problem between the keyboard and the monitor to worry about.
Re:I wish they'd count "servers" and not "sites" (Score:5, Insightful)
(http://echoreply.us/)
There are many web hosting companies and some of them negate their responsibility to Internet users at large.
The web hosting industry does not get much attention from free software developers. This is broadly because they want to insist that anything they spend money on develping not be usable by their competition. As such, no company (under the terms of the GPL) may make any developer sign any kind of non disclosure agreement for the purposes of receiving GPL code.
The web hosting industry is stuck in a rut of its own design. It uses software that it can't modify to meet its real security needs because nothing exists free that has all of the working features that their customers demand.
This is the problem, this will continue to be the problem for quite some time. Even if a free control panel and billing system were realsed that they find suitable it would only be after perhaps a couple years of development and testing.
Sad, but true. The industry is making us all a victim of its success. It sells the use of GNU/Linux computers pocketing all profits and only giving back to companies that produce software that is not free.. totally against the tit-for-tat that made it such a lucrative market to begin with.
You're right, but you left out some stuff.
Re:I wish they'd count "servers" and not "sites" (Score:5, Informative)
Trivial passwords (single English word of five characters) were guessed as well as slightly more complicated ones (non-English words, eight characters, random numbers inserted).
It appeared to me that were the host NOT the problem, that bots might have been guessing the passwords through brute force? I searched the net seeing if I could find more information about these attacks, but there wasn't much out there, especially given that there wasn't much to search on besides the fact that they used an IFRAME or JavaScript DeCode function, and a probably random set of IP addresses.
Anyone know more about it all?
Queso scan (Score:1, Funny)
(Last Journal: Wednesday October 24, @03:50AM)
Mafia spam? (Score:5, Funny)
(http://www.geocities.com/tablizer | Last Journal: Saturday March 15 2003, @01:22PM)
This is the... (Score:1)
(Last Journal: Sunday July 18 2004, @01:51AM)
"You're only supposed to blow the bloody doors off!"
It's all Microsoft vulnerabiltiies (Score:5, Informative)
(http://www.animats.com)
Note that Trend Micro never uses the word "Microsoft". That's deceptive. How does Microsoft manage that? This attack depends entirely on vulnerabilities in Internet Explorer and Microsoft Media Player. It does try to attack Firefox and Opera browsers by sending them Windows Media files, but doesn't have a direct attack on either browser.
So:
Re:It's all Microsoft vulnerabiltiies (Score:5, Insightful)
Even simplier:
What web servers are vulnerable? (Score:1)
Tiscali? (Score:3, Informative)
(http://flokemon.blogspot.com/)
"Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy."
Why would I not be surprised if Tiscali's webservers were somehow to blame?...
Is this the... (Score:1)
(Last Journal: Wednesday January 03 2007, @05:01PM)
After the title... (Score:3, Funny)
A malware question to the comunity (Score:2)
I've been hit with win32.Perlovga.A on a secondary computer through an infected USB key. That machine had no anti-virus and autorun was at that time enabled (stupid). This particular crapware saves two EXE files (copy.exe and host.exe) and an autorun.inf that executes copy.exe to the root of each volume. When the infected USB key was plugged-in, it loaded the mallware.
I removed all instances of the mallware itself, all is clean and nice, except for:
There seems to be some rootkit left behind because if I extract those two EXE files from where I saved them, they don't show-up in the filesystem unless I boot in safe mode, although nothing gets loaded in memory at this point.
Rootkit Revealer does not show anything suspicious, and AutoRuns shows way too much information and nothing that strikes me as odd.
Anyone has more experience with this one? I will really like to understand what it had done
Cheers!
k
Italian Job? I'm confused (Score:2)
Re:Why do they never come right out and say... (Score:4, Funny)
Re: Viruses/Viri/Virii (Score:5, Informative)
Yes, viri/virii is incorrect (for now), but when the vast majority of us don't RTFA (or can't, due to the
Re: Viruses/Viri/Virii (Score:4, Informative)
But I agree with you, virii is both bad English and bad Latin.
Re:Super Mario Malware! (Score:1)
Re:Because it's all... (Score:1, Troll)
(http://255.255.255.255/)
Re:Why do they never come right out and say... (Score:4, Insightful)
(http://www.daychilde.com/)
The day your favorite OS dominates the market, it'll be pwned, don't you worry. And I say this as 1) a Firefox fan, hoping that it never gets to be the majority browser for precisely that reason, and 2) a fan of all the OS's. I use Windows for my desktops, Linux for my servers, and Mac sometimes to play. They all have fans, and I don't feel the need to belittle any of them to make one of the others look better. It doesn't work that way.
Hope I don't get modded down - I'm not so much flaming as ANTI-trolling if you catch what I"m trying to say. heh.
Re:Why do they never come right out and say... (Score:5, Insightful)
If market share is any indication to being pwned; then why isn't Apache attacked more that IIS? According to Netcraft Apache has 53.76% of the market compared to MS: 31.83%
And I say this as 1) a Firefox fan, hoping that it never gets to be the majority browser for precisely that reason, and
I personally only want FF have enough of the market; just enough to make companies follow the web standards: IE not catering to only one browser. Actually, the same applies to ODF; just enough to make companies not require a specific Office Suite.
"2) a fan of all the OS's. I use Windows for my desktops, Linux for my servers, and Mac sometimes to play."
Use what ever works for you.
Defacements.... (Score:4, Informative)
(http://www.sympato.ch/)
What the parent poster talked about was the very low amount of Apache-targeting viruses and exploits compared to those targeting IIS. Apache is the most widespread server software, but IIS is the one that gets most viruses.
And most of the time this kind of vector is used as described in current article : as a way to get control on machine to distribute malware and/or be used in a botnet.
Whereas, what you speak about - defacement - is done in most of the case, by stupid script kiddies who just use some random tool to exploits bugs (either remote execution or SQL injections) found in common PHP script (forum engines, etc.), it is mostly server independent. Apache or IIS doesn't matter as long as poor script code is present with known vulnerability. Therefore, you're very likely to find that the defacement frequence follows closely the market share of the servers.
Most of the time, the script kiddie just put "I am teh 1337 r0xx0rs !" in the front page. You can't do much with a compromised script (you can't start a IRC server, put a zombie bot, a full mail server for spitting spam or use it as a starting point to infect other servers in the vicinity).
Re:Why do they never come right out and say... (Score:5, Informative)
The summary and linked articles don't even say that. Only Panda's MPack report, a dozen pages in, starts to list the actual vulnerabilities targetted. Which are IE, WMP and one Opera bug. However, the malware is actually modular in which new vulnerabilities can be plugged in, so this isn't static, and they say new versions come out about once a month.
Nevertheless, unless the WMP vulnerability works on multiple browsers, it's just Windows IE (duh) and Opera. No mention of Linux, Mac or Firefox I saw.
Re:Why do they never come right out and say... (Score:4, Informative)
" 1) A Trojanised WMF File (Downloader)
2) ActiveX/OCX File (dropper)
The downloaded malware, when executed, installs
1) A rootkit "
Most of the world is in denial about the whole security issue surrounding
Windows. Even some of the postage on
*want* to know, that's why they don't post it.
[*] - http://blog.trendmicro.com/italian-job-vs-italian
Re:Why do they never come right out and say... (Score:4, Insightful)
Everytime some vulnerability is found, someone shouts about not using Windows, especially these Apple lovers. Come on guys, can we stop this? These so called malwares target novice users, not Slashdot users. Tell me a single alternative your mom can use and I will take it. The so called alternatives are either too_expensive (suggest your mom to shell out 2K on Mac just_to_get_on_internet) or too_not_userfriendly. Why not stop beating the drum on Windows?
Re:Why do they never come right out and say... (Score:2, Insightful)
(http://www.encyclope...i_herd_u_liek_mudkip)
And if nobody gave a shit about Macs, why does Apple have a bigger market share than Toshiba and currently has the same size market share as Gateway? Oh, and Apple's market share is growing every day much faster than either of those two companies.
But maybe you're just a troll.
Re:Why do they never come right out and say... (Score:2)
Can we help it if our apps are just better written than the ones you choose to use?
You misspelled truth (Score:1)
YES (Score:2)
(http://youtube.com/watch?v=FCDJ0jhWKno | Last Journal: Tuesday November 14 2006, @01:31PM)
Re:Because it's all... (Score:2)
(http://www.gis.net/~cht)
For an OS supposedly open and free and for "The People", the aforementioned "STFU n00b" is endemic.