
Malware Pulls an "Italian Job" 133

Posted by kdawson
from the blame-italy dept.
A number of readers sent us word about a malware attack that has been underway since Saturday that began with the compromise of more than 1,100 mostly Italian Web sites. Websense claims that more than 10,000 sites have been infected by now, 80% of them in Italy. There are indications that most of the Italian sites are resident at the same large Italian hosting provider. Trend Micro reports on the attack, which is launched from a malicious Iframe tag inserted into pages on compromised sites. For visitors to these sites, this begins a cascade of "drive-by" malware downloads if one of several targeted vulnerabilities is available and unpatched. The first page to which visitors are redirected by the Iframe hosts a recent version of Mpack attack software. Panda has a month-old report on Mpack (PDF) that provides copious detail about its nefarious ways.
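The injection the summary describes, a hidden iframe appended to otherwise legitimate pages that pulls an exploit-kit page from a foreign host, is something a hosting operator can look for directly in the document roots it serves. The scanner below is an added example, not code from the story or from Websense, Trend Micro or Panda; it flags iframes that are sized to be invisible, styled away, or that load from a host outside an allowlist. The sample page, the allowlist and the hostnames (`example-site.it`, `exploit-kit.invalid`) are constructed placeholders.

```python
"""Flag hidden or foreign <iframe> tags in HTML, the injection pattern of
the drive-by attack described above.  Added example: not code from the
story or from Websense / Trend Micro / Panda.  Hostnames are constructed
placeholders."""
import re
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts the site is expected to embed content from (constructed allowlist).
TRUSTED_HOSTS = {"example-site.it", "www.example-site.it"}


def _px(value: str):
    """Leading integer of a width/height attribute ("0", "1px"), else None."""
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def _is_hidden(attrs: dict) -> bool:
    """Tiny (<= 1px) frames or display:none / visibility:hidden styling."""
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html: str, trusted=TRUSTED_HOSTS):
    """Return [(src, [reasons...])] for iframes worth a closer look."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden")
        if host and host not in trusted:
            reasons.append("external host " + host)
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_tree(root: str, trusted=TRUSTED_HOSTS):
    """Scan every .htm/.html/.php file under root; returns {path: findings}."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in {".htm", ".html", ".php"} and path.is_file():
            found = find_suspicious_iframes(
                path.read_text(errors="replace"), trusted)
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample: one legitimate frame plus an injected 0x0 hidden one.
SAMPLE_PAGE = """<html><body>
<h1>Benvenuti</h1>
<iframe src="https://www.example-site.it/news.html" width="600" height="400"></iframe>
<p>contenuto della pagina</p>
<iframe src="http://exploit-kit.invalid/in.cgi" width="0" height="0"
        style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"{src}: {', '.join(why)}")
```

Run `scan_tree("/var/www")` (or whatever the document root is) from cron and diff the result against the previous run; a new hit on a page nobody edited is the signal the summary is talking about. The allowlist matters: a site that legitimately embeds third-party frames needs those hosts listed, or every page will show up as a finding.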
  • by Anonymous Coward on Monday June 18, 2007 @11:12PM (#19560373)
    This malware probably just affected a single DreamHost shared server, thus bringing down 10,000+ sites at once.

    But this method of artificial number inflating is to be expected from an industry trying to promote their anti-malware, anti-virus, anti-spyware, anti-trojan, anti-anti-virus, anti-rootkit products. Anyone actually requiring these craplets to be installed on their dedicated servers has a much larger problem between the keyboard and the monitor to worry about.
    • Re: (Score:3, Insightful)

      by siddesu (698447)
      you're right to an extent, but still, if you are a site owner, and if your site is making money for you (or if you are a site user, and are delivering benefits from the said site) little would you care if you're co-hosted or not. the days when putting up a site meant l33t skillz and buying a server seem long gone. the fact that sites are hosted on one server (and it may be a big server) doesn't make the problem smaller to the owners and the users.

      and, incidentally, imho software companies should be liable f
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        and, incidentally, imho software companies should be liable for trouble created by their software as the hosting companies are.

        Never will happen.

        The software vendors cannot control what 3rd party software run with their software -- not even a pure 'monoculture' PC from the OS up.

        Hence the usual longwinded boilerplate EULAs that REALLY only say 3 things:

        1) Do redistribute our software.
        2) Do not reverse engineer our software.
        3) This software is "AS IS". Use it at your own risk. We are not responsible for an
      • by tinkertim (918832) * on Tuesday June 19, 2007 @02:42AM (#19561875) Homepage

        and, incidentally, imho software companies should be liable for trouble created by their software as the hosting companies are.

        There are many web hosting companies and some of them negate their responsibility to Internet users at large.

        The web hosting industry does not get much attention from free software developers. This is broadly because they want to insist that anything they spend money on developing not be usable by their competition. As such, no company (under the terms of the GPL) may make any developer sign any kind of non disclosure agreement for the purposes of receiving GPL code.

        The web hosting industry is stuck in a rut of its own design. It uses software that it can't modify to meet its real security needs because nothing exists free that has all of the working features that their customers demand.

        This is the problem, this will continue to be the problem for quite some time. Even if a free control panel and billing system were released that they find suitable it would only be after perhaps a couple years of development and testing.

        Sad, but true. The industry is making us all a victim of its success. It sells the use of GNU/Linux computers pocketing all profits and only giving back to companies that produce software that is not free... totally against the tit-for-tat that made it such a lucrative market to begin with.

        You're right, but you left out some stuff. :) I'm part of that industry, but only one of very few people who speak out against the practice and remain able to eat and pay bills.
    • to my knowledge, dreamhost isn't italian.
    • by antic (29198) on Tuesday June 19, 2007 @12:56AM (#19561111)
      A big, usually decent hosting company in the US that I use was getting done over by this - I had 10-20 sites infiltrated over a period of a few weeks, in 2-3 waves using two slightly different techniques. The host denied any responsibility or knowledge, saying that poor FTP passwords were the entry point. My computer was not the issue as those sites hacked were all on this host - no sites on any of the other 5 or more hosts I use were impacted, regardless of the strength of their passwords.

      Trivial passwords (single English word of five characters) were guessed as well as slightly more complicated ones (non-English words, eight characters, random numbers inserted).

      It appeared to me that were the host NOT the problem, that bots might have been guessing the passwords through brute force? I searched the net seeing if I could find more information about these attacks, but there wasn't much out there, especially given that there wasn't much to search on besides the fact that they used an IFRAME or JavaScript DeCode function, and a probably random set of IP addresses.

      Anyone know more about it all?
      • by ricotest (807136)
        If it was brute force, the host is still at fault - virtually every provider out there has a login attempt limit for FTP connections, and you'd think thousands upon thousands of failed logins would show up on their logs.
        • by antic (29198)
          When I suggested that that should be happening, they didn't really have any response - surely if they did, they would've mentioned it?

          So, if that were the case and it took a certain level of effort to get past low-medium level passwords, then realistically it's just a matter of time before tougher (12-15 randomised characters) passwords get done?
      • Anyone know more about it all?

        It would help if you actually identified the hosting company. One "big, usually decent hosting company" that I am familiar with, that hosts about 3,000 sites per server, had at one time a password-hash file that was readable by anyone with an account on the server. All you had to do was download the file and run a password cracker on it and you could recover a large number of user passwords. I warned them about this 10 years ago. They thanked me and did nothing. It may
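ricotest's point above, that a login-attempt limit should exist and that thousands of failed FTP logins would show in the host's logs, is easy to check from the provider side. The detector below is an added example, not code from any commenter or hosting company; it keeps a sliding window of failures per client address and raises an alert once a threshold is crossed, recording which usernames were tried. The log lines are constructed and follow the shape of vsftpd's `LOGIN` records, with documentation-range addresses.

```python
"""Sliding-window FTP brute-force detector.  Added example (not from any
commenter or hosting provider); the log lines are constructed and follow
the shape of vsftpd's LOGIN records, with documentation-range addresses."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# e.g. Mon Jun 18 23:12:01 2007 [pid 4110] [web01] FAIL LOGIN: Client "203.0.113.7"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<ip>[^"]+)"'
)


def parse_line(line: str):
    """(timestamp, user, 'OK'|'FAIL', client ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    ip = m["ip"]
    if ip.startswith("::ffff:"):        # IPv4-mapped form some builds log
        ip = ip[len("::ffff:"):]
    return ts, m["user"], m["result"], ip


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag a client once it has >= threshold failed logins inside window.

    Returns {ip: (time of the triggering failure, sorted usernames tried)}.
    A per-IP deque keeps only failures still inside the window, so a slow
    guesser that stays under threshold-per-window never trips the alert;
    lower the threshold or widen the window to catch that case.
    """
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    tried = defaultdict(set)        # ip -> usernames seen in failures
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, result, ip = parsed
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while q and ts - q[0] > window:     # drop failures outside window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, sorted(tried[ip]))
    return alerts


# Constructed sample log: one address hammering two accounts, one user
# who mistypes once and then logs in normally.
SAMPLE_LOG = """\
Mon Jun 18 23:12:01 2007 [pid 4110] [web01] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 18 23:12:03 2007 [pid 4111] [web01] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 18 23:12:04 2007 [pid 4112] [web02] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 18 23:12:06 2007 [pid 4113] [web02] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 18 23:12:09 2007 [pid 4114] [web01] FAIL LOGIN: Client "203.0.113.7"
Mon Jun 18 23:13:40 2007 [pid 4120] [marco] FAIL LOGIN: Client "198.51.100.4"
Mon Jun 18 23:13:52 2007 [pid 4121] [marco] OK LOGIN: Client "198.51.100.4"
Mon Jun 18 23:14:01 2007 [pid 4125] [web03] FAIL LOGIN: Client "203.0.113.7"
"""

if __name__ == "__main__":
    for ip, (when, users) in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{when} brute force from {ip}, accounts tried: {users}")
```

The same loop feeds a block list (fail2ban does essentially this against the same log) or a ticket to the customer whose accounts appear in `tried`. Note that the detector keys on the source address; an attacker spreading guesses across many addresses stays under the per-IP threshold, which is why a per-account failure count is worth tracking alongside it.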

    • Re: (Score:3, Interesting)

      by justinlee37 (993373)

      between the keyboard and the monitor to worry about.

      Did you mean between the keyboard and the chair? Because all I see between my keyboard and my monitor is a desk with a dirty shot glass, a lighter, a knife, a case screw, two dimes, two empty cups of hot sauce, an open bottle of safeway-brand "personal lubricating liquid", and a bag of grass ...

      So you may be able to understand how I'm totally lost here.

      • The keyboard and the monitor are the interface ports for a self-repairing, hydrocarbon powered, 100W device that closes the feedback loop.
      • by tehcyder (746570)

        Because all I see between my keyboard and my monitor is a desk with a dirty shot glass, a lighter, a knife, a case screw, two dimes, two empty cups of hot sauce, an open bottle of safeway-brand "personal lubricating liquid", and a bag of grass ...
        You forgot to mention the packet of tissues.
        • You forgot to mention the packet of tissues.

          I live in a studio apartment. There's a paper towel rack on the other side of the room.

    • ya i totally agree with you. thanx for such good info.
    • Where did TFA mention DreamHost? Their servers are in LA...?
  • Queso scan (Score:1, Funny)

    by ozmanjusri (601766)
    A queso scan identified the machines used to compromise the servers as Mac Minis...
  • Mafia spam? (Score:5, Funny)

    by Tablizer (95088) on Tuesday June 19, 2007 @12:36AM (#19560995) Homepage Journal
    As a sign of this, I just got a spam that insisted I purchase a lower mortgage, along with a photo of a horse head.
    • by Afecks (899057)

      As a sign of this, I just got a spam that insisted I purchase a lower mortgage, along with a photo of a horse head.

      Was it one of these? [kropserkel.com]
  • Self Preservation Society...

    "You're only supposed to blow the bloody doors off!"

  • by Animats (122034) on Tuesday June 19, 2007 @01:10AM (#19561239) Homepage

    Note that Trend Micro never uses the word "Microsoft". That's deceptive. How does Microsoft manage that? This attack depends entirely on vulnerabilities in Internet Explorer and Microsoft Media Player. It does try to attack Firefox and Opera browsers by sending them Windows Media files, but doesn't have a direct attack on either browser.

    So:

    1. Use Firefox.
    2. Go to Tools->Options->Content->Manage File Types. Go down the list, and remove or change all entries that automatically invoke Microsoft applications. (Use OpenOffice for .doc, .xls, and .ppt, maybe QuickTime for video files.)
    • by corsec67 (627446)
      Note that Trend Micro never uses the word "Microsoft".

      That is because to most people "computer" means something running Microsoft Windows. Saying that computers running Windows were involved would be like saying "the accident involved cars with internal combustion engines." That, and reporters don't really care about educating their readers, they just care about making the publication money.

      And that is my bad attempt at an automotive analogy.

    • by weicco (645927) on Tuesday June 19, 2007 @02:05AM (#19561611)

      Even simpler:

      1. Run Windows Update
      • I booted my Thinkpad into Windows the other day, and it did this automatically, and then told me I needed to reboot to complete the installation.

        I'm still trying to figure out how it managed it without being connected to a network...

    • by FudRucker (866063)
      In light of Microsoft's inability to build a secure system and application, users' refusal to switch to a more secure system (BSD, Linux) is about the same as refusing to get off the railroad tracks knowing a freight train is about to run you over...
  • What web servers are vulnerable? Been looking around but can't see anywhere anything about the type of web server being infected.
  • Tiscali? (Score:3, Informative)

    by flokemon (578389) <florence@nOSPaM.hotbox.ru> on Tuesday June 19, 2007 @04:27AM (#19562343) Homepage
    From the article:
    "Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy."

    Why would I not be surprised if Tiscali's webservers were somehow to blame?...

  • ...mojo-rific Italian Job with Quincy Jones producing it, or the lame up-to-date any-excuse-to-sell-a-video-game version?
  • by Comboman (895500) on Tuesday June 19, 2007 @08:23AM (#19563459)
    ...I was hoping for a story about a malware attack that involved the use of Michael Caine and numerous Minis.
  • Not completely on-topic but hey, it does not warrant a full "ask slashdot" and I've been struggling with this for a couple of days now ...

    I've been hit with win32.Perlovga.A on a secondary computer through an infected USB key. That machine had no anti-virus and autorun was at that time enabled (stupid). This particular crapware saves two EXE files (copy.exe and host.exe) and an autorun.inf that executes copy.exe to the root of each volume. When the infected USB key was plugged in, it loaded the malware.

    I
    • Re: (Score:1, Informative)

      by Anonymous Coward
      It seems that in your situation the best approach would be to use a liveCD to remove any remnants. One possible security focused CD is http://www.inside-security.de/insert_en.html [inside-security.de]

      Ideally, this would be burned from a computer known to be unaffected.
      • Awesome!

        I hadn't realized that the UBCD full comes with INSERT. Will try it out later today, thanks for the tip ;)
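The layout described in the post above (an `autorun.inf` at the volume root whose `open` entry points at an executable dropped beside it) can be checked for before a removable volume is trusted, and it is a useful thing to run from a clean machine when cleaning up. The inspector below is an added example, not code from the poster or any anti-virus vendor; `build_sample_volume` writes a constructed copy of that layout (placeholder bytes, not real executables) into a temporary directory so the check runs offline, and `demo` ties the two together.

```python
"""Inspect a volume root for an autorun.inf that launches executables
dropped beside it, the USB propagation pattern described above.  Added
example, not code from the poster or any vendor; the sample volume is
constructed in a temporary directory with placeholder files."""
import configparser
import sys
import tempfile
from pathlib import Path

# [autorun] keys that cause something to execute on insertion or open.
LAUNCH_KEYS = ("open", "shellexecute")


def inspect_volume(root):
    """Return [(key, target, target_exists_in_root)] for launch entries.

    An empty list means no autorun.inf or no launch entries.  A single
    ("parse-error", message, False) entry means the file could not be
    parsed at all, which on a plain data stick is itself worth a look.
    """
    root = Path(root)
    inf = root / "autorun.inf"
    if not inf.is_file():
        return []
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        cp.read_string(inf.read_text(errors="replace"))
    except configparser.Error as exc:
        return [("parse-error", str(exc), False)]
    # configparser section names are case-sensitive; autorun.inf is not.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    findings = []
    for key, value in cp.items(section):          # keys are lowercased
        if key in LAUNCH_KEYS or key.startswith("shell\\"):
            value = value.strip()
            target = value.split()[0].strip('"') if value else ""
            findings.append((key, target, (root / target).is_file()))
    return findings


def build_sample_volume(directory):
    """Write the constructed copy.exe / host.exe / autorun.inf layout."""
    d = Path(directory)
    placeholder = b"MZ placeholder bytes, not a real executable"
    (d / "copy.exe").write_bytes(placeholder)
    (d / "host.exe").write_bytes(placeholder)
    (d / "autorun.inf").write_text(
        "[AutoRun]\nopen=copy.exe\nshellexecute=host.exe\nicon=copy.exe\n")
    return d


def demo(infected=True):
    """Build (or not) the sample volume in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        if infected:
            build_sample_volume(tmp)
        return inspect_volume(tmp)


if __name__ == "__main__":
    roots = sys.argv[1:]            # e.g. E:\ or /media/usb on a clean box
    results = {r: inspect_volume(r) for r in roots} if roots else {"demo": demo()}
    for root, found in results.items():
        for key, target, present in found:
            status = "present in root" if present else "missing"
            print(f"{root}: {key}={target} ({status})")
```

A hit where the target is present in the root is exactly the self-propagating layout the poster saw; a hit where it is missing usually means the payload was already removed but the `.inf` was left behind, and the stick should still be treated as dirty until the file is gone. Keeping autorun disabled on the inspecting machine is what makes running this safe.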
  • OK, I don't get it. So how exactly did this virus mess up the traffic lights in Rome?

"Trust me. I know what I'm doing." -- Sledge Hammer

Working...