Malware Pulls an "Italian Job"
A number of readers sent us word about a malware attack that has been underway since Saturday that began with the compromise of more than 1,100 mostly Italian Web sites. Websense claims that more than 10,000 sites have been infected by now, 80% of them in Italy. There are indications that most of the Italian sites are resident at the same large Italian hosting provider. Trend Micro reports on the attack, which is launched from a malicious Iframe tag inserted into pages on compromised sites. For visitors to these sites, this begins a cascade of "drive-by" malware downloads if one of several targeted vulnerabilities is available and unpatched. The first page to which visitors are redirected by the Iframe hosts a recent version of Mpack attack software. Panda has a month-old report on Mpack (PDF) that provides copious detail about its nefarious ways.
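The summary describes the injection vector (an Iframe tag inserted into pages on compromised sites that redirects visitors to the exploit kit) and a later comment mentions an obfuscated JavaScript decode routine. An added example, not taken from the story or from any of the vendors' reports, of how a site operator could audit their own pages for the tell-tale signs: iframes pointing off-site, zero-sized or hidden iframes, and script bodies that decode themselves before running. The two sample pages, the hostnames and the `audit_page` function are all constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not real captured content). The first is an
# ordinary page that legitimately embeds a same-site iframe; the second
# carries an injected hidden iframe plus a self-decoding script.
CLEAN_PAGE = """<html><body>
<h1>Ristorante Esempio</h1>
<iframe src="https://www.example-hosting.test/menu.html" width="600" height="400"></iframe>
</body></html>"""

INJECTED_PAGE = """<html><body>
<h1>Ristorante Esempio</h1>
<iframe src="http://malicious.example/loader.html" width="0" height="0" style="visibility:hidden"></iframe>
<script>eval(unescape("%76%61%72%20%78%3d%31"))</script>
</body></html>"""

# Heuristics for obfuscated loaders: code that decodes a string and then
# evaluates or writes it into the page.
OBFUSCATION_RE = re.compile(
    r"(eval\s*\(\s*unescape|document\.write\s*\(\s*unescape|String\.fromCharCode)", re.I)
HIDDEN_STYLE_RE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel, the usual size of a drive-by iframe."""
    if value is None:
        return False
    digits = re.sub(r"[^0-9]", "", value)
    return digits.isdigit() and int(digits) <= 1


class IframeAuditor(HTMLParser):
    """Collects suspicious iframe and script elements from one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self._check_iframe(a)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands us the raw script body as one data chunk.
        if self._in_script and OBFUSCATION_RE.search(data):
            self.findings.append(("obfuscated_script", data.strip()[:60]))

    def _check_iframe(self, a):
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("external_host")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero_size")
        if HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("hidden_style")
        if reasons:
            self.findings.append(("iframe", src, tuple(reasons)))


def audit_page(html, site_host):
    """Return a list of findings for one page; an empty list means nothing suspicious was seen."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, audit_page(page, "www.example-hosting.test"))
```

Run against a crawl of one's own site, a non-empty result for a page that should not contain any iframe at all is the strongest signal; the external-host check alone will also flag legitimate embeds (video players, ad networks), so it is best read together with the size and style flags.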
Re: Viruses/Viri/Virii (Score:5, Informative)
Yes, viri/virii is incorrect (for now), but when the vast majority of us don't RTFA (or can't, due to the
Re:I wish they'd count "servers" and not "sites" (Score:5, Informative)
Trivial passwords (single English word of five characters) were guessed as well as slightly more complicated ones (non-English words, eight characters, random numbers inserted).
It appeared to me that, were the host NOT the problem, bots might have been guessing the passwords through brute force. I searched the net to see if I could find more information about these attacks, but there wasn't much out there, especially given that there wasn't much to search on besides the fact that they used an IFRAME or JavaScript DeCode function, and a probably random set of IP addresses.
Anyone know more about it all?
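The poster above suspects that trivial FTP passwords were guessed by bots, possibly from a changing set of source addresses. An added example, not from the poster or from any of the linked reports, of the detection logic a hosting provider could run over its login logs: it flags a burst of failures from one client, a successful login that directly follows a run of failures from the same client (the "guessed password" case), and failures for one account arriving from several distinct addresses inside the window (the distributed case a per-IP counter misses). The log format, timestamps, account names and addresses are constructed for this illustration and are not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines loosely modelled on an FTP daemon's login log
# (not a real capture; the addresses are from documentation ranges).
SAMPLE_LOG = """\
2007-06-16 02:10:01 FAIL LOGIN user=ristorante client=203.0.113.7
2007-06-16 02:10:02 FAIL LOGIN user=ristorante client=203.0.113.7
2007-06-16 02:10:02 FAIL LOGIN user=ristorante client=203.0.113.7
2007-06-16 02:10:03 FAIL LOGIN user=ristorante client=203.0.113.7
2007-06-16 02:10:04 FAIL LOGIN user=ristorante client=203.0.113.7
2007-06-16 02:10:05 OK LOGIN user=ristorante client=203.0.113.7
2007-06-16 02:30:00 FAIL LOGIN user=webmaster client=198.51.100.9
2007-06-16 04:00:00 FAIL LOGIN user=admin client=192.0.2.11
2007-06-16 04:00:30 FAIL LOGIN user=admin client=192.0.2.12
2007-06-16 04:01:00 FAIL LOGIN user=admin client=192.0.2.13
2007-06-16 09:15:00 OK LOGIN user=webmaster client=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+ \S+) (FAIL|OK) LOGIN user=(\S+) client=(\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, client_ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def _expire(queue, now, window, key):
    """Drop entries older than the sliding window from the left of the deque."""
    while queue and now - key(queue[0]) > window:
        queue.popleft()


def detect_bruteforce(log_text, fail_threshold=5, success_after=3,
                      distinct_ip_threshold=3, window=timedelta(minutes=10)):
    """Scan log lines in order and return a list of alert tuples.

    ('burst', ip, n)                     n failures from one client inside the window
    ('success_after_failures', ip, user, n)  a login succeeded right after n failures from that client
    ('distributed', user, n_ips)         failures for one account from n_ips distinct clients
    """
    per_ip = defaultdict(deque)    # ip   -> failure timestamps inside the window
    per_user = defaultdict(deque)  # user -> (timestamp, ip) of failures inside the window
    reported = set()               # so each burst / distributed pattern is raised once
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        ip_q, user_q = per_ip[ip], per_user[user]
        _expire(ip_q, ts, window, key=lambda t: t)
        _expire(user_q, ts, window, key=lambda e: e[0])
        if result == "FAIL":
            ip_q.append(ts)
            user_q.append((ts, ip))
            if len(ip_q) >= fail_threshold and ("burst", ip) not in reported:
                alerts.append(("burst", ip, len(ip_q)))
                reported.add(("burst", ip))
            sources = {src for _, src in user_q}
            if len(sources) >= distinct_ip_threshold and ("distributed", user) not in reported:
                alerts.append(("distributed", user, len(sources)))
                reported.add(("distributed", user))
        else:
            # A success that closes a run of failures is the case worth a human look.
            if len(ip_q) >= success_after:
                alerts.append(("success_after_failures", ip, user, len(ip_q)))
            ip_q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure for `webmaster` followed by a success seven hours later produces nothing, which is the intended behaviour: one typo and a later correct login should not page anyone. Thresholds and the window are parameters so they can be tuned to the volume of a shared hosting platform.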
Re:Why do they never come right out and say... (Score:5, Informative)
The summary and linked articles don't even say that. Only Panda's MPack report, a dozen pages in, starts to list the actual vulnerabilities targeted. Which are IE, WMP and one Opera bug. However, the malware is actually modular, so new vulnerabilities can be plugged in; this isn't static, and they say new versions come out about once a month.
Nevertheless, unless the WMP vulnerability works on multiple browsers, it's just Windows IE (duh) and Opera. No mention of Linux, Mac or Firefox I saw.
It's all Microsoft vulnerabilities (Score:5, Informative)
Note that Trend Micro never uses the word "Microsoft". That's deceptive. How does Microsoft manage that? This attack depends entirely on vulnerabilities in Internet Explorer and Microsoft Media Player. It does try to attack Firefox and Opera browsers by sending them Windows Media files, but doesn't have a direct attack on either browser.
So:
Re: Viruses/Viri/Virii (Score:4, Informative)
But I agree with you, virii is both bad English and bad Latin.
Defacements.... (Score:4, Informative)
What the parent poster talked about was the very low number of Apache-targeting viruses and exploits compared to those targeting IIS. Apache is the most widespread server software, but IIS is the one that gets the most viruses.
And most of the time this kind of vector is used as described in the current article: as a way to get control of machines to distribute malware and/or be used in a botnet.
Whereas what you speak about - defacement - is done in most cases by stupid script kiddies who just use some random tool to exploit bugs (either remote execution or SQL injection) found in common PHP scripts (forum engines, etc.); it is mostly server independent. Apache or IIS doesn't matter as long as poor script code with a known vulnerability is present. Therefore, you're very likely to find that the defacement frequency closely follows the market share of the servers.
Most of the time, the script kiddie just puts "I am teh 1337 r0xx0rs !" on the front page. You can't do much with a compromised script (you can't start an IRC server, put up a zombie bot or a full mail server for spitting out spam, or use it as a starting point to infect other servers in the vicinity).
Tiscali? (Score:3, Informative)
"Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy."
Why would I not be surprised if Tiscali's webservers were somehow to blame?...
Re:Why do they never come right out and say... (Score:4, Informative)
" 1) A Trojanised WMF File (Downloader)
2) ActiveX/OCX File (dropper)
The downloaded malware, when executed, installs
1) A rootkit "
Most of the world is in denial about the whole security issue surrounding
Windows. Even some of the postage on
*want* to know, that's why they don't post it.
[*] - http://blog.trendmicro.com/italian-job-vs-italian
Re:A malware question to the community (Score:1, Informative)
Ideally, this would be burned from a computer known to be unaffected.