Trend Micro warns of fast-moving web threat spreading from thousands of compromised web domains and URLs in Italy and around the world

Published June 19th, 2007 - 10:28 GMT
Al Bawaba

Latest web-idemic discovered this weekend relies on common website "iFrame" vulnerability to inject malicious code into otherwise legitimate websites
Trend Micro Incorporated (TSE: 4704), a leader in network antivirus and content security software and services, today announced the accelerating infection over the weekend in Italy of seemingly legitimate web pages loaded with malicious code that could plant a keylogger to steal user passwords, or turn computers into proxy servers for various other attacks.
Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat, simply as a result of their normal web surfing. The initial HTML malware takes advantage of a vulnerability in so-called "iFrames", which are commonly used on websites and commonly exploited. Trend Micro researchers believe it was probably an automated attack at the outset, created with a Trojan-making kit.
On the host to which the affected browser is first redirected, the malware toolkit's statistics page shows how users visiting legitimate Italian websites are being redirected to the host from which the download chain begins.
The initial outbreak infected visitors to thousands of largely legitimate websites based in Italy, causing problems worldwide. “The Middle East has experienced rapid uptake of web use and access to computers, yet awareness of web threats has lagged some way behind,” said Justin Doo, Managing Director, Trend Micro Middle East and Africa. “At times like this computer users in the region are particularly vulnerable.”
Currently, Trend Micro HouseCall (www.trendmicro.com/housecall) can detect and clean infected computers, and Trend Micro™ Internet Security as well as OfficeScan™ 8.0 can be used to block or to clean the variety of Trojans and malware involved in the infection sequence.  Trend Micro gateway and mail server products also provide blocking capability.  Trend Micro’s ability to protect against these attacks is aided by the company’s innovative Total Web Threat Protection strategy.
“While apparently localized to Italian websites, this threat would have struck anyone visiting them – therefore it is a worldwide phenomenon,” said Justin Doo, Managing Director, Trend Micro Middle East and Africa. “We’re speculating that the reason they were mainly Italian is due to where they were hosted – this could have happened anywhere with vulnerable internet service providers,” he added.

The spreading mechanism is a complex chain, but it relies on website owners being unaware that they have been compromised, and on website users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process:
1) First-level URLs are the compromised or hacked legitimate websites. They are legitimate sites, primarily Italian, mostly advertising local services such as tourism, hotels, auto services, music, lotto and so on.
2) These websites were hacked and an iframe pointing to a malicious IP address (detected as HTML_IFRAME.CU) was inserted or injected into the HTML code of the legitimate site, so that users are redirected to another site hosting a JavaScript downloader (JS_DLOADER.NTJ). These are the second- and third-level URLs, and Trend Micro can block the downloader.
3) The third-level URL in turn downloads another Trojan onto the target system from a fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend Micro can also block.
4) That Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both of which Trend Micro can block.
5) The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL Trojan, from a sixth-level URL.
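As an added illustration, not taken from the release or from Trend Micro's own tooling, here is the kind of integrity check a site owner can run against their own pages to catch the injected iframe described in step 2: it flags frames that point off-site or to a raw IP address, or that are hidden (0x0 or styled invisible). The site host name and the sample page below are constructed for the demo.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "hotel-example.it"   # assumed: the legitimate site's own host name
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

class IframeFinder(HTMLParser):
    """Collects the attributes of every <iframe> tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """Injected redirect frames are usually sized 0x0 or styled invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width", "").strip() in ("0", "1") or \
           attrs.get("height", "").strip() in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

def suspicious_iframes(html, site_host=SITE_HOST):
    """Return [(src, reasons)] for iframes that point off-site, to a raw IP,
    or are hidden; a relative src is treated as on-site."""
    parser = IframeFinder()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()
        reasons = []
        if host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site host " + host)
        if IPV4.match(host):
            reasons.append("raw IP address as host")
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample: a legitimate booking frame plus an injected 0x0 frame
# pointing at a documentation (TEST-NET) address, 203.0.113.5.
SAMPLE_PAGE = """<html><body><h1>Hotel Example</h1>
<iframe src="/booking.html" width="600" height="400"></iframe>
<iframe src="http://203.0.113.5/in.cgi" width="0" height="0"
        style="display: none"></iframe></body></html>"""
```

Running `suspicious_iframes(SAMPLE_PAGE)` reports only the second frame, with all three reasons; a scheduled run over a site's published HTML would surface an injected frame long before visitors report problems.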

Once the user visits any of the said websites, the affected computer is directed to another IP address that hosts the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This JavaScript then downloads the next member of the infection series, detected as TROJ_SMALL.HCK: JS_DLOADER.NTJ exploits browser vulnerabilities, attempting to cause a buffer overflow in the user’s browser, and through this it is able to download TROJ_SMALL.HCK. In initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be “browser-aware”, in that it chooses which vulnerability to exploit depending on the browser.
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user’s temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.
This weekend’s attack is the second time such an attack has exploited a number of legitimate Italian Web sites to spread malicious JavaScripts.