Trend Micro Incorporated announced the accelerating infection over the weekend in Italy of seemingly legitimate web pages loaded with malicious code that could plant a keylogger to steal user passwords, or turn computers into proxy servers for various other attacks. Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised urls, oblivious to the threat as a result of their natural web surfing activity. The initial HTML malware takes advantage of a vulnerability in so-called "iFrames" that are commonly used on websites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit called Mpack.

On the IP page where the affected browser is initially redirected, the Mpack malware toolkit statistics page displays information on how users visiting legitimate Italian Web sites are getting redirected to the Mpack host from where the download chain begins.

Currently, Trend Micro HouseCall (www.trendmicro.com/housecall) can detect and clean infected computers, and Trend Micro™ Internet Security as well as OfficeScan™ 8.0 can be used to block or to clean the variety of Trojans and malware involved in the infection sequence. Trend Micro gateway products also provide blocking capability. Trend Micro’s ability to protect against these attacks is aided by the company’s innovative Total Web Threat Protection strategy.

The spreading mechanism is a complex chain, but it relies on website owners being unaware that they are compromised, and website users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process:

1) First-level URLs are the compromised or hacked legitimate websites. They are legitimate websites primarily Italian and mostly advertising local services for tourism, hotels, auto-services, music, lotto and so on.

2) These websites were hacked and a malicious IP address (HTML_IFRAME.CU) is inserted or injected into the HTML code of the legitimate website so that users will be redirected to another site with a Javascript downloader (JS_DLOADER.NTI). These are the second and third level URLs, and Trend Micro can block the downloader.

3) This third-level URL in turn downloads another Trojan into the target system from another fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend Micro can also block.

4) The Trojan in turn downloads two additional Trojans from two different fifth-level URLs.These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both of which Trend Micro can block.

5) The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL trojan, from another sixth-level URL

Once the user visits any of the said Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This JavaScript then downloads a new member in the infection series detected as TROJ_SMALL.HCK. Trying to cause a buffer overflow on the user’s Internet browser, JS_DLOADER.NTJ exploits browser vulnerabilities. Through this, it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be “browser-aware” in that it can choose which vulnerability to take advantage of depending on the browser.

TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user’s temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.

This weekend’s attack is the second time such an attack has exploited a number of legitimate Italian Web sites to spread malicious JavaScripts.

Trend Micro  

     Next article >

June 2007