“Italian Job”, the Fastest Widespread Malicious Web Attack Worldwide, warns Trend Micro

Trend Micro's Diagram of Italian Job

Over the weekend in Italy, a number of legitimate English-language Italian Web pages fell victim to malicious code that was able to plant a keylogger to steal user passwords, or even to turn computers into proxy servers for various other attacks.

Trend Micro, a network antivirus and content security company, announced the accelerating infection. Its researchers have termed it the “Italian Job” because a majority of the infected pages were hosted in Italy.

The company has also pointed out that thousands of Internet users worldwide have already accessed the compromised URLs unknowingly, in the course of their day-to-day Web surfing.

According to David Perry, global director of education for Trend Micro, the infection vector “was built from a kit sold commercially in Russia.”

The initial HTML malware takes advantage of so-called “iFrames”, an HTML feature that is commonly used on websites and just as commonly abused by attackers to load content from another site without the visitor noticing.

The statistics page of the malware toolkit, hosted at the IP address to which the affected browser is initially redirected, shows how visitors to legitimate Italian Web sites are being redirected to the host from which the download chain begins.

Basically, the spreading mechanism is very complex. It relies on Web site owners being unaware that their sites are compromised, and on Web site users being unaware that surfing seemingly legitimate pages can itself be part of the infection process, which takes place as follows:

  • First-level URLs are the compromised or hacked legitimate websites. They are primarily Italian and mostly advertise local services: tourism, hotels, auto services, music, lotto and so on.
  • These websites were hacked and an iframe pointing to a malicious IP address (detected as HTML_IFRAME.CU) was injected into the HTML code of the legitimate site, so that visitors are silently redirected to another site hosting a JavaScript downloader (JS_DLOADER.NTJ). These are the second- and third-level URLs, and Trend Micro can block the downloader.
  • The third-level URL in turn downloads another Trojan onto the target system from a fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend Micro can also block.
  • That Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both of which Trend Micro can block.
  • The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL Trojan, from a sixth-level URL.
  • This weekend’s attack is the second time such an attack has exploited a number of legitimate Italian Web sites to spread malicious JavaScript.
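The first link in the chain above is an iframe injected into an otherwise legitimate page. The following script is an added example (not Trend Micro's code and not from the article) showing how a site owner or web scanner can flag iframes that look injected rather than authored: zero-size or CSS-hidden frames, frames whose source is a bare IP address, and frames loading from a host other than the site itself. The two HTML pages, the hotel domain `www.example-hotel.it` and the address `192.0.2.10` are constructed for illustration.

```python
"""Flag injected, hidden iframes in HTML: the first stage of the download chain.

Added example, not Trend Micro's code. The sample pages, the site host and
the IP address are constructed for illustration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a hotel page with an injected 0x0 iframe pointing
# at a raw IP address, so the visitor never sees the frame load.
SAMPLE_COMPROMISED = """
<html><body>
<h1>Hotel Bella Vista</h1>
<p>Book your room today.</p>
<iframe src="http://192.0.2.10/index.php" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

# Constructed sample: the same page with an authored, visible, same-site iframe.
SAMPLE_CLEAN = """
<html><body>
<h1>Hotel Bella Vista</h1>
<iframe src="https://www.example-hotel.it/map" width="400" height="300"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True for zero/near-zero dimensions or CSS hiding: the visitor would not see it."""
    for dim in ("width", "height"):
        value = attrs.get(dim, "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _points_to_raw_ip(src):
    """True when the src host is a bare IP address rather than a hostname."""
    host = urlparse(src).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return a list of (src, reasons) for iframes that look injected.

    site_host is the hostname the page legitimately belongs to; a visible,
    same-site frame produces no finding.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _is_hidden(attrs):
            reasons.append("hidden (zero-size or CSS-hidden)")
        if _points_to_raw_ip(src):
            reasons.append("src is a raw IP address")
        host = urlparse(src).hostname
        if host and host != site_host and not _points_to_raw_ip(src):
            reasons.append("third-party host")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for name, page in (("compromised", SAMPLE_COMPROMISED), ("clean", SAMPLE_CLEAN)):
        print(name, find_suspicious_iframes(page, "www.example-hotel.it"))
```

Run against a crawl of a site's own pages, the output is a short list of frames worth a human look; a hidden frame to a raw IP is the pattern described in the chain above, while a visible third-party frame (an embedded map or video) is usually authored and only needs confirming against what the site owner expects.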

Trend Micro has warned home users to follow these steps:

  • Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.
  • Scan with updated antivirus and anti-spyware software any program downloaded through the Internet. This includes any downloads from P2P networks, through the Web and from any FTP server, regardless of the source.
  • Beware of unexpected, strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.
  • Enable the “Automatic Update” feature in your Windows operating system and apply new updates as soon as they are available.
  • Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.

Trend Micro said that it is currently working with the FBI to catch the perpetrators.