Over the weekend in Italy, a number of legitimate English-language Italian Web pages fell victim to malicious code that was able to plant a keylogger to steal user passwords, or even to turn computers into proxy servers for various other attacks.
Trend Micro, a network antivirus and content security company, announced this accelerating infection. Trend Micro researchers have even termed it the “Italian Job” because a majority of the infected pages were hosted in Italy.
The company has also pointed out that thousands of Internet users worldwide have already accessed compromised URLs unknowingly, as a result of their day-to-day Web surfing activities.
According to David Perry, global director of education for Trend Micro, the infection vector “was built from a kit sold commercially in Russia.”
The initial HTML malware takes advantage of a vulnerability in so-called “iFrames,” which are commonly used on websites and commonly exploited.
On the IP page to which the affected browser is initially redirected, the malware toolkit's statistics page displays information on how users visiting legitimate Italian Web sites are getting redirected to the host from where the download chain begins.
Basically, the spreading mechanism is very complex and relies on Web site owners being unaware that they are compromised, as well as Web site users being unaware that surfing through seemingly legitimate pages can actually be a part of the infection process, which takes place as follows:
Trend Micro has warned home users to follow these steps:
Always have an antivirus real-time scan service. Regularly check that it is being updated and that the service is running.
Trend Micro said that it is currently working with the FBI to catch the perpetrators.