Italian Job web attack spreads to other nations

Stephen Withers
Tuesday, 19 June 2007 07:25

Your IT - Home IT

Security software vendors warn that a large number of Italian web sites have been compromised and are being used to plant malware including keyloggers on visitors' computers.

The attack has become known as The Italian Job after the movies of the same name, but has spread to other countries. According to Websense, more than 10,000 sites are now infected, leading to  significant numbers of compromised PCs in Italy, Spain, the US, Germany, France, the UK, Netherlands and Switzerland.

Late last week, Symantec reported "a large-scale web attack going on in Italy" using a malicious IFRAME to redirect traffic to a domain which employs the Mpack kit to exploit vulnerable systems.

The affected sites come from a wide variety of segments, including tourism, local government and IT. According to Trend Micro, "most have been known to be relatively safe and legitimate prior to this incident."

Trend described the process in more detail. It seems that a cascade of malware is employed to install a proxy server and a keylogger. According to security vendors, at least one part of the process is browser aware in that the malware detects which browser it is running on in order to select an appropriate vulnerability for Internet Explorer, Firefox, Opera and even QuickTime. These bugs have already been eradicated by developers, so properly maintained PCs should not be at risk.

In any case, current desktop and gateway security software blocks most, if not all, of the attacks. However, Trend warns that one of the downloaders used in the process can easily be updated by the perpetrators to deliver additional capabilities.

Symantec's theory is that a vulnerability or configuration issue at a hosting provider may account for the number of compromised sites. Trend went a step further, noting that "most of these sites are hosted on one of the largest Web hoster/provider in Italy."