Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Pulls an "Italian Job"

Posted by kdawson on from the blame-italy dept.

A number of readers sent us word about a malware attack that has been underway since Saturday that began with the compromise of more than 1,100 mostly Italian Web sites. Websense claims that more than 10,000 sites have been infected by now, 80% of them in Italy. There are indications that most of the Italian sites are resident at the same large Italian hosting provider. Trend Micro reports on the attack, which is launched from a malicious Iframe tag inserted into pages on compromised sites. For visitors to these sites, this begins a cascade of "drive-by" malware downloads if one of several targeted vulnerabilities is available and unpatched. The first page to which visitors are redirected by the Iframe hosts a recent version of Mpack attack software. Panda has a month-old report on Mpack (PDF) that provides copious detail about its nefarious ways.

12 of 133 comments (clear)

  1. Re: Viruses/Viri/Virii by beav007 · · Score: 5, Informative
    From http://en.wikipedia.org/wiki/Virii:

    In the English language, the standard plural of virus is viruses. This is the most frequently occurring form of the plural, and refers to both a biological virus and a computer virus.

    The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms. Their occurrence can be variously attributed to hypercorrection formed by analogy to Latin plurals such as alumni or false analogy to Latin plurals such as radii; idiosyncratic use as jargon among a group, such as computer hackers; and deliberate word play, such as on BBSs (see, e.g.: leet).

    Yes, viri/virii is incorrect (for now), but when the vast majority of us don't RTFA (or can't, due to the /. effect), you can hardly expect people to figure it out all on their own ;)
  2. Re:I wish they'd count "servers" and not "sites" by antic · · Score: 5, Informative

    A big, usually decent hosting company in the US that I use was getting done over by this - I had 10-20 sites infiltrated over a period of a few weeks, in 2-3 waves using two slightly different techniques. The host denied any responsibility or knowledge, saying that poor FTP passwords were the entry point. My computer was not the issue as those sites hacked were all on this host - no sites on any of the other 5 or more hosts I use were impacted, regardless of the strength of their passwords.

    Trivial passwords (single English word of five characters) were guessed as well as slightly more complicated ones (non-English words, eight characters, random numbers inserted).

    It appeared to me that were the host NOT the problem, that bots might have been guessing the passwords through brute force? I searched the net seeing if I could find more information about these attacks, but there wasn't much out there, especially given that there wasn't much to search on besides the fact that they used an IFRAME or JavaScript DeCode function, and a probably random set of IP addresses.

    Anyone know more about it all?

    --
    'Thats they exact same thing a banana wrench monkey.'
  3. Re:Why do they never come right out and say... by 1u3hr · · Score: 4, Informative
    Regardless of scoring points in the OS/browser pissing competitions, I'd just like to know what OS and browser are vulnerable, so I know whether I personally have to worry about this.

    The summary and linked articles don't even say that. Only Panda's MPack report, a dozen pages in, starts to list the actual vulnerabilities targetted. Which are IE, WMP and one Opera bug. However, the malware is actually modular in which new vulnerabilities can be plugged in, so this isn't static, and they say new versions come out about once a month.

    Nevertheless, unless the WMP vulnerability works on multiple browsers, it's just Windows IE (duh) and Opera. No mention of Linux, Mac or Firefox I saw.

  4. Re: Viruses/Viri/Virii by Belacgod · · Score: 2, Informative

    Actually, the Latin word for "man" is Vir, not Virus.

  5. It's all Microsoft vulnerabiltiies by Animats · · Score: 5, Informative

    Note that Trend Micro never uses the word "Microsoft". That's deceptive. How does Microsoft manage that? This attack depends entirely on vulnerabilities in Internet Explorer and Microsoft Media Player. It does try to attack Firefox and Opera browsers by sending them Windows Media files, but doesn't have a direct attack on either browser.

    So:

    1. Use Firefox.
    2. Go to Tools->Options->Content->Manage File Types. Go down the list, and remove or change all entries that automatically invoke Microsoft applications. (Use OpenOffice for .doc, .xls, and .ppt, maybe QuickTime for video files.)
  6. Re: Viruses/Viri/Virii by Anonymous Coward · · Score: 4, Informative
    Vir means man. Its plural is viri. Virus is a different word, a rare 2nd declension neuter, meaning (among other nasty things) 'poison'. It has no plural.

    But I agree with you, virii is both bad English and bad Latin.

  7. Defacements.... by DrYak · · Score: 3, Informative

    Look into any defacement reporting site (such as zone-h.org) and look at the numbers. They vary every day, but ion average about 60% of the defacements are for linux boxes. So there you have.


    What the parent poster talked about was the very low amount of Apache-targeting viruses and exploits compared to those targeting IIS. Apache is the most widespread server software, but IIS is the one that gets most viruses.

    And most of the time this kind of vector is used as described in current article : as a way to get control on machine to distribute malware and/or be used in a botnet.

    Whereas, what you speak about - defacement - is done in most of the case, by stupid script kiddies who just use some random tool to exploits bugs (either remote execution or SQL injections) found in common PHP script (forum engines, etc.), it is mostly server independent. Apache or IIS doesn't matter as long as poor script code is present with known vulnerability. Therefore, you're very likely to find that the defacement frequence follows closely the market share of the servers.

    Most of the time, the script kiddie just put "I am teh 1337 r0xx0rs !" in the front page. You can't do much with a compromised script (you can't start a IRC server, put a zombie bot, a full mail server for spitting spam or use it as a starting point to infect other servers in the vicinity).
    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  8. Re:Why do they never come right out and say... by und0 · · Score: 2, Informative

    Defacements are usually done exploiting poor coded PHP applications, not exploiting Apache bugs, FWIK...

  9. Tiscali? by flokemon · · Score: 2, Informative

    From the article:
    "Apparently, most of these sites are hosted on one of the largest Web hoster/provider in Italy."

    Why would I not be surprised if Tiscali's webservers were somehow to blame?...

    1. Re:Tiscali? by digitaldruid · · Score: 2, Informative

      Yes, it appears to be aruba (very popular in Italy and a little less in Spain) and according to this thread http://community.aruba.it/forums/ultimatebb.php?ub b=get_topic;f=58;t=000218 the affected sites are on IIS (you can choose between windows/IIS or linux/apache hosting).

  10. Re:Why do they never come right out and say... by bl8n8r · · Score: 3, Informative

    Looks like Windows*. No really. Yes again.

    " 1) A Trojanised WMF File (Downloader)
        2) ActiveX/OCX File (dropper)
        The downloaded malware, when executed, installs
        1) A rootkit "

    Most of the world is in denial about the whole security issue surrounding
    Windows. Even some of the postage on /. is quite alarming. People don't
    *want* to know, that's why they don't post it.

    [*] - http://blog.trendmicro.com/italian-job-vs-italian- bizness/

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org
  11. Re:A malware question to the comunity by Anonymous Coward · · Score: 1, Informative

    It seems that in your situation the best approach would be to use a liveCD to remove any remenants. One possible security focused CD is http://www.inside-security.de/insert_en.html

    Ideally, this would be burned from a computer know to be unaffected.