NOW READ THIS
("Security Advisory")



Submitted by: Bill Hickey
NCVA List Master

NRT-0218 Russian Hackers Hijack 10,000 Italian Websites:


Hackers compromised thousands of Italian web sites over the weekend of 15-17 June to redirect surfers to a server rigged with drive-by exploits. The Russian crime ring behind the WebAttacker/MPack exploit toolkit is said to be behind the attack, which uses a malicious IFRAME tag embedded into the hacked site to redirect victims to a malware-laden server. Symantec said it is uncertain how the sites were originally hacked, but suspected a common vulnerability or configuration problem at the hosting level. By Friday night 15JUN, Symantec had pegged the number of compromised sites feeding MPack exploits at 6,000; by 19JUN, Websense said it had tracked more than 10,000. The sites at risk cover a wide range of internet interests, including cars and racing, hotels, sports, music, lottery, and pornography. According to Trend Micro, "most have been known to be relatively safe and legitimate prior to this incident," and "most of these sites are hosted on one of the largest Web hoster/providers in Italy." Initially dubbed the "Italian Job," the attack has since infected PCs in Italy, Spain, the US, Germany, France, the UK, Netherlands, and Switzerland. The MPack exploit kit used in this attack contains a stats counter that spells out in detail the types of exploits used, the number of compromised computers, and the types of browsers used by the victims. Trend said that during the attack, a cascade of malware is employed to install a proxy server and a keystroke logger. According to security vendors, at least one part of the process is "browser-aware" in that the malware detects which browser it is running on in order to select an appropriate vulnerability for Internet Explorer, Firefox, Opera, and even QuickTime. However, the article noted that the exploits are targeting vulnerabilities for which patches are already available.

(blogs.zdnet.com 19JUN07; www.computerworld.com.au 19JUN07; www.itwire.com.au 19JUN07)



Last Modified: Saturday, 21-Jul-2007 10:16:39 EDT