Attackers are using known exploits in web server applications to post attack code on third-party websites

'Italian job' attacks spread worldwide

10,000 websites now hosting malicious attack code

Written by Shaun Nichols in California

vnunet.com, 19 Jun 2007

A coordinated series of web-based attacks that began last week in Italy is quickly expanding and has now infected 10,000 websites around the world.

When security researchers first noticed the threat, it has affected 1,000 English language websites with the Italian '.it' domain. By Monday, however, the attack had gone worldwide and had drawn the attention of the FBI.

The attackers are using known exploits in web server applications to post attack code on third-party websites. The actual attack is carried out when a user visits a compromised site.

The site redirects the user to another server that runs MPack, a web-based attack tool that delivers an exploit specially designed to target flaws in each user's web browser. The exploit installs spyware and a key-logger.

Traffic is bounced from the compromised sites to a server in the San Francisco area which then redirects to the attack server which is currently located in Chicago, according to Paul Ferguson, a network architect at security vendor Trend Micro.

Ferguson noted that the San Francisco server uses an IP address registered to a Hong Kong entity, and is hosted by a company that is notoriously slow in responding to complaints about illegal activities on its network.

Because law enforcement is currently investigating the case, the name of the hosting service could not be disclosed.

Even though the attacks are carried out in the US, Ferguson said that the commercial status of the MPack tool makes it difficult to pinpoint the location of the criminals responsible.

The attack code sells on message boards for anywhere from $700 to $1,000.

Whoever is responsible for the attacks did not launch them on a whim, according to Ferguson.

The prevalence of affected sites, the use of a host known to harbour criminals, and the attack being launched at the end of the working week are all indications that the operation was planned, he argued.

Fully patched systems should be safe, because none of the vulnerabilities targeted by the MPack tool is a zero-day flaw.

Trend Micro and Symantec have urged users to install all current vendor patches for operating systems and browsers.

Trend Micro also recommends that network administrators implement HTTP and spyware scanning systems, as well as restrict the ability of network users to load and unload device drivers.