'Italian job' attacks pick up steam

By Shaun Nichols on Jun 19, 2007 11:50 AM
Filed under Security

GLOBAL - Ten thousand websites now unknowingly host mailicous attack.

A rash of web-based attacks that www.vnunet.com is quickly expanding and has now infected 10,000 website around the world.

When security researchers first noticed the threat, it has affected 1,000 Englished language websites that were all in .it domain for Italy. By Monday however, the attack had gone worldwide and had drawn the attention of the FBI.

The attackers behind the vulnerability use known exploits in webserver applications to post attack code on third party websites. The actual attack is carried out when a user visits a compromised site. It then redirects the user to another server that runs MPack, a web-based attack tool that delivers an exploit specially designed to target flaws in each individual user's web browser. The exploit installs spyware and a keylogger.

Traffic is bounced from the compromised sites to a server in the San Francisco Bay Area which then redirects to the attack server which is currently located in Chicago, according to Paul Ferguson, a network architect with security vendor Trend Micro.

Ferguson noted that the San Francisco server uses an IP address registered to an Hong Kong entity, and is hosted by a company that is notoriously slow in responding to complaints about illegal activities on its network. Because law enforcement is currently investigating the case, the name of the hosting service could not be disclosed.

Even though the attacks are carried out in the US, Ferguson said that the commercial status of the MPack tool makes it difficult to pinpoint the location of the criminals responsible for the attacks. The attack code sells on message boards for anywhere from US$700 to US$1000.

Whoever is responsible for the attacks did not launch them on a whim, noted Ferguson. The prevalence of affected sites, the use of a host that is known for harboring criminals, and the fact that the attack was launched at the end of the work-week are all indications that the operation was planned out extensively, he argued.

Fully patched systems however should be safe, because none of the vulnerabilities targeted by the MPack tool are zero-day flaws.

Both Trend Micro and Symantec recommend that users install all current vendor patches for both their operating systems and browsers. Trend Micro also recommends that network administrators implement both HTTP and spyware scanning systems, as well as restrict the ability of network users to load and unload device drivers.