'Italian job' attacks pick up steam

By on
'Italian job' attacks pick up steam

GLOBAL - Ten thousand websites now unknowingly host mailicous attack.

A rash of web-based attacks that www.vnunet.com is quickly expanding and has now infected 10,000 website around the world.

When security researchers first noticed the threat, it has affected 1,000 Englished language websites that were all in .it domain for Italy. By Monday however, the attack had gone worldwide and had drawn the attention of the FBI.

The attackers behind the vulnerability use known exploits in webserver applications to post attack code on third party websites. The actual attack is carried out when a user visits a compromised site. It then redirects the user to another server that runs MPack, a web-based attack tool that delivers an exploit specially designed to target flaws in each individual user's web browser. The exploit installs spyware and a keylogger.

Traffic is bounced from the compromised sites to a server in the San Francisco Bay Area which then redirects to the attack server which is currently located in Chicago, according to Paul Ferguson, a network architect with security vendor Trend Micro.

Ferguson noted that the San Francisco server uses an IP address registered to an Hong Kong entity, and is hosted by a company that is notoriously slow in responding to complaints about illegal activities on its network. Because law enforcement is currently investigating the case, the name of the hosting service could not be disclosed.

Even though the attacks are carried out in the US, Ferguson said that the commercial status of the MPack tool makes it difficult to pinpoint the location of the criminals responsible for the attacks. The attack code sells on message boards for anywhere from US$700 to US$1000.

Whoever is responsible for the attacks did not launch them on a whim, noted Ferguson. The prevalence of affected sites, the use of a host that is known for harboring criminals, and the fact that the attack was launched at the end of the work-week are all indications that the operation was planned out extensively, he argued.

Fully patched systems however should be safe, because none of the vulnerabilities targeted by the MPack tool are zero-day flaws.

Both Trend Micro and Symantec recommend that users install all current vendor patches for both their operating systems and browsers. Trend Micro also recommends that network administrators implement both HTTP and spyware scanning systems, as well as restrict the ability of network users to load and unload device drivers.
Copyright ©v3.co.uk
Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?