Italian Job: The launch of a new attack

Saturday, June 16, 2007 was a quiet day, but all over the world of computer virus detection and research, people were hard at work, fighting what well may be the herald of a whole new era in malicious criminal behaviour.


A program called MPACK was involved, but only as the framework of the delivery system. The MPACK kit was used to corrupt web pages and web servers in such a way that they could be used to deliver a Trojan downloader to any unsuspecting visitor.

Just visiting such a corrupted site was enough to infect the user. And once infected, the users computer was pwned. Perhaps the oddest thing about this attack, which we called The Italian Job was that there was really nothing new about it. It used several off the shelf malware components, some of them months old.

In the past, virus outbreaks were always associated with a new viral program (or a new version of an old program sufficiently modified to require new protection) today it’s not so clear. For one thing, we are no longer talking about viruses.

Today the fresh outbreak might well be a new use of an existing malicious schema. The very oddest thing about this is that the criminals causing this buy the components for an attack in a ready to go software kit.

By Saturday morning, we had seen more than eleven hundred infected systems. By Sunday night it was sixteen and by mid day Monday reports ranged from three thousand infected servers to as many as ten thousand servers. These were not how many end users were infected, but were the actual sources of infection. The actual number of pwned computers might run much higher….thousands of times higher.

The name is derived from the fact that all of the initial affected servers were located in Italy (in fact, they were all located at a single hosting service) this later spread to servers in Spain, France and the UK.

The fact that the initial spread was derived from a single hosting service shows some sophistication on the part of the gang involved. Rather than hand attack servers one by one, they find a common infrastructure shared by all the servers and creep through it, as through the air conditioning ducts of a shopping mall, dropping into one web server after another with little chance of getting caught or blocked.

Look for more of this technique in the coming months. It does have an Achilles heel; however, all of the infected sites could be frozen out at the source, by the drastic measure of shutting down the hosting service. This was not needed in this particular attack, but might be more important in the future.

So the code is not new, the attack vector is not new (among other things, MPACK uses IFRAME vulnerabilities) and even the payload is pretty much standard fare. (The Italian Job delivered a Trojan downloader and a keylogger, standard cyber crime items) Why was this of interest? This was the first large scale use of a Web-based attack, and it has already been duplicated only a few days later.

Also, this group of miscreants had covered their bases. The Italian Job contained exploits designed for Internet Explorer, Mozilla Firefox, Opera, and even Java Script and WinZIP. There were enough tools to infect a sizable percentage of unwitting web surfers.

But is this one group of criminals? In reality, this is not reflective of a single person or single group of people at all. It takes a village to grab your computer.

First, the infection components (including the MPack kit, the Trojan payload, and various add on components) are built by various programmers, and then offered for sale by an ethically challenged reseller, located in Russia.

Next, the purchaser of these virtual lock picks, jimmy bars and rigged dice need to identify a targeted means of distribution, and plant the assembled threat (some tinker toy assembly of the kit, with perhaps some customisation) onto the selected website(s) this may and or may not involve a break-in (virtual or real) an inside job (ditto) or even some kind of automated tool for injecting this bad stuff into each web server in turn. We have not yet identified this group for the Italian Job.

Once the web servers are infected, end users are redirected to an IP address in apparently located in Hong Kong, but actually in the city of San Francisco.

This is an attempt to further hide the identity of the gang involved. Other downloads appear to come from Chicago, but are actually located in SF as well. This is done through an IFRAME exploit, and infected machines first become infected with the Trojan downloader, (TROJ_SMALL.HCK, later leading to a second, larger downloader, TROJ_PAKES.NC) and then with the keylogger.

(TSPY_SINOWAL.BJ) This is a long-standing malware technique, sending a tiny Trojan to download its own bigger brother. The keylogger is hosted from a server in Panama, but the server is registered to an owner in the Ukraine. The Italian Job is a world wide threat on the world wide web.

Once a victim has all this bad stuff on their computer, the criminals can use the keylogger to steal passwords, credit card information and more. What’s even worse is the continuing presence of the downloader. A system containing a downloader can be reconfigured from anywhere in the world to do just about anything.

The web is currently a less than safe place for computer users, and yet it continues to grow as a centre for banking, for commerce, and certainly for crime.

The rise of Web 2.0 is even less safe, trusting unknown users to provide html, video, audio, blog entries and web links, when all of these things are corruptible. The greatest of Web 2.0 sites are already home to their own flavors of specific web threats.

But the Italian Job infected thousands of ordinary, trusted websites. Sites from travel agencies, hotels, tour companies, charities and even some sites from the Italian government were affected.

It is unknown how many end users were affected, but traffic was not high over the weekend, and cleanup was well underway by first thing Monday morning. So, this first wave was reduced in importance to a minor threat.

And then came SKIN JOB. First cousin to the Italian Job, this attack was so named because it used servers in the pornography trade. It used fewer servers (around 300 is the most quoted number) but it threatened many more people, due to the larger amount of traffic these sites attract.

It would be easy to dismiss this as the due comeuppance to those who patronise porn, but the world does not need thousands more computers under the control of criminal gangs.

Zombie computers are actually used to attack yet other people, with spam, with phishing, with denial of service attacks, with credit card theft and so much more. The loss of anyone’s computer security, in the long run, diminishes us all.

The Skin Job servers all had a common connection to a single mpeg hosting service, so again they were connected via infrastructure. They were located all over Central and Eastern Europe.

Like the earlier attack there was no unique software, the only innovation was in the effectiveness of corrupting such a large group of servers almost instantly, and the sophistication of the attack strategy.

This is almost certainly the work of organised crime, of criminal gangs. These are the first attacks of such a size and sophistication to draw international attention at this level.

None of these attacks are anywhere near as large as the virus attacks in the old days. A self-replicating virus left unchecked could (and did) infect millions of computers in only a few days (in some cases, a few hours) but these new attacks mean business.

That keylogger component intends to steal your passwords, your credit card number, and your very identity. The Trojan downloader virtually puts your computer in very real risk of being collected with other such computers and sold in a secret auction as a botnet, and thence to be remotely reprogrammed for some criminal enterprise.

Users should follow all the standard security advice. Get and use an integrated Internet security program. Update all your OS and applications (particularly your browser). Using one of the new ‘web site rating’ programs would tell you that a site was bad, but you would be infected anyway. If you suspect anything at all, run a scan at HouseCall to act as a second opinion on your normal virus scanner.

By David Perry (with thanks to Jamz Yaneza)
Global Director of Education
Trend Micro, Inc.

attackitalianjoblaunchnewofsecuritythevector