Called the "Italian Job" by Trend Micro researchers because a great majority of the infected pages are hosted in Italy, the Trojan downloads a keylogger designed to steal banking and other confidential information through a wide range of web-infection downloads.
David Perry, global director of education for Trend Micro, said the infection vector "was built from a kit sold commercially in Russia."
The original attack came "from Hong Kong, [but the hackers] set up a server in San Francisco that relays to one in Chicago," said Perry. "The infected websites are taken over to the point where they're owned by whomever the hackers are."
According to Trend Micro, tens of thousands of unaware users have already accessed compromised web pages, infecting their systems with the Trojan. The downloaded malware takes advantage of a vulnerability in so-called " iFrames " that are commonly used and exploited on websites.
Perry said the Trojan is "an automated tool that looks for not just one but any number of vulnerabilities" on systems visiting the infected pages.
The impacted web pages "have also been infected using vastly different methods, and not having our hands on the tool or automated process, we don't know what it's limited to," he added.
The fact that the perpetrators are stealing personal information points out that they "definitely have criminal intent" in mind, added Perry.
Trend Micro said it is working with the FBI to catch the perpetrators.
Both Trend Micro and Websense said users of their respective anti-virus products are protected against the exploit. Trend Micro said its HouseCall offers a free online scan that can detect the Trojan and repair infected systems.
'Italian Job' Trojan infecting thousands of servers, end-user PCs
By Jim Carr on Jun 19, 2007 9:33AM