
Trend Micro Warns of Fast-Moving Web Threat Spreading from Thousands of Compromised Web Domains and URLs in Italy and Around the World


CUPERTINO, Calif., June 18 /PRNewswire-FirstCall/ -- Trend Micro Incorporated, a leader in network antivirus and content security software and services, today announced the accelerating infection over the weekend in Italy of seemingly legitimate web pages loaded with malicious code that could plant a keylogger to steal user passwords, or turn computers into proxy servers for various other attacks. Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat as a result of their natural web surfing activity. The initial HTML malware takes advantage of so-called "iframes", which are commonly used on websites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit.

On the IP page where the affected browser is initially redirected, the malware toolkit statistics page displays information on how users visiting legitimate Italian Web sites are getting redirected to the host from where the download chain begins.

Currently, Trend Micro HouseCall (http://www.trendmicro.com/housecall) can detect and clean infected computers, and Trend Micro(TM) Internet Security as well as OfficeScan(TM) 8.0 can be used to block or to clean the variety of Trojans and malware involved in the infection sequence. Trend Micro gateway and mail server products also provide blocking capability. Trend Micro's ability to protect against these attacks is aided by the company's innovative Total Web Threat Protection strategy.

The spreading mechanism is a complex chain, but it relies on website owners being unaware that they are compromised, and website users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process:

1) First-level URLs are the compromised or hacked legitimate websites. They are legitimate websites primarily Italian and mostly advertising local services for tourism, hotels, auto-services, music, lotto and so on.

2) These websites were hacked and an iframe pointing to a malicious IP address (detected as HTML_IFRAME.CU) is inserted or injected into the HTML code of the legitimate website so that users will be redirected to another site with a JavaScript downloader (JS_DLOADER.NTJ). These are the second and third level URLs, and Trend Micro can block the downloader.

3) This third-level URL in turn downloads another Trojan into the target system from another fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend Micro can also block.

4) The Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both of which Trend Micro can block.

5) The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL trojan, from another sixth-level URL.


Once the user visits any of the said Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This JavaScript then downloads a new member in the infection series detected as TROJ_SMALL.HCK. JS_DLOADER.NTJ exploits browser vulnerabilities, attempting to cause a buffer overflow in the user's Internet browser, and through this it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be "browser-aware" in that it can choose which vulnerability to take advantage of depending on the browser.

TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user's temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.
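As an added example (not part of the press release or of Trend Micro's tooling), a small audit a site owner could run over their own pages to spot the kind of injected, hidden iframe described above: it flags frames whose src points at a bare IP address or an off-site host, or that are sized or styled to be invisible. The sample page, hostnames and IP address are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collect every <iframe> and flag those with the traits of an injected
    redirector: src on a bare IP or off-site host, or an invisible frame."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # the site's own hostname
        self.findings = []                   # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_ip(host):
            reasons.append("src points at a bare IP address")
        elif host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("src points off-site to " + host)
        if _is_hidden(a):
            reasons.append("frame is sized or styled to be invisible")
        if reasons:
            self.findings.append((src, reasons))


def _is_ip(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _is_hidden(a):
    # zero/one-pixel frames or CSS hiding are typical of injected frames
    style = a.get("style", "").replace(" ", "").lower()
    tiny = any(a.get(d, "").strip("\"' ").rstrip("px") in ("0", "1") for d in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_html(html, site_host):
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings


# Constructed sample: a legitimate map frame plus an injected hidden frame.
SAMPLE = """<html><body><h1>Hotel Bella Vista</h1>
<iframe src="https://maps.example-hotel.it/map" width="400" height="300"></iframe>
<iframe src="http://192.0.2.10/" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in audit_html(SAMPLE, "example-hotel.it"):
        print(src, "->", "; ".join(why))
```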

This weekend's attack is the second time such an attack has exploited a number of legitimate Italian Web sites to spread malicious JavaScripts.

For further information regarding this weekend's incident, please visit: http://www.trendmicro.com/ or the Trend Micro Malware Blog at http://blog.trendmicro.com/another-malware-pulls-an-italian-job/

For home users:

-- Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.

-- Scan with an updated antivirus and anti-spyware software any program downloaded through the Internet. This includes any downloads from P2P networks, through the Web and any FTP server regardless of the source.

-- Beware of unexpected strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.

-- Enable the "Automatic Update" feature in your Windows operating system and apply new updates as soon as they are available.

-- Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.

-- Free security tools are available at https://www.trendmicro.com/

For corporate users:

-- Deploy HTTP-scanning methods. Due to the prevalence of web threats, it is highly recommended to implement web-scanning systems in mid to large-size networks. Not only is it advisable to deploy these, but also to make sure that users cannot bypass them. The most secure way to implement such a system is to force users to forward all web requests to the scanning device and deny them otherwise. Closing this gap is key in the fight against malware and spyware, since the web has become the number one point of entry in the corporate network.

-- Do not allow unneeded protocols to enter the corporate network. The most dangerous of them are P2P communication protocols and IRC (chat). Bots use these two to propagate and to communicate with their botmaster, so they should be disallowed in the corporate firewall.

-- Deploy vulnerability scanning software in the network. Having the operating systems constantly up-to-date can minimize the impact of any new network vulnerability and diminish the risk of being infected by these kinds of worms. It is highly recommended to keep all other applications patched as well. This includes especially office productivity applications and all other software that users utilize.

-- Restrict user privileges of all network users. Kernel-level rootkits are implemented as device drivers and therefore, denying users the right to "load and unload device drivers" will largely stop them. Windows Vista already provides a protection feature to prevent this by default. Other malware uses administrator-level capabilities to perform other malicious actions. It is wise to limit what a rogue program can do by limiting its user privileges. This is accomplished by depriving normal users of administrator rights.

-- Deploy corporate anti-spyware scanning. As spyware is becoming a prevalent threat to corporate businesses, administrators need to deploy specific software to detect and stop it.

-- Support User Awareness campaigns. Most of the attacks utilized nowadays by malware try to fool the user. This is called social engineering, and it is especially important to take into account, as it is key in almost every infection. Most of the malware detected in 2006 would not have done any damage had the user not clicked on the malware. We can minimize the effect of malware in our networks by showing our users how attackers try to fool them. We must teach users basic security measures and how to react to typical attack scenarios. This goes a long way towards preventing internal outbreaks in the company. It is important to keep the users up-to-date with new attacking strategies, as well as bring new users up to speed with company security policies and recommendations.

About Trend Micro Incorporated

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at http://www.trendmicro.com/.

© 2007 PR Newswire