Tokyo-based antivirus firm Trend Micro is warning in its blog of a large Trojan attack that has proven especially troublesome for computers in Italy. The attack involves a blizzard of legitimate but compromised Web pages that silently pull in malware capable of planting a keylogger to steal passwords or turning infected machines into proxy servers for other attacks.
“Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat as a result of their natural Web surfing activity,” the vendor said in an emailed statement. “The initial HTML malware takes advantage of a vulnerability in so-called iFrames that are commonly used on Web sites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit.”
Trend Micro said the malware toolkit's statistics page, hosted at the IP address to which affected browsers are first redirected, shows how visitors to legitimate Italian Web sites are being funneled to the host where the download chain begins.
The spreading mechanism is a multi-stage chain, but it depends on two blind spots: site owners who do not know their pages have been compromised, and visitors who do not realize that browsing a seemingly legitimate page can itself be a step in an infection. Trend Micro outlined the attack's stages:
1.) First-level URLs are the compromised or hacked legitimate Web sites. They are primarily Italian sites, mostly advertising local services such as tourism, hotels, auto services, music and lotto.
3.) The third-level URL in turn downloads another Trojan into the target system from another fourth-level URL. This is the URL for TROJ_SMALL.HCK.
4.) The Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC.
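The first-level stage above is an injected iframe on an otherwise legitimate page, typically concealed (1x1 pixels or hidden by CSS) and pointing at the exploit host, which Trend Micro says is reached by IP address. A site owner can catch that stage by auditing their own pages for such frames. The script below is an added example, not code from the original post or from Trend Micro; it uses only the Python standard library, and the sample page, host names and the 192.0.2.10 address (a documentation-range IP) are constructed for illustration.

```python
"""Flag injected, concealed iframes in static HTML (added example; stdlib only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches a dotted-quad host such as 192.0.2.10 (an IP literal rather than a hostname).
IPV4_LITERAL = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # html.parser lowercases tag and attribute names; a bare attribute has value None.
            self.iframes.append({name: (value or "") for name, value in attrs})


def _is_tiny(dimension):
    """True for width/height values of 0 or 1 (e.g. "1", "0px"), a classic hiding trick."""
    m = re.match(r"\s*(\d+)", dimension or "")
    return m is not None and int(m.group(1)) <= 1


def _css_hidden(style):
    """True when the inline style hides the element outright."""
    s = (style or "").lower().replace(" ", "")
    return "display:none" in s or "visibility:hidden" in s


def audit_iframes(html, page_host):
    """Return one record per iframe: its src, the reasons it looks injected, and a verdict.

    An iframe is flagged when it shows two or more indicators, so a visible third-party
    ad frame (one indicator: off-site target) is not reported, while a 1x1 hidden frame
    pointing at a bare IP address is.
    """
    collector = _IframeCollector()
    collector.feed(html)
    records = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        reasons = []
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("near-zero size")
        if _css_hidden(attrs.get("style")):
            reasons.append("hidden by CSS")
        if host and host.lower() != page_host.lower():
            reasons.append("off-site target")
        if host and IPV4_LITERAL.match(host):
            reasons.append("IP-literal host")
        records.append({"src": src, "reasons": reasons, "flagged": len(reasons) >= 2})
    return records


def flagged_sources(html, page_host):
    """Convenience wrapper: just the src values of the iframes judged suspicious."""
    return [r["src"] for r in audit_iframes(html, page_host) if r["flagged"]]


# Constructed sample (not a real page): a hotel site with a legitimate same-site map
# frame, a visible third-party ad frame, and an injected 1x1 hidden frame pointing at
# a bare IP address, the pattern described in the post.
SAMPLE_PAGE = """
<html><body>
<h1>Hotel Esempio</h1>
<iframe src="/map.html" width="400" height="300"></iframe>
<iframe src="http://ads.example.net/banner" width="468" height="60"></iframe>
<iframe src="http://192.0.2.10/index.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for record in audit_iframes(SAMPLE_PAGE, "www.hotel-esempio.example"):
        verdict = "FLAGGED" if record["flagged"] else "ok     "
        print(verdict, record["src"], record["reasons"])
```

This only sees iframes present in the static HTML. Kits of this era also wrote the frame at runtime from obfuscated JavaScript (document.write of an escaped string), so a fuller audit would also grep for script blocks containing unescape or fromCharCode calls, or render the page in an instrumented browser and inspect the resulting DOM.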
UPDATE, 6/19/07 at 7:15 a.m.: Several security vendor blogs include maps and other graphics that paint a pretty good picture of who is most affected:
The PandaLabs blog offers stats on attacked hosts and efficiency rates.
The Symantec Security Response blog covers much of the same ground as Trend Micro's post.
The SANS Internet Storm Center links to various sites tracking the attack.
For the sake of balance, I do want to note that Symantec’s ThreatCon remains at Level 1, its lowest position, as does the storm center and the IBM ISS AlertCon.