Russian malware used in attacks on Italian web

[David Farber <dave () farber net>]

Begin forwarded message:

From: Randall <rvh40 () insightbb com>
Date: June 19, 2007 3:05:16 PM EDT
To: David Farber <dave () farber net>, Dewayne Hendricks  
<dewayne () warpspeed com>
Subject: Russian malware used in attacks on Italian web

> http://arstechnica.com/news.ars/post/20070618-security-researchers- 
> uncov
> er-massive-attack-on-italian-web-sites.html
>
> Security researchers uncover massive attack on Italian web sites
>
> By Jeremy Reimer | Published: June 18, 2007 - 02:58PM CT
>
> Security researchers at Symantec have verified that a large-scale web
> attack targeting Italian web sites and their users is underway. The
> attackers exploited vulnerabilities at the ISP and web hosting  
> provider
> level to add snippets of IFRAME code to hundreds of popular Italian  
> web
> sites, including those of IT companies, car rental firms, tax  
> services,
> city councils, and hotel and travel destinations. The compromised web
> sites attempt to use exploits in unpatched versions of Internet
> Explorer, QuickTime, Windows 2000, Firefox, WinZip, and Opera, in  
> order
> to install malware packages on end users' computers.
>
> The attackers used a "commercial" malware kit called MPack, which is
> sold by a Russian gang. Currently at version 0.86, MPack provides
> would-be malware installers with a complete package that can be
> installed on any web server that runs PHP with an SQL database. The
> owners of MPack have been selling it to other criminal  
> organizations for
> between $700 and $1,000 a pop, with additional exploit modules  
> available
> for between $50 and $150. For an additional $30, the MPack owners will
> include a feature that helps prevent the malware from being  
> detected by
> antivirus programs.
>
> Once MPack is installed, the attackers need to compromise popular web
> sites (as was done in the Italian attack) in order to inject IFRAME
> code. The site's HTML files do not need to be directly compromised, as
> the code is added dynamically when the page is sent by the server-this
> makes it less likely that web site owners will notice that anything
> suspicious is going on.
>
> The IFRAME code then adds a request to the MPack server itself, which
> analyzes the HTTP request header received from the user's web browser.
> It uses this information to determine which exploit it will try to use
> against the user. The MPack server stores data about which exploits  
> have
> been tried and which were successful, and even provides the attacker
> with a handy "management console" to keep track of how many hosts have
> been compromised. MPack was first discovered for sale in a Russian  
> forum
> in December 2006, and the security firm PandaLabs has provided a
> detailed analysis (PDF) on its web site.
>
> The rise of off-the-shelf malware packages is another indication that
> compromising users' computers has become a huge business and  
> especially
> attractive for criminal organizations. The risk of detection and  
> capture
> is low: the attackers typically install MPack on a compromised web
> server, and the malware itself can be hosted on any number of servers.
> Even if an MPack server is discovered and shut down, any users who  
> have
> infected by the exploits that MPack uses will continue to generate
> revenue from whatever spyware the attackers choose to install on the
> compromised systems.
>
> The advent of directed attacks on popular web sites makes it harder  
> for
> users to practice skeptical computing, as one does not typically  
> expect
> to get attacked by a popular tourist destination's web site. The only
> solution is for both web site operators and end users to ensure that
> their software-including third-party software-is kept up to date.
> _______________________________________________
> tt mailing list
> tt () postbiota org
> http://postbiota.org/mailman/listinfo/tt

My Original Writing blog: http://itgotworse.blogsource.com



-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com