Interesting People mailing list archives
Russian malware used in attacks on Italian web
From: David Farber <dave () farber net>
Date: Tue, 19 Jun 2007 15:14:49 -0400
Begin forwarded message:
From: Randall <rvh40 () insightbb com>
Date: June 19, 2007 3:05:16 PM EDT
To: David Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>
Subject: Russian malware used in attacks on Italian web
http://arstechnica.com/news.ars/post/20070618-security-researchers-uncover-massive-attack-on-italian-web-sites.html

Security researchers uncover massive attack on Italian web sites
By Jeremy Reimer | Published: June 18, 2007 - 02:58PM CT

Security researchers at Symantec have verified that a large-scale web attack targeting Italian web sites and their users is underway. The attackers exploited vulnerabilities at the ISP and web hosting provider level to add snippets of IFRAME code to hundreds of popular Italian web sites, including those of IT companies, car rental firms, tax services, city councils, and hotel and travel destinations. The compromised web sites attempt to use exploits in unpatched versions of Internet Explorer, QuickTime, Windows 2000, Firefox, WinZip, and Opera, in order to install malware packages on end users' computers.

The attackers used a "commercial" malware kit called MPack, which is sold by a Russian gang. Currently at version 0.86, MPack provides would-be malware installers with a complete package that can be installed on any web server that runs PHP with an SQL database. The owners of MPack have been selling it to other criminal organizations for between $700 and $1,000 a pop, with additional exploit modules available for between $50 and $150. For an additional $30, the MPack owners will include a feature that helps prevent the malware from being detected by antivirus programs.

Once MPack is installed, the attackers need to compromise popular web sites (as was done in the Italian attack) in order to inject IFRAME code. The site's HTML files do not need to be directly compromised, as the code is added dynamically when the page is sent by the server; this makes it less likely that web site owners will notice that anything suspicious is going on. The IFRAME code then adds a request to the MPack server itself, which analyzes the HTTP request header received from the user's web browser. It uses this information to determine which exploit it will try to use against the user. The MPack server stores data about which exploits have been tried and which were successful, and even provides the attacker with a handy "management console" to keep track of how many hosts have been compromised. MPack was first discovered for sale in a Russian forum in December 2006, and the security firm PandaLabs has provided a detailed analysis (PDF) on its web site.

The rise of off-the-shelf malware packages is another indication that compromising users' computers has become a huge business and especially attractive for criminal organizations. The risk of detection and capture is low: the attackers typically install MPack on a compromised web server, and the malware itself can be hosted on any number of servers. Even if an MPack server is discovered and shut down, any users who have been infected by the exploits that MPack uses will continue to generate revenue from whatever spyware the attackers choose to install on the compromised systems.

The advent of directed attacks on popular web sites makes it harder for users to practice skeptical computing, as one does not typically expect to get attacked by a popular tourist destination's web site. The only solution is for both web site operators and end users to ensure that their software, including third-party software, is kept up to date.

_______________________________________________
tt mailing list
tt () postbiota org
http://postbiota.org/mailman/listinfo/tt
My Original Writing blog: http://itgotworse.blogsource.com

-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com
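The article's point that the injected IFRAME code is added when the page is served, so the on-disk HTML files look untouched, suggests a simple operator-side check: fetch the page as a visitor would and diff the iframes in the served response against those in the file the web server is supposed to be serving. The following script is an added example written for this archive page; it is not part of the forwarded article, the Ars Technica piece, or any Symantec or PandaLabs tooling. The sample HTML and the injected.example / maps.example hostnames are constructed for the demonstration, and the 0x0 / display:none "hidden frame" heuristic is an assumption about what an injected frame typically looks like, not a description of MPack specifically.

```python
"""Flag <iframe> elements present in a served page but absent from the on-disk copy.

Added example (not from the original post). Compares two HTML documents and
reports iframes that only appear in the served version, marking those that
are sized or styled so a visitor would never see them.
"""
from html.parser import HTMLParser
from typing import Dict, List
import urllib.request


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def collect_iframes(html: str) -> List[Dict[str, str]]:
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def looks_hidden(attrs: Dict[str, str]) -> bool:
    """Heuristic (assumption): 0/1-pixel or invisible frames are not meant for the visitor."""
    width = attrs.get("width", "").strip().rstrip("px")
    height = attrs.get("height", "").strip().rstrip("px")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        width in ("0", "1")
        or height in ("0", "1")
        or "display:none" in style
        or "visibility:hidden" in style
    )


def find_injected_iframes(on_disk_html: str, served_html: str) -> List[Dict[str, object]]:
    """Return iframes whose src is in the served page but not in the on-disk file."""
    known_sources = {f.get("src", "") for f in collect_iframes(on_disk_html)}
    findings: List[Dict[str, object]] = []
    for frame in collect_iframes(served_html):
        src = frame.get("src", "")
        if src not in known_sources:
            findings.append({"src": src, "hidden": looks_hidden(frame)})
    return findings


def check_live_page(path: str, url: str, timeout: float = 10.0) -> List[Dict[str, object]]:
    """Read the file the server should serve and fetch what it actually serves."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        on_disk = fh.read()
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310 (operator-chosen URL)
        served = resp.read().decode("utf-8", errors="replace")
    return find_injected_iframes(on_disk, served)


# Constructed sample data: a legitimate map embed on disk, plus a 0x0 frame
# that appears only in the served output (hostnames are placeholders).
ON_DISK_HTML = """<html><body>
<h1>Hotel Bellavista</h1>
<iframe src="http://maps.example/embed?id=42" width="400" height="300"></iframe>
</body></html>"""

SERVED_HTML = """<html><body>
<h1>Hotel Bellavista</h1>
<iframe src="http://maps.example/embed?id=42" width="400" height="300"></iframe>
<iframe src="http://injected.example/in.cgi" width="0" height="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for hit in find_injected_iframes(ON_DISK_HTML, SERVED_HTML):
        flag = "HIDDEN " if hit["hidden"] else ""
        print(f"{flag}iframe not in on-disk file: {hit['src']}")
```

Running the sample reports the injected frame and marks it hidden while staying silent about the legitimate map embed. In practice `check_live_page` should be run from outside the hosting network with a browser-like User-Agent, since the article notes the injection happens on the way out of the server and a request from localhost may not take the same path.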