Security Bytes

Jun 18 2007   3:57PM GMT

Trend Micro warns of widescale Trojan attack

Leigha Cardwell

Tokyo-based antivirus firm Trend Micro is warning in its blog of a large Trojan attack that has proven especially troublesome for computers in Italy. The attack involved a blizzard of seemingly legitimate Web pages loaded with malware that could plant a keylogger to steal passwords or turn machines into proxy servers for other attacks.

“Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat as a result of their natural Web surfing activity,” the vendor said in an emailed statement. “The initial HTML malware takes advantage of a vulnerability in so-called iFrames that are commonly used on Web sites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit.”

Trend Micro said that on the IP address to which the affected browser is initially redirected, the malware toolkit's statistics page shows how visitors to legitimate Italian Web sites are being redirected to the host where the download chain begins.

The spreading mechanism is a complex chain, but it relies on Web site owners being unaware that they are compromised, and Web site users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process. Trend Micro outlined the attack’s various characteristics:

1.) First-level URLs are the compromised or hacked legitimate Web sites. They are legitimate sites primarily Italian in origin and mostly advertising local services for tourism, hotels, auto-services, music, lotto and so on.

2.) These Web sites were hacked and a malicious iframe (HTML_IFRAME.CU) pointing to an attacker-controlled IP address was injected into the HTML code of the legitimate site, so that users are redirected to another site hosting a JavaScript downloader (JS_DLOADER.NTJ). These are the second- and third-level URLs.

3.) The third-level URL in turn downloads another Trojan into the target system from another fourth-level URL. This is the URL for TROJ_SMALL.HCK.

4.) The Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC.

5.) The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL Trojan, from another sixth-level URL. Once the user visits any of the said Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript.
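As an added illustration from the site owner's side (example code, not Trend Micro's), the check below scans a page's HTML for the kind of injected, invisible iframe described in step 2: a frame whose src is a raw IP address or an off-site host, sized to 0 or 1 pixel, or hidden by CSS. The sample page, the hostname and the 192.0.2.10 address are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Injected frames are usually invisible: hidden by CSS or sized to 0/1 px.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
RAW_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})

def _is_tiny(value):
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1

def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons])] for frames that look injected rather than authored."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if RAW_IPV4.fullmatch(host):
            reasons.append("src is a raw IP address")
        elif host and host != site_host:
            reasons.append("src points off-site")
        if _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", "")):
            reasons.append("zero/one-pixel frame")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by CSS")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page: one authored embed, one injected frame (192.0.2.10 is a documentation address).
SAMPLE = """<h1>Hotel Roma</h1>
<iframe src="https://www.hotel-roma.example/map" width="400" height="300"></iframe>
<iframe src="http://192.0.2.10/index.php" width="0" height="0" style="visibility:hidden"></iframe>"""
if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE, "www.hotel-roma.example"):
        print(src, "->", "; ".join(why))
```

Run it against a crawl of your own pages and compare the flagged frames with what the site's templates actually contain; a hit on a host you did not author is the signal the compromised sites in step 1 lacked.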

“Trying to cause a buffer overflow on the user’s Internet browser, JS_DLOADER.NTJ exploits browser vulnerabilities,” Trend Micro said. “Through this, it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be browser-aware in that it can choose which vulnerability to take advantage of depending on the browser.”

UPDATE, 6/19/07 at 7:15 a.m.: Several security vendor blogs include maps and other graphics that paint a pretty good picture of who is most affected:

The PandaLabs blog offers stats on attacked hosts and efficiency rates.

The Symantec Security Response blog outlines a lot of what Trend Micro outlined in its blog.

The SANS Internet Storm Center links to various sites tracking the attack.

For the sake of balance, I do want to note that Symantec’s ThreatCon remains at Level 1, its lowest position, as does the storm center and the IBM ISS AlertCon.

