[farber]

http://arstechnica.com/news.ars/post/20070618-security-researchers-uncover-massive-attack-on-italian-web-sites.html


Security researchers uncover massive attack on Italian web sites


By Jeremy Reimer | Published: June 18, 2007 - 02:58PM CT


Security researchers at Symantec have verified that a
large-scale web attack targeting Italian web sites and their users
is underway. The attackers exploited vulnerabilities at the
ISP and web hosting provider level to add snippets of IFRAME
code to hundreds of popular Italian web sites, including
those of IT companies, car rental firms, tax services, city
councils, and hotel and travel destinations. The compromised
web sites attempt to use exploits in unpatched versions of
Internet Explorer, QuickTime, Windows 2000, Firefox, WinZip,
and Opera, in order to install malware packages on end
users' computers.

The attackers used a "commercial" malware kit called MPack,
which is sold by a Russian gang. Currently at version 0.86,
MPack provides would-be malware installers with a complete
package that can be installed on any web server that runs
PHP with an SQL database. The owners of MPack have been
selling it to other criminal organizations for between $700
and $1,000 a pop, with additional exploit modules available
for between $50 and $150. For an additional $30, the MPack
owners will include a feature that helps prevent the malware
from being detected by antivirus programs.

Once MPack is installed, the attackers need to compromise
popular web sites (as was done in the Italian attack) in
order to inject IFRAME code. The site's HTML files do not
need to be directly compromised, as the code is added
dynamically when the page is sent by the server; this makes
it less likely that web site owners will notice that
anything suspicious is going on.

The IFRAME code then adds a request to the MPack server
itself, which analyzes the HTTP request header received from
the user's web browser. It uses this information to
determine which exploit it will try to use against the user.
The MPack server stores data about which exploits have been
tried and which were successful, and even provides the
attacker with a handy "management console" to keep track of
how many hosts have been compromised. MPack was first
discovered for sale in a Russian forum in December 2006, and
the security firm PandaLabs has provided a detailed analysis
(PDF) on its web site.
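Because the IFRAME is added at serve time while the files on disk stay clean, a site operator can catch this class of compromise by fetching the page as a visitor would and comparing it with the on-disk copy, and by flagging frames that are hidden or point off-site. The script below is an added illustration of that check, not code from the article or from Symantec or PandaLabs; the host names, page content and the injected frame are all constructed samples, not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    # A width or height of 0 or 1 pixel is the classic way to hide a frame.
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that are hidden or point off-site."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        host = urlparse(src).hostname
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("off-site src")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            hits.append((src, reasons))
    return hits

def injected_iframes(served_html, disk_html):
    """Iframe sources present in the served page but absent from the file
    on disk; the on-disk copy is the clean baseline for this attack."""
    def srcs(html):
        p = _IframeCollector()
        p.feed(html)
        return {a.get("src", "") for a in p.iframes}
    return sorted(srcs(served_html) - srcs(disk_html))

# Constructed sample: a clean on-disk page and the same page as served with
# an injected frame. "malicious.example" is a placeholder, not a real host.
DISK_HTML = '<html><body><h1>Hotel Roma</h1><iframe src="/booking.html" width="600" height="400"></iframe></body></html>'
SERVED_HTML = DISK_HTML.replace("</body>", '<iframe src="http://malicious.example/in.php" width="1" height="1" style="display:none"></iframe></body>')
```

In practice the served copy would come from an HTTP fetch made through the same path a visitor uses, since the injection happens at the ISP or hosting layer rather than in the site's own files.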

The rise of off-the-shelf malware packages is another
indication that compromising users' computers has become a
huge business and especially attractive for criminal
organizations. The risk of detection and capture is low: the
attackers typically install MPack on a compromised web
server, and the malware itself can be hosted on any number
of servers. Even if an MPack server is discovered and shut
down, any users who have been infected by the exploits that
MPack uses will continue to generate revenue from whatever
spyware the attackers choose to install on the compromised systems.

The advent of directed attacks on popular web sites makes it
harder for users to practice skeptical computing, as one
does not typically expect to get attacked by a popular
tourist destination's web site. The only solution is for
both web site operators and end users to ensure that their
software, including third-party software, is kept up to date.


---------------------------------------------------------------
             WWWhatsup NYC
http://pinstand.com - http://punkcast.com
--------------------------------------------------------------- 

_______________________________________________
Discuss mailing list
[email protected]
http://lists.isoc-ny.org/mailman/listinfo/discuss
