The spreading mechanism is a complex chain, but it relies on website owners
being unaware that they are compromised, and website users being unaware that
surfing through seemingly legitimate pages can actually be part of an infection
process:
1) First-level URLs are the compromised or hacked legitimate websites.
These are legitimate websites, primarily Italian, mostly advertising local
services such as tourism, hotels, auto services, music and lotto.
2) These websites were hacked and a malicious IP address (detected as HTML_IFRAME.CU)
was injected into the HTML code of the legitimate website, so that visitors
are silently redirected to another site hosting a JavaScript downloader (JS_DLOADER.NTI).
These are the second- and third-level URLs, and Trend Micro can block the
downloader.
3) This third-level URL in turn downloads another Trojan into the target system
from another fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend
Micro can also block.
4) The Trojan in turn downloads two additional Trojans from two different
fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both
of which Trend Micro can block.
5) The PAKES Trojan then downloads an information stealer, a variant of the
SINOWAL trojan, from another sixth-level URL.
Once the user visits any of the said Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This JavaScript then downloads a new member of the infection series, detected as TROJ_SMALL.HCK. JS_DLOADER.NTJ exploits browser vulnerabilities, attempting to trigger a buffer overflow in the user's Internet browser, and through this it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be “browser-aware” in that it can choose which vulnerability to take advantage of depending on the browser.
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user's temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.
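The first link in the chain above is an injection into a legitimate page that quietly frames a downloader host. The following is an added example, not code from Trend Micro or from the original post, of the kind of check a website owner can run over their own HTML to catch that pattern: it flags IFRAME tags whose src is a bare IP address or that are sized or styled to be invisible. The sample page is constructed, and the address in it is a documentation-only placeholder (RFC 5737), not an indicator from this incident.

```python
"""
Defender-side scan for injected IFRAMEs of the kind used to redirect
visitors of a compromised page to a downloader host.

Added example; the sample HTML is constructed and the IP address is a
documentation placeholder, not an indicator from the incident.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> with its attributes and the line it starts on."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            line = self.getpos()[0]
            self.iframes.append((line, {k.lower(): (v or "") for k, v in attrs}))


def _is_zero(value):
    """True for width/height values such as '0', '0px' or '1' (1-pixel frames are common)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


def _is_hidden(attrs):
    """Zero-sized frames or inline styles that hide the frame from the visitor."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero_sized = _is_zero(attrs.get("width", "")) and _is_zero(attrs.get("height", ""))
    return zero_sized or "display:none" in style or "visibility:hidden" in style


def _points_to_raw_ip(src):
    """True when the frame source host is a literal IP address rather than a name."""
    host = urlparse(src).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_iframes(html):
    """Return a list of (line, src, reasons) for iframes that look injected."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for line, attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if _points_to_raw_ip(src):
            reasons.append("src is a bare IP address")
        if _is_hidden(attrs):
            reasons.append("frame is hidden or zero-sized")
        if reasons:
            findings.append((line, src, reasons))
    return findings


# Constructed sample: a hotel page with one legitimate embed and one injected frame.
SAMPLE_PAGE = """<html><head><title>Hotel Bellavista</title></head>
<body>
<h1>Benvenuti</h1>
<iframe src="https://maps.example.com/embed?hotel=bellavista" width="400" height="300"></iframe>
<p>Prenota ora.</p>
<iframe src="http://192.0.2.10/in.cgi?ref=hotel" width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for line, src, reasons in find_suspicious_iframes(SAMPLE_PAGE):
        print(f"line {line}: {src} -> {'; '.join(reasons)}")
```

Run it against a saved copy of each page on the site; the legitimate map embed passes while the injected frame is reported with both reasons. The check is deliberately conservative (a hidden frame alone, or a raw-IP frame alone, is enough to report), because a site owner would rather review a false positive than miss the injection.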
This weekend's attack is the second time such an attack has exploited a
number of legitimate Italian Web sites to spread malicious JavaScripts.
For further information regarding this weekend's incident, please visit:
Trend Micro Malware Blog at http://blog.trendmicro.com/another-malware-pulls-an-italian-job/