Threat Overview: The Italian Job / HTML_IFRAME.CU


June 18, 2007
Agenda
• How It Works
• Status
• Messaging/Positioning
• Trend Micro Protection
• Best Practices
• Additional Information
Copyright 2007 - Trend Micro Inc.
How It Works
"The Italian Job" is a Web threat that chains several components to
silently infect the visitors of a targeted group of websites.
• First, legitimate websites are compromised and hidden iframe code,
detected as HTML_IFRAME.CU, is injected into their pages. Many of
these sites are related to tourism and travel, entertainment, autos and
adult content.
• When a user visits a compromised website, the iframe silently loads a
second site, which hosts a JavaScript downloader, JS_DLOADER.NTJ.
• The DLOADER script exploits browser vulnerabilities to download a
Trojan, TROJ_SMALL.HCK, onto the victim's system.
• Two additional Trojans are then downloaded, TROJ_AGENT.UHL and
TROJ_PAKES.NC.
• The PAKES Trojan goes on to download an information stealer, a
variant of the SINOWAL Trojan (TSPY_SINOWAL.BJ). The AGENT Trojan
can act as a proxy server that allows a remote user to connect to the
Internet anonymously via the infected PC.
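As an added example (not code from the report or from Trend Micro), the following Python script shows the kind of check a site owner or gateway could run for the injection pattern in the first step above: an iframe that loads content from a foreign host while being sized or styled to be invisible. The sample HTML, the page URL and the host names in it are constructed for illustration and are not indicators from the report.

```python
"""Heuristic scanner for injected, invisible iframes of the kind used to
redirect visitors of compromised sites to an exploit page.

Added example; the page URL, host names and HTML below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CSS fragments that make an element invisible or push it off-screen.
HIDE_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute names are lower-cased; boolean attributes have value None.
            self.iframes.append({k.lower(): v for k, v in attrs})


def _dimension(value):
    """Parse a width/height attribute like '0', '1px', ' 300 ' into an int, or None."""
    if value is None:
        return None
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else None


def is_hidden(attrs):
    """True if the iframe is sized to be invisible or hidden via inline CSS."""
    width = _dimension(attrs.get("width"))
    height = _dimension(attrs.get("height"))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    return bool(HIDE_STYLE.search(attrs.get("style") or ""))


def find_suspicious_iframes(html, page_url):
    """Return the src URLs of hidden iframes that load content from another host.

    A hidden same-host iframe is usually the site's own plumbing; a hidden
    iframe pulling from a foreign host is the injection pattern described here.
    Relative src values have no host and are therefore never flagged.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        src_host = (urlsplit(src).hostname or "").lower()
        external = bool(src_host) and src_host != page_host
        if external and is_hidden(attrs):
            findings.append(src)
    return findings


# Constructed sample page: one visible embed from the site's own host, one
# visible third-party embed, and one injected zero-size, hidden iframe.
SAMPLE_HTML = """<html><body>
<h1>Welcome to our hotel</h1>
<iframe src="http://www.example.com/map" width="400" height="300"></iframe>
<iframe src="http://video.example.org/player" width="640" height="360"></iframe>
<iframe src="http://stats.example.net/counter.php" width="0" height="0"
        frameborder="0" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url in find_suspicious_iframes(SAMPLE_HTML, "http://www.example.com/index.html"):
        print("suspicious hidden iframe:", url)
```

Only the zero-size iframe pointing at the foreign host is reported; the visible third-party embed and the site's own map frame are left alone. The size and style heuristics are deliberately loose (anything 1 pixel or smaller, `display:none`, `visibility:hidden`, or a large negative offset), so a real deployment would review hits rather than block on them automatically.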
The Infection Chain
Status
• Over 3K websites in Italy have been compromised
• Approximately 12-15K visitors to these websites have
been infected
– While the majority of infections have been to Italian users, users
in Spain and the US have been affected and, to a lesser extent,
users from other parts of the world as they access the infected
sites.
• One ISP hosted 90% of affected sites; a second hosted
the remaining 10%
• A malware toolkit, MPack v.86, was used to create the
initial downloader. Previous versions of this toolkit were
available for purchase via a Russian website for ~$700.
• Trend Micro's Web Reputation Service (WRS) and URL Filtering were
updated to block the downloader and Trojan as of June 16
Messaging/Positioning
• The Italian Job is a textbook example of today's threat
environment
– Web-based, blended, sequential, targeted, profit-driven
• It is highly likely that this type of attack will occur again,
affecting users in another region
– JavaScript and the other client-side technologies that make
Web 2.0 interactive are highly susceptible to this kind of abuse
– Malware toolkits are sold on the Internet and frequently
updated
– Automated tools and technologies, such as bots, enable rapid
proliferation of malware and crimeware
• Trend Micro provides a variety of products that protect both
home users and businesses from this type of attack
Trend Micro Protection
All products below provide protection against the Italian Job
• Products that block the URLs of malicious websites:
– OfficeScan 8.0
– Trend Micro Internet Security 2007
– InterScan Gateway Security Appliance 1.0, 1.1 and 1.5
– ISVW 6.0
– InterScan Web Security Appliance (2500 v2.5)/Suite
• Products that scan for malware and spyware downloads:
– IMSS 7.0
– IMSA 5000 v7.0
– IGSA 1.0, 1.1 and 1.5
– SMEX 7.0 and 8.0
– SMLN 3.0
– IMHS
– Trend Micro Internet Security 2007
• HouseCall detects and cleans the malware associated with this
threat
Best Practices -- Corporate Users
• Deploy HTTP scanning and make sure users cannot bypass it:
force all web requests through the scanning device and deny
direct outbound web access otherwise.
• Do not allow unneeded protocols to enter the corporate
network. The most dangerous of them are P2P communication
protocols and IRC (chat).
• Deploy vulnerability scanning software on the network
and keep all applications patched.
• Restrict user privileges for all network users.
• Deploy corporate anti-spyware scanning.
• Support user awareness campaigns.
Best Practices – Home Users
• Beware of pages that require software installation. Do not allow new
software installation from your browser unless you absolutely trust
both the Web page and the provider of the software.
• Scan any program downloaded from the Internet with updated antivirus
and anti-spyware software. This includes downloads from P2P networks,
the Web and any FTP server, regardless of the source.
• Beware of unexpected strange-looking emails, regardless of their
sender. Never open attachments or click on links contained in these
email messages.
• Enable the “Automatic Update” feature in your Windows operating
system and apply new updates as soon as they are available.
• Always have an antivirus real-time scan service. Monitor regularly
that it is being updated and that the service is running.
Additional Information
• HTML_IFRAME.CU:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_IFRAME.CU
• JS_DLOADER.NTJ:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.NTJ
• TROJ_SMALL.HCK:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EHCK&VSect=P
• TROJ_PAKES.NC:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPAKES%2ENC&VSect=P
• TROJ_AGENT.UHL:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.UHL
• TSPY_SINOWAL.BJ:
http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY%5FSINOWAL%2EBJ