Security Alerts and vulnerabilities Lets keep abreast on the latest threats by posting those findings here..

06-15-2007, 05:11 PM
Symantec
Italy Under Attack: Mpack Gang Strikes Again!

<p>We verified a report of a large-scale web attack ongoing in Italy at the moment. The attack is similar to what we described in <a href="http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html">our previous blog</a>; it just uses a new, different final domain, which runs the hostile exploits of the Mpack 0.86 kit.</p>


<p>The gang behind the attack had successfully compromised the homepages of hundreds of legitimate Italian websites. We checked many of them and we verified that they now include a malicious IFRAME (detected as Trojan.Mpkit!html) which redirects to the same bad IP address. The list of compromised sites is huge and, from Mpack statistics, this attack is working efficiently (the statistics page reports 65K unique visitors with almost 7K exploited browsers). Here are some examples of legitimate websites that at the moment are redirecting to the malicious Mpack host:</p>

<p> hxxp://www.asa[REMOVED].it (IT company)<br />
 hxxp://www.easyca[REMOVED].it (car rental)<br />
 hxxp://www.cafit[REMOVED].org (tax service)<br />
 hxxp://www.ladolcevi[REMOVED].com (apartments/hotels)<br />
 hxxp://www.cislanc[REMOVED].it (trade unions of a city)<br />
 hxxp://www.offertav[REMOVED].com (travels in Italy)<br />
 hxxp://www.hotelce[REMOVED].it (hotel)<br />
 hxxp://www.vnemba[REMOVED].it/ (some embassy?!?)<br />
 hxxp://www.comunedica[REMOVED].it (city council)<br />
 hxxp://www.saccoeuro[REMOVED].it (popular IT store)<br />
 hxxp://www.comune.bisi[REMOVED].it (city council)<br />
 hxxp://www.step[REMOVED].it (IT company)<br />
 …and many many others!</p>

<p>We are not sure how those sites became compromised, but it is most likely some vulnerability or configuration issue at the ISP/hosting level. We are working actively to notify the Italian CERT and authorities about this situation and we hope that all the compromised websites will be contacted soon to fix the problem. Probably many of them are not aware of the issue.</p>


<p>In the meantime I strongly encourage all Italian users to update their antivirus programs and install all the recent patches on their machines, not only the ones for Microsoft products. Mpack in fact also exploits vulnerabilities in other browser components such as QuickTime and WinZip.</p>

<p>Many thanks to a good Italian friend who helped to track the source of this attack.<br />
</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/06/italy_under_attack_mpack_gang.html
Fri, 15 Jun 2007 14:00:00 -0800
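
One way a site owner could check their own pages for the kind of injected IFRAME the post describes (a frame pointing at an off-site IP address), as an added example that is not code from the original post or from Symantec. The "hidden" heuristic, the host names, the sample HTML and the 192.0.2.10 documentation address are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one same-site frame, one named off-site frame,
# and one frame pointing at a raw IP (192.0.2.10 is a documentation address).
SAMPLE = """<html><body><h1>Hotel</h1>
<iframe src="/map.html" width="400" height="300"></iframe>
<iframe src="https://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://192.0.2.10/index.php" width=0 height=0></iframe>
</body></html>"""

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _tiny(value):
    # Assumption: a width/height of 0 or 1 means the frame is meant to be invisible.
    return "".join(c for c in (value or "") if c.isdigit()) in ("0", "1")

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return  # relative or same-site frame: not reported
        reasons = ["off-site"]
        if _is_ip(host):
            reasons.append("ip-literal")  # frame source is a bare IP, as in the post
        style = a.get("style", "").replace(" ", "").lower()
        if (_tiny(a.get("width")) and _tiny(a.get("height"))) \
                or "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        self.findings.append((host, reasons))

def audit(html, site_host):
    """Return [(frame_host, [reasons])] for every off-site iframe in html."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit(SAMPLE, "www.hotel.example")` reports both off-site frames; only the IP-literal one also carries the "ip-literal" and "hidden" reasons, which is the combination worth reviewing first against a known-good copy of the page.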