MPack Trojan Attack Claims 10,000 Web Sites

Security vendors report that a massive Web attack, dubbed the "Italian Job," has now compromised as many as 10,000 Web sites.

Researchers at Trend Micro are reporting that as many as 10,000 Web sites have been infected with malicious code that redirects unsuspecting users to a server booby-trapped with drive-by exploits—part of a wave of attacks originating in Italy and now spreading through Europe.

Dubbed the "Italian Job" by Trend Micro, the attack was first uncovered June 15. Legitimate sites were hacked to include a malicious iframe tag redirecting visitors to servers armed with a tool called MPack, an exploit kit that can target security holes in multiple products.

According to Trend Micro, once a user visits any of the compromised Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by the company as JS_DLOADER.NTJ.
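As an added illustration, not code from Trend Micro or from the article, the following Python check looks for the kind of injected redirector the attack relies on: an iframe that is invisible to the visitor (one pixel or hidden by style) and points at a host the site does not own, often a bare IP address. The sample page, the site host name and the 203.0.113.45 address are constructed for the example, and the heuristics are assumptions about what such an injection looks like, not a description of the actual MPack code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate shop page with a normal video embed,
# a local frame, and one injected, hidden frame pointing at a bare IP host.
SAMPLE_HTML = """
<html><body>
<h1>Welcome to our shop</h1>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://203.0.113.45/counter.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/sidebar.html" width="300" height="200"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; names are already lowercased
            self.iframes.append(dict(attrs))


def _dimension(value):
    """Parse a width/height attribute like '1', '1px' or '560' into an int."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_suspicious(attrs, site_host):
    """Return the list of reasons an iframe looks like an injected redirector."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host != site_host:
        reasons.append("external host")
    if host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("bare IP address")
    w, h = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("zero/one-pixel size")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "visibility:hidden" in style or "display:none" in style:
        reasons.append("hidden by style")
    return reasons


def find_injected_iframes(html, site_host):
    """Return (src, reasons) for iframes that match at least two indicators.

    A single indicator (e.g. an external video embed) is normal on many sites;
    an external or IP-addressed frame that is also invisible is the pattern
    described for the compromised sites.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = is_suspicious(attrs, site_host)
        if len(reasons) >= 2:
            findings.append((attrs.get("src"), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_injected_iframes(SAMPLE_HTML, "www.example-shop.com"):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```

Run it against a page fetched from your own site (not from an untrusted one) with the site's real host name; a hit should be confirmed by looking at the server-side file, since the injection may be added at serve time by a compromised script or template rather than sitting in static HTML.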


The JavaScript attempts to exploit a buffer overflow vulnerability in unpatched browsers to download TROJ_SMALL.HCK, company officials said.

Since June 15, the number of sites affected by the attack has multiplied several times over, said David Perry, global director of education for Trend Micro, based in Cupertino, Calif.

"There are already somewhere between 5,000 and 10,000 Web sites affected by this," Perry said. "There's nothing that all these Web sites have in common. I'm calling it a Web-idemic."

According to Websense, based in San Diego, the regions most affected by the situation have been Italy and Spain.

In a blog posting June 15, Symantec researcher Elia Florio advised Italian users to update their anti-virus products and make sure all the recent patches are installed on their machines.
