'Italian job' Web attack hits 10,000 sites

Online criminals have launched a widespread Web attack that has turned tens of thousands of legitimate Web sites into weapons, security vendors said Monday.

The attack began late last week and by Monday morning, more than 10,000 Web sites had been compromised, according to security firms Trend Micro and Websense.

Although attackers have hit targets around the world lately, more than 80% of the infections are on Italian Web sites, said David Perry, global director of education with Trend Micro. "Almost all of the Web sites we saw this weekend were in Italy; We were referring to it as 'Italian Job 3,' in-house," he said referring to the Michael Caine heist film that was remade in 2003.

Most of the infected Web sites are legitimate, Perry added. "These aren't porn sites, they aren't gambling sites; they are hotels, fish-and-tackle sites, tourist information," he said.

Even local Italian government Web sites have been infected, and most of the affected sites are hosted by one of Italy's largest Web service providers, Trend Micro said.

Infected Web sites contain a short piece of HTML "iFrame" code that redirects the victim's Web browser to a server that attempts to infect the victim's computer using a tool called "MPack."

MPack can launch a variety of different attacks against the victim's PC, depending on which browser and operating system is running. It exploits a number of well-known bugs that have already been patched, meaning it is dangerous to people who are not running an updated version of their browser, Perry said. "If they have a browser that hasn't been patched, their machine is going to be compromised."

The malware can be used to attack Internet Explorer, Firefox, and even the Opera browser.

MPack installs a keylogger and a Trojan downloader program on compromised PCs so that the attackers can monitor the victim's activity and run other unauthorized programs on the computer. "They can turn your computer into anything they want," Perry said.

The FBI is investigating the matter, according to Perry. "This is an absolutely criminal activity," he said. "They're attaching keyloggers to many thousands of people's computers without their consent"

While the technique these criminals are using to infect PCs isn't new, "an attack on this scale is notable for both its ambition and the coordination involved in pulling something like this off," said Chris Boyd, a researcher at FaceTime Communications Inc., via instant message. "Users should ensure they're fully patched, as the hackers are relying on you running exploitable systems to gain entry into your PC."

The IDG News Service is a Network World affiliate.