1 / 10

Threat Overview: The Italian Job / HTML_IFRAME.CU

Threat Overview: The Italian Job / HTML_IFRAME.CU. June 18, 2007. Agenda. How It Works Status Messaging/Positioning Trend Micro Protection Best Practices Additional Information. How It Works.

Download Presentation

Threat Overview: The Italian Job / HTML_IFRAME.CU

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007

  2. Agenda • How It Works • Status • Messaging/Positioning • Trend Micro Protection • Best Practices • Additional Information Classification

  3. How It Works “The Italian Job” is a Web threat that uses multiple components to surreptitiously infect a targeted group of users. • First, URLs of legitimate websites are compromised by HTML_IFRAME.CU, a malware that takes advantage of an iFrame vulnerability. Many of these sites are related to tourism and travel, entertainment, autos and adult content. • When a user visits a compromised website, s/he is redirected to a second site, which contains a Javascript downloader, JS_DLOADER.NTJ. • DLOADER exploits browser vulnerabilities to download a Trojan, TROJ_SMALL.HCK, onto the target system. • Two additional Trojans are downloaded, TROJ_AGENT.UHL and TROJ_PAKES.NC. • The PAKES Trojan goes on to download an information stealer, a variant of the SINOWAL Trojan. The AGENT Trojan can act as a proxy server that allos a remote user to anonymously connect to the Internet via an infected PC. Classification

  4. The Infection Chain Classification

  5. Status • Over 3K websites in Italy have been compromised • Approximately 12-15K visitors to these websites have been infected • While the majority of infections have been to Italian users, users in Spain and the US have been affected and, to a lesser extent, users from other parts of the world as they access the infected sites. • One ISP hosted 90% of affected sites; a second hosted the remaining 10% • A malware toolkit, MPack v.86, was used to create the initial downloader. Previous versions of this toolkit were available for purchase via a Russian website for ~$700. • Trend’s WRS and URL Filtering were updated to block the downloader and Trojan as of June 16 Classification

  6. Messaging/Positioning • The Italian Job represents a textbook example of today’s threat environment • Web-based, blended, sequential, targeted, profit-driven • It is highly likely that this type of attack will occur again, affecting users in another region • Javascript and the other types of technologies that enable the goodness of Web 2.0 are highly susceptible to such attacks • Malware toolkits are available for sale on the Internet and frequently updated • Automated tools and technologies, such as bots, enable speedy proliferation of malware and crimeware • Trend Micro provides a variety of innovative products that protect both home users and businesses from this type of attack Classification

  7. Trend Micro Protection All products below provide protection against the Italian Job • Products that block the URLs from malicious websites: • OfficeScan 8.0 • Trend Micro Internet Security 2007 • InterScan Gateway Security Appliance 1.0, 1.1 and 1.5 • ISVW 6.0 • InterScan Web Security Appliance (2500 v2.5)/Suite • Products that scan for malware and spyware downloads: • IMSS 7.0 • IMSA 5000 v7.0IGSA 1.0, 1.1 and 1.5 • SMEX 7.0 and 8.0 • SMLN 3.0 • IMHS • Trend Micro Internet Security 2007 • HouseCall detects and cleans the malware associated with this threat Classification

  8. Best Practices -- Corporate Users • Deploy HTTP-scanning and make sure users cannot bypass. Force users to forward all web requests to the scanning device and deny them otherwise. • Do not allow unneeded protocols to enter the corporate network. The most dangerous of them are P2P communication protocols and IRC (chat). • Deploy vulnerability scanning software in the network and keep all applications patched. • Restrict user privileges for all network users. • Deploy corporate anti-spyware scanning. • Support User Awareness campaigns. Classification

  9. Best Practices – Home Users • Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software. • Scan with an updated antivirus and anti-spyware software any program downloaded through the Internet. This includes any downloads from P2P networks, through the Web and any FTP server regardless of the source. • Beware of unexpected strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages. • Enable the “Automatic Update” feature in your Windows operating system and apply new updates as soon as they are available. • Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running. Classification

  10. Additional Information • HTML_IFRAME.CU: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_IFRAME.CU • JS_DLOADER.NTJ: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.NTJ • TROJ_SMALL.HCK: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EHCK&VSect=P • TROJ_PAKES.NC: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPAKES%2ENC&VSect=P • TROJ_AGENT.UHL: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.UHL • TSPY_SINOWAL.BJ: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY%5FSINOWAL%2EBJ Classification

More Related