Fast-moving web threat spreads around the world

Security researchers at Trend Micro reported an accelerating infection in Italy of seemingly legitimate web pages loaded with malicious code that could plant a keylogger to steal user passwords, or turn computers into proxy servers for various other attacks.

Analyzed data indicates that tens of thousands of users worldwide have already accessed compromised urls, oblivious to the threat as a result of their natural web surfing activity. The initial HTML malware takes advantage of a vulnerability in so-called “iFrames” that are commonly used on websites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit.

On the IP page where the affected browser is initially redirected, the malware toolkit statistics page displays information on how users visiting legitimate Italian Web sites are getting redirected to the host from where the download chain begins.

The spreading mechanism is a complex chain, but it relies on website owners being unaware that they are compromised, and website users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process:

1. First-level URLs are the compromised or hacked legitimate websites. They are legitimate websites primarily Italian and mostly advertising local services for tourism, hotels, auto-services, music, lotto and so on.

2. These websites were hacked and a malicious IP address (HTML_IFRAME.CU) is inserted or injected into the HTML code of the legitimate website so that users will be redirected to another site with a Javascript downloader (JS_DLOADER.NTJ). These are the second and third level URLs, and Trend Micro can block the downloader.

3. This third-level URL in turn downloads another Trojan into the target system from another fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend Micro can also block.

4. The Trojan in turn downloads two additional Trojans from two different fifth-level URLs.These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both of which Trend Micro can block.

5. The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL trojan, from another sixth-level URL.
Once the user visits any of the said Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by Trend Micro as JS_DLOADER.NTJ. This JavaScript then downloads a new member in the infection series detected as TROJ_SMALL.HCK. Trying to cause a buffer overflow on the user’s Internet browser, JS_DLOADER.NTJ exploits browser vulnerabilities. Through this, it is able to download TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be “browser-aware” in that it can choose which vulnerability to take advantage of depending on the browser.

TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user’s temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.