Threat Overview: The Italian Job / HTML_IFRAME.CU

About This Presentation
Title:

Threat Overview: The Italian Job / HTML_IFRAME.CU

Description:

Many of these sites are related to tourism and travel, entertainment, autos and adult content. ... MPack v.86, was used to create the initial downloader. ... – PowerPoint PPT presentation

Slides: 11
Provided by: kris69


Transcript and Presenter's Notes

1
Threat Overview: The Italian Job / HTML_IFRAME.CU
  • June 18, 2007

2
Agenda
  • How It Works
  • Status
  • Messaging/Positioning
  • Trend Micro Protection
  • Best Practices
  • Additional Information

3
How It Works
  • The Italian Job is a Web threat that uses
    multiple components to surreptitiously infect a
    targeted group of users.
  • First, URLs of legitimate websites are
    compromised by HTML_IFRAME.CU, a malware that
    takes advantage of an iFrame vulnerability. Many
    of these sites are related to tourism and travel,
    entertainment, autos and adult content.
  • When a user visits a compromised website, s/he is
    redirected to a second site, which contains a
    JavaScript downloader, JS_DLOADER.NTJ.
  • DLOADER exploits browser vulnerabilities to
    download a Trojan, TROJ_SMALL.HCK, onto the
    target system.
  • Two additional Trojans are downloaded,
    TROJ_AGENT.UHL and TROJ_PAKES.NC.
  • The PAKES Trojan goes on to download an
    information stealer, a variant of the SINOWAL
    Trojan. The AGENT Trojan can act as a proxy
    server that allows a remote user to anonymously
    connect to the Internet via an infected PC.
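The first stage described above is an iframe injected into an otherwise legitimate page, typically sized to zero pixels or hidden by CSS and pointing at a third-party host. The following is an added detection example (not Trend Micro code and not from the presentation): it parses a constructed sample page and flags iframes that are both hidden and off-origin. Hostnames in the sample are placeholders.

```python
"""Flag hidden, off-site iframes of the kind used to redirect visitors of
compromised pages. Added example; the sample HTML below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a "compromised" page (hostnames are placeholders).
SAMPLE_HTML = """<html><body>
<h1>Hotel booking</h1>
<iframe src="http://www.example-hotel.invalid/map.html" width="400" height="300"></iframe>
<iframe src="http://exploit-host.invalid/in.cgi" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/banner.html" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 pixel ('0', '0px', '1')."""
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Zero-size or CSS-hidden frames are the classic injected-iframe tell."""
    style = attrs.get("style", "").lower().replace(" ", "")
    return (_is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def is_offsite(src, page_host):
    """Relative URLs have no hostname and count as same-site."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def find_suspicious_iframes(html, page_host):
    """Return the src of every iframe that is both hidden and off-origin."""
    parser = IframeCollector()
    parser.feed(html)
    return [f.get("src", "") for f in parser.frames
            if is_hidden(f) and is_offsite(f.get("src", ""), page_host)]


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "www.example-hotel.invalid"):
        print("suspicious hidden off-site iframe:", src)
```

The visible map frame and the hidden but same-site banner frame are left alone; only the zero-size frame pulling from another host is reported.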

4
The Infection Chain

5
Status
  • Over 3K websites in Italy have been compromised
  • Approximately 12-15K visitors to these websites
    have been infected
  • While the majority of infections have been to
    Italian users, users in Spain and the US have
    been affected and, to a lesser extent, users
    from other parts of the world as they access the
    infected sites.
  • One ISP hosted 90% of the affected sites; a
    second hosted the remaining 10%
  • A malware toolkit, MPack v.86, was used to create
    the initial downloader. Previous versions of
    this toolkit were available for purchase via a
    Russian website for $700.
  • Trend's WRS and URL Filtering were updated to
    block the downloader and Trojan as of June 16

6
Messaging/Positioning
  • The Italian Job represents a textbook example of
    today's threat environment
  • Web-based, blended, sequential, targeted,
    profit-driven
  • It is highly likely that this type of attack will
    occur again, affecting users in another region
  • JavaScript and the other types of technologies
    that enable the goodness of Web 2.0 are highly
    susceptible to such attacks
  • Malware toolkits are available for sale on the
    Internet and frequently updated
  • Automated tools and technologies, such as bots,
    enable speedy proliferation of malware and
    crimeware
  • Trend Micro provides a variety of innovative
    products that protect both home users and
    businesses from this type of attack

7
Trend Micro Protection
  • All products below provide protection against the
    Italian Job
  • Products that block the URLs from malicious
    websites
      • OfficeScan 8.0
      • Trend Micro Internet Security 2007
      • InterScan Gateway Security Appliance 1.0, 1.1
        and 1.5
      • ISVW 6.0
      • InterScan Web Security Appliance (2500
        v2.5)/Suite
  • Products that scan for malware and spyware
    downloads
      • IMSS 7.0
      • IMSA 5000 v7.0
      • IGSA 1.0, 1.1 and 1.5
      • SMEX 7.0 and 8.0
      • SMLN 3.0
      • IMHS
      • Trend Micro Internet Security 2007
  • HouseCall detects and cleans the malware
    associated with this threat

8
Best Practices -- Corporate Users
  • Deploy HTTP scanning and make sure users cannot
    bypass it. Force users to forward all web
    requests to the scanning device and deny them
    otherwise.
  • Do not allow unneeded protocols to enter the
    corporate network. The most dangerous of them are
    P2P communication protocols and IRC (chat).
  • Deploy vulnerability scanning software in the
    network and keep all applications patched.
  • Restrict user privileges for all network users.
  • Deploy corporate anti-spyware scanning.
  • Support User Awareness campaigns.

9
Best Practices -- Home Users
  • Beware of pages that require software
    installation. Do not allow new software
    installation from your browser unless you
    absolutely trust both the Web page and the
    provider of the software.
  • Scan any program downloaded through the Internet
    with updated antivirus and anti-spyware
    software. This includes any downloads from P2P
    networks, through the Web and from any FTP
    server, regardless of the source.
  • Beware of unexpected strange-looking emails,
    regardless of their sender. Never open
    attachments or click on links contained in these
    email messages.
  • Enable the Automatic Update feature in your
    Windows operating system and apply new updates as
    soon as they are available.
  • Always have an antivirus real-time scan service.
    Monitor regularly that it is being updated and
    that the service is running.

10
Additional Information
  • HTML_IFRAME.CU
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_IFRAME.CU
  • JS_DLOADER.NTJ
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.NTJ
  • TROJ_SMALL.HCK
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EHCK&VSect=P
  • TROJ_PAKES.NC
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPAKES%2ENC&VSect=P
  • TROJ_AGENT.UHL
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.UHL
  • TSPY_SINOWAL.BJ
    http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY%5FSINOWAL%2EBJ