Russian hackers hijack Italian sites to serve exploits

Russian hackers hijack Italian sites to serve exploits

Summary: The Russian crime ring behind the infamous WebAttacker/MPack exploit toolkit hacked into thousands of Italian Web sites over the weekend and used a one-line snippet of code to redirect surfers to a server rigged with drive-by exploits.

SHARE:
TOPICS: Security
45

The Russian crime ring behind the infamous WebAttacker/MPack exploit toolkit hacked into thousands of Italian Web sites over the weekend and used a one-line snippet of code to redirect surfers to a server rigged with drive-by exploits.

MPack statisticsThe ongoing attacks, which is reminiscent of the Dolphin Stadium site breach in February, uses a malicious IFRAME tag embedded into the hacked site to handle the redirection to the malware-laden server.

Around midday today, the server hosting the exploits was live and anti-virus researchers tracking the attacks have found more than 8,000 hijacked Italian Web sites.

The sites at risk cover a wide range of Internet interests -- from cars and racing (likely to take advantage of the formula one weekend), hotels, sports, music, lottery and pornography were all victims. Even web sites connected to Jon Bon Jovi and Mother Teresa weren’t spared, according to virus researchers at Trend Micro.

Here's a diagram of the attack scenario from Trend Micro's Carolyn Guevarra:

italian_iframe.gif

The MPack exploit kit used in this attacks contain a stats counter that spell out in detail the types of exploits used, the number of compromised computers and types of browsers used by the victim (see screenshot above). In this case, it is clear that some newer exploit modules have been added to take aim at flaws in Firefox, Opera and even Apple's QuickTime media player.

Symantec's Elia Floria provides a glimpse at the statistics:

The list of compromised sites is huge and from Mpack statistics this attack is working efficiently (the statistic page reports 65K unique visitors with almost 7K exploited browsers).

It is important to note that the exploits are targeting vulnerabilities that have already been patched so the best defense is to ensure that your machine is fully patched (OS and applications running on top).

Secunia's free software inspector is a nice place to start scanning your machine to look for weak spots. This tool will detect insecure versions of applications installed, verify that all Microsoft patches are applied and assist you in updating your system and applications .

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

45 comments
Log in or register to join the discussion
  • No mention of OS involved......

    Based on the other bonets discovered, I can bet that all of these systems were MS Windows.

    It would have been more telling if the OS involved was listed though.
    linux for me
    • That you want or need to be told that...

      ...says a lot about you.

      I'll leave it up to you to figure out what "a lot" means.

      Good luck.
      toadlife
    • Looks like all OS have been targeted.

      OS X (Apple Quicktime) and *nix (Firefox, Opera) are also being exploited as well.

      Statistically, IE would be most targeted and exploited since more lusers use it.
      Mr. Roboto
      • not my understanding...windows only....

        my understanding of the mpack exploits was that even the firefox, quicktime, opera flaws are targeted at windows users. the diagrams that show the method of exploit code and the exploit code being used point exclusively to a windows bot net harvesting effort.

        of course what the compromised server were running is an entirely different story...most likely apache and linux...but perhaps these were also win/iis. anyone know?
        jjarman
    • My understanding is , that Windows is being exploited .

      I see Quicktime and Firefox are involved , but it has to do with Windows only . At the bottom of the story Windows is mentioned , but not OS X or Linux . I was wondering why there weren't many Windows users on the web . Even my friends who use Windows aren't on the web either .
      Intellihence
      • Your understanding is nil.

        Heck, your ability to understand is nil...
        No_Ax_to_Grind
        • Is that your best takes .

          I see you Windows Zealots become really offended when your precious MS products get the shaft . I hope it hurts , and I hope it hurts even more by the end of this summer .
          Intellihence
          • "end of summer" threat?

            Ummm, you did read this part, right?

            "It is important to note that the exploits are targeting vulnerabilities that have already been patched."

            The news here really is the server hacks.
            rtk
    • OSX has been owned

      The [url=http://www.networkworld.com/news/2007/050207-apple-patches-hack-challenges-quicktime.html?inform] Quicktime vulnerability [/url] being exploited is the one that was made public a little while ago on OSX. There have been 300,000 hacked OSX machines already, many of them in North America. Have you virus scanned your Mac recently? Better do it now!
      NonZealot
      • Message has been deleted.

        Intellihence
      • wow, your facts are soooo......made up!

        300,000 hacked mac osx machines? lol...

        um...the flaw was patched before any wild exploit, so any mac with an internet connection would have been updated automatically and not affected. where did you find your numbers? link?

        my macs, just like my pc's and linux boxes, do have anti-virus, outbound application filtering, firewalls, etc. no matter the os, i don't run with scissors and always wear protection. Better safe then sorry, plus coming from a highly redmond centric background I'm used to having to crank down the security to visit the more interesting places on the net.

        the mpack quicktime exploit is for win...sorry.
        jjarman
      • Where are your facts Zealot ?

        Yes the Quicktime vulnerability was affecting Windows . Get your facts straight , I believe everyone is fed up with yours and Ye's F.U.D.
        I'm Ye, the MS SHILL .
  • What would *realy* help...

    Would be to show the whole IP/name of the server serving up the sh[patch]. From the links showing the hack, the IP seems to be 58.65.2xx.180 (maybe 25x for the third octet).

    Some of us would like to program our firewalls and HOSTS files to keep from being redirected to the sh[patch]trap.
    Mr. Roboto
    • Third octet

      >>>maybe 25x for the third octet

      39

      Be careful out there.

      _ryan
      Ryan Naraine
      • 239

        Correction: 239

        _ryan
        Ryan Naraine
  • important story, but sensationalism ruins it

    this is an important piece of information to get out, particularly that these web sites need to be avoided until they've been taken down and cleaned and protected, and that users need to update their windows & ie software and their anti-virus defs. & tools.

    however, the articles good info is [b][i]utterly ruined[/i][/b] by ryan naraine's sensationalist headline and chicken little crying forth, [b]OHMIGAWD! IT'S ALL THE RUSSIAN MOB!!![/b]. puh-leez.

    the truth, and naraine should well know this and report it as such, the mpack exploit tool kit may have originated with russian hackers and/or mob ties, but the truth is this tool kit can be sold to [b][i]anyone[/i][/b] in the world who could have hacked these italian tourism web sites.

    the truth is, and naraine knows this also, the fbi and foreign police agencies like interpol do [b][i]not[/i][/b] know yet who specifically hacked these thousands of italian tourism web sites, only that they probably purchased the mpack tool kit from the russians to do it.

    the reuters article on this is far more sober and even handed, and gives users the info they really need to avoid being infected ?

    http://www.reuters.com/article/internetNews/idUSN1838812020070618

    and yes, for those wondering what OS, it is windows, and an older exploit in i.e. that is the vulnerability. updating all your windows security and i.e., as well as all your anti-virus defs. and tools is highly recommended. also, avoid booking that italian dream vacation for a little bit, at least until all those sites have been taken down, cleaned and protected. ;o)

    that, or use firefox or apple's safari for windows for your web browsing. or just use a mac or linux in general. ;o)))

    [b][i]this[/i][/b] is the kind of non-sensationalist, but basic nuts and bolts good information based on the facts that users really need to read. not the fact that naraine has some sort of hard-on for blaming things on the russian mob when the truth is the fbi and other foreign police agencies still don't know who really pulled off this "italian job." whomever is naraine's editor should really call him to task for trying to garner more web hits through needless sensationalism when he [b][i]knows[/i][/b] those are not the facts as of yet.
    faddah
    • Hang on a minute.

      Are you sayng its Windows SERVERS that have been hacked? Don't think so...
      No_Ax_to_Grind
      • Erm...

        www.adriahotel.it at least runs (or ran) Windows Server 2003, with IIS 6.0, so it is just possible that windows servers are being hacked/owned. Have a nice day.
        zkiwi
        • I can't believe how offended No_Axe & NonZealot have become over this .

          Not to worry guys , when this is all over with I won't even mention it in the future . NOT ! This is one good day . I jope your feelings got crushed over this one . Security , schmasurity my *ss . Thats what happens when you live on the dark side . This one was coming for the longest time . HAVE A NICE DAY/NIGHT !!!


          "In a world without walls & fences , who needs windows & gates."
          Intellihence
          • Huh?

            There's no evidence what server OS(es) were hacked, and the exploits were all for patched vulnerabilities.

            Plonk.
            rtk