Researchers at Trend Micro are reporting that as many as 10,000 Web sites have been infected with malicious code that redirects unsuspecting users to a server booby-trapped with drive-by exploits—part of a wave of attacks originating in Italy and now spreading through Europe.
Dubbed the “Italian Job” by Trend Micro, the attack was first uncovered June 15. Legitimate sites were hacked to include a malicious iFrames tag redirecting visitors to servers armed with a tool called MPack, an exploit tool that can target security holes in multiple products.
According to Trend Micro, once a user visits any of the compromised Web sites, the affected computer is directed to another IP address that contains the malicious JavaScript detected by the company as JS_DLOADER.NTJ.
Click here to read about a keylogging variant of a Russian Trojan that dodges anti-virus detection.
The JavaScript attempts to exploit a buffer overflow vulnerability in unpatched browsers to download TROJ_SMALL.HCK, company officials said.
Since June 15, the number of sites affected by the attack has multiplied several times over, said David Perry, global director of education for Trend Micro, based in Cupertino, Calif.
“There are already somewhere between 5,000 and 10,000 Web sites affected by this,” Perry said. “There’s nothing that all these Web sites have in common. I’m calling it a Web-idemic.”
According to Websense, based in San Diego, the regions most affected by the situation have been Italy and Spain.
In a blog posting June 15, Symantec researcher Elia Florio advised Italian users to update their anti-virus products and make sure all the recent patches are installed on their machines.
