‘Italian Job’ trojan could lead to future localized attacks


Security researchers said today that the recent MPACK-aided trojan attack is a sign that future mass-attacks may become increasingly localized.

The MPACK delivery device for malware was used to propagate trojan attacks this month, mostly affecting users in Italy.

Dave Cole, director of Symantec Security Response, said today that MPACK-related attacks are unique for both their use of existing websites and their regional nature.

"If (attackers) are using an existing site where there is already traffic, people expect that the site is benign and they’re not expecting (an attack)," he said. "The other big ticket thing is that historically, threats have been global in nature…if you look at this attack, it was really limited to Italy. A lot of these more deceptive attacks have pushed the threat to where it’s really more regional."

Ken Dunham, director of the rapid response team at VeriSign iDefense, said on Wednesday that a Russian underground hacker named $ash was selling the MPACK device for between $500 and $1,000.

The hacking tool exploits a number of Windows flaws and claims a 50-percent success rate in silent attacks launched against web browsers, according to Dunham.

"The Russian Business Network (RBN) is one of the most notorious criminal groups on the internet today. A recent MPACK attack installed Torpig malicious code hosted on an RBN server. RBN is closely tied to multiple attacks including cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock and many other criminal attacks to date," he said. "Nothing good ever comes out of the Russian Business Network net block."

Researchers said the attack infected nearly 10,000 websites by Monday.

Commonly referred to as the "Italian Job" trojan due to the majority of infected pages being hosted in Italy, the malware downloads a keylogger designed to steal banking and confidential information through a wide range of web-infection downloads.

Randy Abrams, director of technical education at ESET, said today that users and administrators must keep their systems patched to prevent similar attacks.

"It’s like if you don’t have a lock on your door and you catch a burglar in your house and then you don’t do anything to fix the door. If users keep their (operating systems) and their applications patched, they’re not going to be impacted by MPACK," he said.




