R. Fink | Can't just forget about this cyberhit

The Packet Rat


Michael J. Bechetti

'Well, here we go,' the Rat mumbled as he worked his way through his morning threat report. 'Yet another reason to distrust Web 2.0.'

The whiskered one's worry lines were deepening because of a recent Trojan horse that has been sweeping across Web sites, infecting more than 10,000 sites with a stealthy malware downloader.

A large number of the sites affected thus far are in Italy and Spain, leading Trend Micro to dub the attack 'The Italian Job.'

Apparently a professional hit by hardened cybermobsters, the malware scare came on more abruptly than the end of the last 'Sopranos' episode, leaving site managers scrambling to figure out what had happened.

Although none of the Rat's sites has been attacked, he's concerned because the attack has affected a variety of entertainment, travel and music sites, the kinds of sites he's always trying to keep users from visiting from inside his network anyway.

A site that tries to collect money for Mother Teresa's charities and a Bon Jovi music site were among those compromised. 'Bon Jovi's site was attacked?' he agonized. 'Geez, how many Bon Jovi fans do I have? Dozens at least.'

The evil Web attack, which uses two already-patched Windows vulnerabilities, redirects users from the Web site they visited through two servers and attempts to download more nasty bits of software onto their systems, documenting for later exploits the vulnerabilities of each target system.

Although no major government sites were infected, the fact that more than 10,000 sites were taken over within a week has many Web watchers worried.

But where the Web nasty has managed to inject itself is what freaks the Rat out: Thousands upon thousands of sites that use JavaScript have been affected, and the software being used to do it is so professionally written that it even includes a management console.

MPack, the Trojan in question, is written in the PHP scripting language and has been characterized as professional-quality software.

The hackers inject it into sites by exploiting various JavaScript errors and other vulnerabilities and, by inserting an IFRAME element into their pages, opening a connection to another Web site within the page.
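One way a site manager could check his own pages for the kind of injected IFRAME described above, as an added example that is not part of the column: the heuristic flags iframes that are hidden or that load from a host other than the site's own. The parser, the heuristics, the sample page and the hosts example.com and redirect.invalid are all constructed for illustration.

```python
"""Flag suspicious <iframe> elements in a page: hidden frames, or frames that
pull content from a foreign host. Added example, not from the column; the
heuristics, sample page and host names are constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Placeholder for the site's own host; a real check passes the site's actual domain.
OWN_HOST = "example.com"


class IframeAuditor(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Zero/one-pixel or CSS-hidden frames have no legitimate reason to be on the page."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip().rstrip("px") in ("0", "1")
               for dim in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def audit_iframes(html, own_host=OWN_HOST):
    """Return (src, reasons) for each iframe that is hidden or loads a third-party host."""
    parser = IframeAuditor()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""  # relative src has no host: same-site
        reasons = []
        if host and host != own_host and not host.endswith("." + own_host):
            reasons.append("third-party host")
        if _is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate same-site embed and one injected-looking frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://maps.example.com/embed?id=42" width="400" height="300"></iframe>
<iframe src="http://redirect.invalid/in.cgi?3" width="0" height="0" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_PAGE):
        print(f"suspicious iframe {src}: {', '.join(reasons)}")
```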

Some of the attacks have also involved typo-squatting: creating bogus sites that use frequent misspellings of site names to catch those with bad keyboarding skills.

MPack keeps meticulous track of the systems it infects. One of the 10,000 sites infected had compromised more than 10,000 clients before it was discovered.

Which leaves the Rat wondering: Where can he hire the guys who wrote this software?

'Heck, my own remote-client management software doesn't have this good a metrics package,' the cyberrodent sighed as he looked at screenshots of one infected server's secret console.

'Maybe if I cut a deal with these guys,' the Rat thought briefly, 'they can solve my Web VPN patch distribution problem for me, turning their powers to good instead of evil.'

But of course, there was the small issue of getting a group of allegedly Russian cybergangsters security clearances.
