Russian malware storm brewing?

Chenghuai Lu, a senior threat analyst at the Tokyo-based antivirus vendor, recently uncovered a site with several hundred malicious programs and traced the site's server to a Russian IP address. Among the harbored malware were examples of three Trojan families: Dropper.cko, Clicker.qu and Polycrypt.g. All three clans typically hijack Internet Explorer on compromised PCs and direct users to adult Web sites.

Meanwhile, another Trend Micro researcher, senior software engineer Feike Hacquebord, discovered a large number of Italian-language Web sites that at first glance appeared to be compromised with malicious IFRAMEs, inserts in the HTML coding of a page, often JavaScript, that can hijack a PC whose browser visits the site. On second look, however, the Italian-style sites do not appear to have been hacked but instead were created with the IFRAMEs in mind. According to Trend Micro, the IFRAMES point to the malware-packed Russian site found by Lu.

"Looking at these massive samples of malware, we can't help to think that there's something brewing in Russia," said Carolyn Guevarra, a third researcher at Trend Micro, on the team's blog yesterday. "We have just seen these cybercriminals pull the 'Italian Job' recently," she added. "Are we now seeing a 'Russian Uprising' coming our way?"

Guevarra's Italian comment refers to a large-scale attack about six weeks ago that involved more than 10,000 hacked sites hosted in that country. Those attacks were guided by Mpack, a multistrike exploit tool kit that hackers had deployed on one or more servers; the compromised sites secretly directed users to an Mpack-equipped server, which then tried a number of exploits on the PC.

Trend Micro has blocked the malicious Web sites for its customers and is working to develop more information on the possible attack plot. "More details soon," Guevarra promised.

Go Back

Source: Computerworld.com