Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.


1 Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007

Copyright 2007 - Trend Micro Inc.

2 Agenda
How It Works
Status
Messaging/Positioning
Trend Micro Protection
Best Practices
Additional Information

3 How It Works
“The Italian Job” is a Web threat that uses multiple components to surreptitiously infect a targeted group of users.
1. First, URLs of legitimate websites are compromised by HTML_IFRAME.CU, malware that takes advantage of an iFrame vulnerability. Many of these sites are related to tourism and travel, entertainment, autos and adult content.
2. When a user visits a compromised website, s/he is redirected to a second site, which contains a JavaScript downloader, JS_DLOADER.NTJ.
3. DLOADER exploits browser vulnerabilities to download a Trojan, TROJ_SMALL.HCK, onto the target system.
4. Two additional Trojans are downloaded, TROJ_AGENT.UHL and TROJ_PAKES.NC.
5. The PAKES Trojan goes on to download an information stealer, a variant of the SINOWAL Trojan. The AGENT Trojan can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected PC.
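The first step of the chain above is a hidden iframe injected into an otherwise legitimate page, pointing the visitor's browser at the downloader site. The following is an added example (not part of the original presentation or of any Trend Micro product) of the check a web host or security team can run over its own pages to surface that pattern: it parses the HTML, collects every iframe, and flags those that are both hidden (display:none, visibility:hidden, or a 0/1 pixel frame) and sourced from a host other than the page's own. The sample page, the hostnames in it and the function names are all constructed for the example.

```python
"""Flag hidden, off-site <iframe> tags of the kind injected into compromised pages.

Added example; the page text, hostnames and function names are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attribute values such as "0", "1", "0px", "1px" denote a frame too small to see.
ZERO_SIZE = re.compile(r"^\s*0*[01]\s*(px)?\s*$")


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names; bare
        # attributes arrive with a value of None, so normalise to "".
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True when the frame is styled or sized so the user cannot see it."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        if ZERO_SIZE.match(attrs.get(dim, "")):
            return True
        # Inline CSS such as style="width:0px;height:0px"
        m = re.search(dim + r":(-?\d+)(px)?", style)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def is_offsite(src, page_url):
    """True when the frame loads content from a host other than the page's own."""
    host = urlparse(src).hostname
    return host is not None and host != urlparse(page_url).hostname


def find_suspicious_iframes(html, page_url):
    """Return the src of every iframe that is both hidden and off-site."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if is_hidden(attrs) and is_offsite(src, page_url):
            findings.append(src)
    return findings


# Constructed sample: a legitimate hotel page whose own map frame is visible
# and same-host, followed by an injected hidden frame pointing off-site.
SAMPLE_URL = "http://www.example-hotel.test/rooms.html"
SAMPLE_PAGE = """<html><body>
<h1>Hotel listing</h1>
<iframe src="http://www.example-hotel.test/map" width="400" height="300"></iframe>
<iframe src="http://attacker.example.invalid/landing" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, SAMPLE_URL):
        print("suspicious hidden off-site iframe:", src)
```

Run against a crawl of your own site, a non-empty result for a page that should not embed third-party frames is a strong signal that the page has been tampered with and should be compared against the version in source control. The host comparison deliberately ignores relative and same-host frames so that legitimate embedded maps, players and login widgets on the site's own domain do not produce noise.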

4 The Infection Chain
(Figure: infection-chain diagram; the slide carries no text beyond its title.)

5 Status
Over 3K websites in Italy have been compromised
Approximately 12-15K visitors to these websites have been infected
–While the majority of infections have been to Italian users, users in Spain and the US have been affected and, to a lesser extent, users from other parts of the world as they access the infected sites.
One ISP hosted 90% of affected sites; a second hosted the remaining 10%
A malware toolkit, MPack v.86, was used to create the initial downloader. Previous versions of this toolkit were available for purchase via a Russian website for ~$700.
Trend’s WRS and URL Filtering were updated to block the downloader and Trojan as of June 16

6 Messaging/Positioning
The Italian Job represents a textbook example of today’s threat environment
–Web-based, blended, sequential, targeted, profit-driven
It is highly likely that this type of attack will occur again, affecting users in another region
–JavaScript and the other types of technologies that enable the goodness of Web 2.0 are highly susceptible to such attacks
–Malware toolkits are available for sale on the Internet and frequently updated
–Automated tools and technologies, such as bots, enable speedy proliferation of malware and crimeware
Trend Micro provides a variety of innovative products that protect both home users and businesses from this type of attack

7 Trend Micro Protection
All products below provide protection against the Italian Job
Products that block the URLs from malicious websites:
–OfficeScan 8.0
–Trend Micro Internet Security 2007
–InterScan Gateway Security Appliance 1.0, 1.1 and 1.5
–ISVW 6.0
–InterScan Web Security Appliance (2500 v2.5)/Suite
Products that scan for malware and spyware downloads:
–IMSS 7.0
–IMSA 5000 v7.0
–IGSA 1.0, 1.1 and 1.5
–SMEX 7.0 and 8.0
–SMLN 3.0
–IMHS
–Trend Micro Internet Security 2007
HouseCall detects and cleans the malware associated with this threat

8 Best Practices – Corporate Users
Deploy HTTP scanning and make sure users cannot bypass it. Force users to forward all web requests to the scanning device and deny them otherwise.
Do not allow unneeded protocols to enter the corporate network. The most dangerous of them are P2P communication protocols and IRC (chat).
Deploy vulnerability scanning software in the network and keep all applications patched.
Restrict user privileges for all network users.
Deploy corporate anti-spyware scanning.
Support user awareness campaigns.

9 Best Practices – Home Users
Beware of pages that require software installation. Do not allow new software installation from your browser unless you absolutely trust both the Web page and the provider of the software.
Scan any program downloaded through the Internet with updated antivirus and anti-spyware software. This includes any downloads from P2P networks, through the Web and from any FTP server, regardless of the source.
Beware of unexpected, strange-looking emails, regardless of their sender. Never open attachments or click on links contained in these email messages.
Enable the “Automatic Update” feature in your Windows operating system and apply new updates as soon as they are available.
Always have an antivirus real-time scan service. Monitor regularly that it is being updated and that the service is running.

10 Additional Information
HTML_IFRAME.CU: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_IFRAME.CU
JS_DLOADER.NTJ: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_DLOADER.NTJ
TROJ_SMALL.HCK: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSMALL%2EHCK&VSect=P
TROJ_PAKES.NC: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPAKES%2ENC&VSect=P
TROJ_AGENT.UHL: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.UHL
TSPY_SINOWAL.BJ: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY%5FSINOWAL%2EBJ

