Complex Virus Infection on Italian Tourist Websites

A virus attacking Italian tourist websites in thousands helps in theft of financial data on the visitors' computers. David Perry, a spokesman for Trend Micro, a web security company in Japan warned users not to go to these sites. AGI news published this on June 19, 2007.

The virus called "The Italian Job" reportedly infected 4,500 sites by installing a Trojan horse program that captures visitors' information including credit card details. It then passes the information to a Chicago-based server. On installing the malicious program, the hackers gain full command over the sites.

The evil actions can continue to work from any place in the world if the server in Chicago is shut down. To circumvent this situation, users need to update their Internet Explorer version by logging onto www.microsoft.com. Perry stressed that this hacking case was the most risky one ever recorded. AGI news published this on June 19, 2007.

Perry said the reason why Italy was under attack is not known. It is also not known how many PCs the 'Italian Job' virus had infected in the country, with maximum number of tourists both domestic and foreign.

The spreading mechanism of the virus is quite complex. It basically depends on unaware website owners who do not know if their sites are compromised as well as visitors to those sites who are unwary of the infectious legitimate web pages that corrupt their PCs in the process.

The hacked lawful websites are the first-level URLs. They are basically Italian legitimate websites most of which advertise services for tourism, hotels, auto benefits, music, lotto and more.

The second and third-level URLs are those websites that are hacked to insert a damaging IP address into the HTML code that redirects users to another site hosting a JavaScript downloader, explains Trend Micro.

The third-level URL downloads yet another Trojan onto the target machine from a fourth-level URL. The fourth-level URL Trojan in turn downloads two more trojans from two separate fifth-level URLs.

This Trojan finally downloads an information stealer, a modified version of the SINOWAL Trojan from a sixth-level URL.

Related article: Complex Malware Trends Flourishing, Says PandaLabs

» SPAMfighter News - 7/3/2007