Security researchers at Symantec have verified that a large-scale web attack targeting Italian web sites and their users is underway. The attackers exploited vulnerabilities at the ISP and web hosting provider level to add snippets of IFRAME code to hundreds of popular Italian web sites, including those of IT companies, car rental firms, tax services, city councils, and hotel and travel destinations. The compromised web sites attempt to use exploits in unpatched versions of Internet Explorer, QuickTime, Windows 2000, Firefox, WinZip, and Opera, in order to install malware packages on end users' computers.

The attackers used a "commercial" malware kit called MPack, which is sold by a Russian gang. Currently at version 0.86, MPack provides would-be malware installers with a complete package that can be installed on any web server that runs PHP with an SQL database. The owners of MPack have been selling it to other criminal organizations for between $700 and $1,000 a pop, with additional exploit modules available for between $50 and $150. For an additional $30, the MPack owners will include a feature that helps prevent the malware from being detected by antivirus programs.

Once MPack is installed, the attackers need to compromise popular web sites (as was done in the Italian attack) in order to inject IFRAME code. The site's HTML files do not need to be directly compromised, as the code is added dynamically when the page is sent by the server—this makes it less likely that web site owners will notice that anything suspicious is going on.

The IFRAME code then adds a request to the MPack server itself, which analyzes the HTTP request header received from the user's web browser. It uses this information to determine which exploit it will try to use against the user. The MPack server stores data about which exploits have been tried and which were successful, and even provides the attacker with a handy "management console" to keep track of how many hosts have been compromised. MPack was first discovered for sale in a Russian forum in December 2006, and the security firm PandaLabs has provided a detailed analysis (PDF) on its web site.

The rise of off-the-shelf malware packages is another indication that compromising users' computers has become a huge business and especially attractive for criminal organizations. The risk of detection and capture is low: the attackers typically install MPack on a compromised web server, and the malware itself can be hosted on any number of servers. Even if an MPack server is discovered and shut down, any users who have been infected by the exploits that MPack uses will continue to generate revenue from whatever spyware the attackers choose to install on the compromised systems.

The advent of directed attacks on popular web sites makes it harder for users to practice skeptical computing, as one does not typically expect to get attacked by a popular tourist destination's web site. The only solution is for both web site operators and end users to ensure that their software—including third-party software—is kept up to date.