Analyzed data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat, simply as a result of their normal web browsing. The initial HTML malware takes advantage of a vulnerability involving so-called "iFrames" (inline frames), which are commonly used on websites and commonly exploited to pull content from a third-party host. Trend Micro researchers believe it was probably an automated attack initially, created with a Trojan-making kit.
At the IP address to which the affected browser is first redirected, the malware toolkit's statistics page shows how users visiting legitimate Italian websites are being redirected to the host from which the download chain begins.
The spreading mechanism is a complex chain, but it relies on website owners being unaware that they are compromised, and website users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process:
1. First-level URLs are the compromised (hacked) legitimate websites. They are primarily Italian sites, mostly advertising local services such as tourism, hotels, auto services, music, lotto and so on.
3. This third-level URL in turn downloads another Trojan onto the target system from a fourth-level URL. This is the URL for TROJ_SMALL.HCK, which Trend Micro can also block.
4. That Trojan in turn downloads two additional Trojans from two different fifth-level URLs. These are the URLs for TROJ_AGENT.UHL and TROJ_PAKES.NC, both of which Trend Micro can block.
5. The PAKES Trojan then downloads an information stealer, a variant of the SINOWAL Trojan, from a sixth-level URL.
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to anonymously connect to the Internet via an infected computer. TROJ_PAKES.NC, on the other hand, is dumped in the user’s temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.
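As an added example (not Trend Micro's code), the following Python scanner is the kind of check a site owner can run over their own pages to spot the hidden, off-site iframe that seeds the chain above; the sample HTML, the site host name and the IP address in it are constructed.

```python
"""Flag hidden or IP-hosted <iframe> tags injected into a legitimate page.
Added example; SAMPLE_HTML, the site host and the IP address are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page for a fictitious Italian hotel site: one legitimate map
# embed and two injected frames pointing at a bare-IP redirector host.
SAMPLE_HTML = """<html><body>
<h1>Hotel Bella Vista</h1>
<iframe src="https://maps.example.com/embed?id=42" width="400" height="300"></iframe>
<iframe src="http://198.51.100.7/in.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://198.51.100.7/stat.php" style="display:none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """True when the frame is sized to 0/1 pixels or hidden via inline CSS."""
    def tiny(v):
        return v.strip().lower().rstrip("px") in ("0", "1")
    if tiny(attrs.get("width", "")) or tiny(attrs.get("height", "")):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that are hidden or load from a bare IP.
    An off-site frame with a normal host name and visible size is not flagged."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if is_hidden(a):
            reasons.append("hidden")
        if host and host != site_host:
            reasons.append("off-site")
        if host.replace(".", "").isdigit():
            reasons.append("ip-host")
        if "hidden" in reasons or "ip-host" in reasons:
            findings.append((src, ",".join(reasons)))
    return findings
```

Running `find_suspicious_iframes(SAMPLE_HTML, "hotelbellavista.example")` flags only the two injected frames; the visible map embed passes.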