At the IP address to which the affected browser is initially redirected, the malware toolkit's statistics page shows how users visiting legitimate Italian Web sites are being redirected to the host where the download chain begins.
The spreading mechanism is a complex chain, but it relies on two things: Web site owners being unaware that their sites are compromised, and Web site users being unaware that surfing through seemingly legitimate pages can actually be part of an infection process.
Once the user visits any of these Web sites, the affected computer is directed to another IP address that hosts the malicious JavaScript detected as JS_DLOADER.NTJ. JS_DLOADER.NTJ exploits browser vulnerabilities, trying to cause a buffer overflow in the user's Internet browser. Through this, it is able to download the next member of the infection series, detected as TROJ_SMALL.HCK. On initial testing, TrendLabs researchers observed that this malicious JavaScript appears to be "browser-aware" in that it can choose which vulnerability to take advantage of depending on the browser.
TROJ_SMALL.HCK, in turn, downloads TROJ_AGENT.UHL and TROJ_PAKES.NC. TROJ_AGENT.UHL can act as a proxy server that allows a remote user to connect to the Internet anonymously via an infected computer. TROJ_PAKES.NC, on the other hand, is dropped into the user's temporary folder and downloads the keylogging information thief TSPY_SINOWAL.BJ.