It's something out of a Mario Puzo novel, interpreted by Neal Stephenson. Criminals, presumably operating out of Russia, hire qualified programmers to create exploits for recently patched vulnerabilities not just in Microsoft Windows, but in applications such as Apple QuickTime as well. The criminals then sell this package of exploits as a tool to others who then install the necessary code on servers around the world. Like the layers of an onion, the true criminals are protected by layers and layers of underlings who are the ones likely to be caught. Meanwhile, the godfathers, perhaps based in St. Petersburg, Russia, are making a killing by exploiting vulnerable Web browsers and vulnerable PCs, and laughing all the way to the bank.
What is Mpack
Mpack is the latest among many such tools for spreading malware on the Internet According to Symantec, Mpack or Web Attacker II is a collection of PHP software components designed to be hosted and run from a PHP server running a database on the backend. According to VeriSign-iDefense, there's at least one individual, named $ash, who sells MPack online for around $500 to $1,000. In one recent posting, $ash attempted to sell a "loader" for $300 and the whole kit, with optional modules of exploits, for $1,000. Even with the Mpack tool, $ash notes in his posting, the attacks are only 40 percent to 50 percent successful.
Components available with the latest release of Mpack (currently 0.86) include exploits for animated cursor, ANI overflow, MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow, and QuickTime Overflow.
Components available with the latest release of Mpack (currently 0.86) include exploits for animated cursor, ANI overflow, MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow, and QuickTime Overflow. What's important to note is that these are not zero-day exploits; patches exist. Therefore, the fully patched browser and PC stands a good chance of avoiding infection.
Mpack at work
This is the beauty of Web 2.0; while your browser displays the content you requested, it's making another call, a call out via the IFrame to en exploit server.
Recently, I talked with Roger Thompson of Exploit Prevention Labs, who has been talking about compromised legitimate Web sites for months. Thompson told me that in a majority of cases, there are about two dozen exploit Web servers around the world. They exist in remote corners of the world where local money keeps the machine on, the police out, and exploits flowing. In other cases, the exploits are on a server in place that's just simply hard to contact, such as remote China. Finding someone who is responsible who can shut down the server is itself a full-time job. You can hear from Roger on this topic in this week's Security Bites podcast
Mpack at work II
So say you access one of these compromised Web pages--what next? Mpack is a slick program. Like any corporate Web server, it reads and analyzes the HTTP request header sent from your browser. It immediately knows your browser version, your operating system, and sometimes whether you have add-ons such as QuickTime running. Mpack then searches through its database of tricks and, depending on the components installed on that Mpack system, responds with exploits appropriate for your computer.
Another method of attack is using an executable. Mpack sells a tool called DreamDownloader. Criminals enter the URL of their Mpack server, and DreamDownloader provides a file that bypasses firewalls, disables some antivirus scanners, detects virtual systems, and can be packed using common compression tools such as Upack, UPX, or Mew. $ash claims that the current release of Mpack is guaranteed not to be detected by antivirus scanners, and sometimes $ash or others provide a recent image from VirusTotal, which, upon submission, provides a snapshot of which antivirus vendors are or are not detecting the submitted file.
Torpig, Rustock, you name it
One example associated with Mpack is Torpig, a known Trojan horse that has been linked by security vendors to the Russian Business Network (RBN). RBN is a collective operating out of St. Petersburg, Russia, and is known to be responsible for a fair amount of child pornography, regular pornography, phishing attacks, and other online crimes. RBN servers have been known to host Torpig, Rustock (a Russian pump-and-dump stock scheme), and something called the Step57.info cPanel exploitation.
This past week, the cPanel attack was used on an Italian Web host, resulting in more than 8,000 Web sites being compromised within a handful of domains. These sites included car rentals, hotels, music, and sports. When an unsuspecting visitor looks up car rentals in Rome, an IFrame might silently call out to an exploit server and install malware on their PC.
Mpack's also a full-service Web tool, too
Say you bought the complete Mpack package for the purpose of click fraud, using the machines you compromised with Mpack to host remote-access software, turning these desktops into part of a larger botnet. If you're like Jeanson James Ancheta, maybe you want to earn money by having your zombie computers hit a page where you've placed a click-for-profit ad; with a thousand machines hitting one ad, you might generate a fair amount of cash. Well, Mpack provides the statistics to count your earnings early.
Within Mpack, there's a console that displays real-time statistics such as attacked hosts (total/unique), traffic (total/unique), and country (with information on traffic, loads, and efficiency). In posts on different security vendor sites, the latest seems to have hit Italy hard, followed by Spain, the United States, Germany, and France. For more, antivirus vendor Panda has this PDF file with granular detail on Mpack. And Symantec has a video of Mpack in action.
Sounds hopeless. It's not. First, make sure your PC is fully patched. Microsoft issues monthly software updates, although most Windows XP and Windows Vista machines automatically install these. Firefox sends out updates automatically as well. If you turn on Apple's update service, you'll get the latest QuickTime patches. For others, you'll need to check the vendor sites periodically.
For proactive defense, I like Exploit Prevention Labs' free Linkscanner tool. The latest versions run with both Firefox and Internet Explorer. What I like about Linkscanner is that the tool blocks the malicious IFrame as it is loading, allowing me to access a compromised page but without the compromise. McAfee SiteAdvisor also protects you against such attacks, but it throws the baby out with the bathwater, blocking access to the site entirely.
Given these recent Web attacks, are you taking additional steps to surf the Web safely? If so, what? Talk back to me.