Topic: MPack, Packed Full of Badness

[Amker]

A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader. This malware is yet another malware distribution and attack kit in the same vein as other kits, such as WebAttacker. This kit, called MPack, is a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend. It is sold by a Russian gang and comes ready to install on a PHP server, and it also comes complete with a collection of exploit modules to be used out of the box.


How it infects computers

Once the server is installed and running, all the owner has to do is to start generating some web browser traffic to it. They can do this by various means including:

• Hacking into popular web sites and adding IFRAME snippets to its web pages.
• Setting up typo-squatting web sites on popular domains to trap accidental visitors.
• Spamming out emails with the IFRAME code embedded.


Typical Attack Scenario

In a typical attack scenario, a user enters in the URL of a legitimate web site into their browser. Unknown to the user, the web site they are visiting has been hacked into and the web pages tainted with malicious content.



1. A user accesses what they believe to be a legitimate web server through a web browser.

2. Unbeknownst to the user, the web server they are accessing has been hacked and the server responds with what they requested and some additional IFRAME code embedded within the HTML source.



3. Once the user’s browser receives the tainted HTML code, the IFRAME code causes the browser to make an additional request to another URL; in this case it makes a request to an intermediate server.

4. The intermediate server redirects the request to the final target server, which is the one hosting the MPack server.



5. The MPack server analyses the HTTP request header received from the user’s browser. Standard HTTP request headers contain information about the browser type and operating system used as well as other information. Once the MPack server determines what browser and operating system are used, it uses the information to select which exploits it will send to the user’s browser to try and exploit it. The server may try as many exploits as it has available or the targeted computer is compromised. Data is stored by the MPack server about the user’s computer, what exploits were used and successful, as well as the user's country of origin.



6. Once the user’s computer is compromised, the shell code directs the computer to download an additional file from the MPack server.

7. The MPack server responds with the requested file (file.exe or file.php). This is executed by the compromised computer and causes it to download further files from other sources.

Metrics Database

Since the creators of the MPack server are in the business of making money out of their creation, they understand how business owners (their customers) like to have a management console where they can control and monitor the state of their “business”. To address this need, they have created a handy metrics and control console page to allow the owner of the attack server to view how the server is getting on.

The owner of the page can access and view this console by using a URL with a username and password combination. The page contains details of how many different computers were attacked, how many attacks were successful, with what type of exploit and what browser or operating system. As you can see in the example below, a total of 10222 unique computers were compromised by this single server, which is a significant population of computers with which the owners of this MPack server can put to use in generating cash.



Also in the metrics page, we can see a breakdown of the visitors to the MPack server organised according to the country of origin. As you can see, a large proportion of the visitors are of Russian origin.
The image below represents an extract of the full country listing.




The ongoing development of this MPack kit (currently at version 0.86) serves to underline the fact that the criminals are taking full advantage of the online world to generate their ill-gotten gains.
There’s low risk of detection and capture, and even lower risk of physical danger in carrying out cyber crime. As one of the members of the Fujacks gang once boasted “This is a better money making industry than real estate.” No wonder new attack kits and updates to existing ones keep cropping up.

Web users would be well advised to keep their software and operating systems up to date with latest vendor patches and updates; and also follow the standard security best practices. Users of Symantec security software will be glad to know that we already detect the malicious web pages as Trojan.Mpkit!html. The downloader component is detected as Downloader.[/img][/img]

[attachment deleted by admin]