19 June 2007, 10:55

Large scale attack on web users underway

A number of security software vendors are currently warning of a large scale attack on web users. Websense, for example, claims to have discovered more than 10,000 European websites which attempt to infect visitors with trojans. These are generally non-malicious servers which have been penetrated and had an additional IFrame added to their web pages - this requires just a single line of code, unlikely to be noticed by a web administrator during normal operations.

The IFrame downloads code from another server, on which the web exploit toolkit MPACK is in use. This is apparently able to recognise the user's operating system and browser and test out exploits explicitly tailored to these. The toolkit is thus capable of exploiting unpatched vulnerabilities not only in Internet Explorer, but also in Firefox and Opera. Vulnerabilities in QuickTime are also exploited. However, MPACK appears to exploit only known vulnerabilities for which vendor updates have long been available.

If the integrated statistics provided by MPACK are to be believed, more than one hundred thousand users have already downloaded the infected web pages and more than ten thousand users have already infected their PCs with malware. This malware apparently sniffs out bank details and records keyboard input. Panda Software has published a detailed analysis of MPACK on its website: MPACK uncovered. Avira recommends blocking access to the MPACK server, which has the IP address 64.38.33.13.

A screenshot that has been published on the Trend Micro blog that shows what an IFrame pointing to an MPACK server might look like. Users should, where appropriate, check their own web pages for similar entries and remove them. Manipulation is additionally an indication that there are security vulnerabilities in the system, via which attackers can gain entry. Web site owners should conduct further analysis.