More details on MPack web attack toolkit
The Internet Storm Center has published an analysis by iDefense of the MPack web attack toolkit and the attacks on internet users currently under way. According to this analysis, MPack is the latest and most powerful tool to emerge from the Russian underground, and is being sold for between 500 and 1000 US dollars. According to Verisign, the tool's author promises buyers a 45 to 50 percent chance of successful attacks. MPack has an integrated statistics function which informs its operator of the number of PCs attacked and the success rate of infections. Version 0.9 of MPack includes exploits for the ANI vulnerability and vulnerabilities in the MDAC function, Windows Media Player, Microsoft Management Console, XML functions, WebViewFolderIcon, QuickTime and WinZip.
The starting point for the current attacks is primarily websites located in Italy. The IFrames on these web pages, which the attacks rely on, were probably planted when the hosting servers were compromised. The route in is said to have been a vulnerability in the hosting control panel software cPanel. Compromising a single hosting server can allow hundreds of websites to be manipulated simultaneously. In autumn 2006 a vulnerability in cPanel was exploited for a mass hack at HostGator, as a result of which visitors were infected with a trojan via the VML vulnerability in Internet Explorer 6.
As soon as a victim visits a prepared web page, the browser loads additional code from the MPack server via the embedded IFrame. After identifying the operating system and browser, the attack module tries out multiple exploits until it scores a hit - or runs out of exploits. If it is successful, the server installs malware onto the PC. iDefense does not state whether or not MPack is able to infect non-Windows systems; the MPack source code does include switches for other browsers, such as Firefox and Opera. Currently MPack only exploits known vulnerabilities for which updates are available.
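As an added illustration (not part of the article or of iDefense's analysis), the following Python check is the kind of thing a site operator can run over pages served from their own host to spot IFrames of the sort described above: frames that are hidden or shrunk to a pixel, or that pull content from a host other than the site's own. The sample page and the host names in it are constructed for the example.

```python
"""Flag iframes in served HTML that look injected: hidden or tiny frames, or
frames whose source is a host other than the page's own (example code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Attribute values may be None for bare attributes; normalise to ""
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Leading integer of a size attribute ('0', '1px', '100%'); None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def suspicious_iframes(html, page_host):
    """Return a list of (src, reasons) for iframes that merit a closer look.

    page_host is the host name the page is legitimately served from; any iframe
    whose src points elsewhere is reported as off-site.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        width = _dimension(attrs.get("width"))
        height = _dimension(attrs.get("height"))
        if (width is not None and width <= 1) or (height is not None and height <= 1):
            reasons.append("tiny dimensions")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        src = attrs.get("src", "")
        src_host = urlparse(src).hostname
        if src_host and src_host.lower() != page_host.lower():
            reasons.append(f"off-site source {src_host}")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one ordinary same-site embed and one planted frame.
# The host "mpack-server.example" is a placeholder, not a real indicator.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
<iframe src="http://mpack-server.example/in.php" width="1" height="1"
        style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

A real deployment would fetch each page from the web server (or read it from the document root) and compare the result against a known-good copy, since a legitimately embedded off-site frame will also be reported and needs to be whitelisted.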
One of the pieces of malware installed is the banking trojan Torpig. According to iDefense, Torpig can be traced to the Russian Business Network (RBN), currently the source of many internet attacks. The RBN, which is also involved in phishing and child pornography, appears to be based in St Petersburg.