MPack: the Strange Case of the Mass-Hacking Tool

Posted by Symantec, 06-21-2007, 12:46 PM

You always thought that by staying clear of the dark alleys of the Internet and visiting only “reputable” websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here: http://www.symantec.com/enterprise/security_response/weblog/2007/06/italy_under_attack_mpack_gang.html and here: http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits.

As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.

The MPack gang appears to be using an IFRAME Manager tool to automate the task on a large scale. This is basically an FTP updater client, written in the PHP language, that runs on a webserver with MySQL as the back-end. It takes as input a list of website administrator accounts (possibly obtained on the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.


This iframe manager is another example of a very user-friendly tool with a clear intent of being resold to multiple hacking groups. As such, it offers a number of interesting features. It allows for the iframe to be injected at the top or bottom of the page and you can use regular expressions when defining the pages to be compromised, such as index[.php|.htm|.html]|default.asp. To maximize the return-on-investment, the tool can check the Google PageRank for the potential websites before injecting the iframe, allowing you to select any number of sites with a certain PageRank in a certain country. Furthermore, the tool can be left running and will cycle through the list of sites and re-inject the iframe, should the pages have been cleaned by the site administrator.

To assist the miscreants in this competitive hacker-eat-hacker world, the tool also allows for the removal of any competitors’ iframes injected in the page. And of course, extensive logs and statistics are provided.

This tool itself, however, cannot hack the websites; it relies on a list of compromised credentials to insert the desired iframe into the websites. Therefore a simple clean-up of the page is not sufficient; the site administrator’s credentials need to be changed. To protect yourself as a web surfer, make sure your operating system is up to date with the latest patches, as well as your anti-virus program.
http://www.symantec.com/enterprise/security_response/weblog/2007/06/mpack_the_strange_case_of_the.html
Tue, 19 Jun 2007 11:39:29 -0800
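
A site-owner check for the injection described in the post, added here as an example (it is not code from the original article or from Symantec): it scans home-page files for iframes whose source is off-site and notes whether they sit outside the `<html>` element, a heuristic for "top or bottom of the page". The function names, the host names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Home-page names covered by the post's pattern: index.php/.htm/.html, default.asp
HOME_PAGE = re.compile(r"^(index\.(php|htm|html)|default\.asp)$", re.I)

class IframeFinder(HTMLParser):
    """Record every iframe with its line and whether it sits outside <html>."""
    def __init__(self):
        super().__init__()
        self.in_html = False
        self.found = []  # (line, src, outside_html)
    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.in_html = True
        elif tag == "iframe":
            src = dict(attrs).get("src") or ""
            self.found.append((self.getpos()[0], src, not self.in_html))
    def handle_endtag(self, tag):
        if tag == "html":
            self.in_html = False

def audit_page(name, html, site_host, allowed_hosts=()):
    """Return off-site iframes found in a home page (empty list if clean)."""
    if not HOME_PAGE.match(name):
        return []
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for line, src, outside in finder.found:
        host = (urlparse(src).hostname or "").lower()
        if not host or host == site_host or host in allowed_hosts:
            continue  # relative, same-site or explicitly trusted source
        findings.append({"file": name, "line": line, "host": host,
                         "outside_html": outside})
    return findings

# Constructed sample: iframes added above <html> and below </html>.
SAMPLE = """<iframe src="http://injected.example/"></iframe>
<html><body>
<p>Welcome</p>
<iframe src="/map.html"></iframe>
<iframe src="http://www.site.example/news.html"></iframe>
</body></html>
<iframe src="//other.example/a"></iframe>"""

if __name__ == "__main__":
    print(audit_page("index.php", SAMPLE, "www.site.example"))
```

Because the tool re-injects pages that have been cleaned, a check like this is worth running on a schedule; a finding also means the page was changed with valid credentials, so the credentials need to be changed as the post says.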