Posted 09-08-2007, 03:08 AM by Symantec (Senior Member; Join Date: Oct 2006; Posts: 295)

MPack: Getting More Dangerous
<p>In our <a href="http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html">previous analysis</a> we discussed what MPack is and how it works, based on MPack version 0.84. This time we compare it with an updated version, MPack v0.91.</p>

<p>1. The exploits include the ones already present in v0.84. The full list of exploits appears at the end of this blog.</p>

<p>2. There have been some changes to the management and reporting interface. A new file, admin.php, has been introduced and stats.php has been removed.</p>

<p>The developers of the toolkit have provided admin.php for secure control and configuration of the MPack installation. The MPack owner can set username and password protection through settings.php.</p>

<p>There have been cosmetic changes to the user interface, such as better styling for the views, and a copyrighted logo: (c) 2007 DreamCoders – Logo.</p>

<p>MPack toolkit v0.91 also comes with a legal disclaimer:</p>

<blockquote>Mpack is created solely for test purposes. You are prohibited to use it in conditions violating local or international laws. Authors hold no responsibility for any damage, direct or indirect, caused by usage of this software.</blockquote>

<p>3. Some additional files are part of the installation to handle authentication:</p>
<blockquote>a) Logincheck.php: This file checks authentication to admin.php: check query; POST -> check l&p, if passed; GET -> check cookie and/or send auth page.<br />
b) Notfound.php: If the login check fails, it displays a "not found" message.</blockquote>
<p>4. MPack has also introduced more encryption and obfuscation to make detection harder. This is achieved through two files, Crypt2.php and UrlWorks.php. UrlWorks.php is used for encoding and decoding URLs, whereas Crypt2.php includes:</p>
<blockquote>a) New encoding scheme<br />
b) Checks: $text - text/JS code for encoding; $passed - passes for encoding; $isJS - whether $text is JS code<br />
c) Text, JavaScript code and variables can now also be packed<br />
d) More randomization techniques<br />
e) The random function/variable name generator:
<pre>function p4ck3r_getRandomFuncOrVarName()
{
    // 52 ASCII letters; shuffled, then the first 2 or 3 are returned as the name
    $charsAlpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    return substr(str_shuffle($charsAlpha), 0, 2 + rand() % 2);
}</pre></blockquote>
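<p>As an added example (not part of the original post or of the MPack kit), the following Python reimplements the name generator quoted above only to build a constructed sample script, and then applies a simple defender-side heuristic: flag scripts whose declared identifiers are mostly 2-3 letter all-alphabetic names, the shape that generator produces. The heuristic, its threshold and the sample scripts are assumptions for illustration, not a Symantec signature.</p>

```python
import random
import re
import string

# Python re-implementation of the p4ck3r_getRandomFuncOrVarName() helper quoted
# above: shuffle the 52 ASCII letters and keep the first 2 or 3 characters.
# Used here only to build constructed sample input for the detector below.
ALPHA = string.ascii_letters  # the same 52 letters as the PHP $charsAlpha string

def random_name(rng: random.Random) -> str:
    chars = list(ALPHA)
    rng.shuffle(chars)
    return "".join(chars[:2 + rng.randrange(2)])  # length 2 or 3, like 2 + rand() % 2

# Detection heuristic (an assumption for this example, not a Symantec signature):
# packer output declares many short, purely alphabetic identifiers, while
# hand-written scripts rarely do.
DECL_RE = re.compile(r"\b(?:var|function)\s+([A-Za-z_$][A-Za-z0-9_$]*)")

def short_ident_ratio(js: str) -> tuple:
    """Return (short_names, total_declared): var/function declarations whose
    name is a 2-3 character all-letter token, the shape random_name() yields."""
    names = DECL_RE.findall(js)
    short = [n for n in names if n.isalpha() and 2 <= len(n) <= 3]
    return len(short), len(names)

def looks_packed(js: str, min_decls: int = 4, threshold: float = 0.75) -> bool:
    """Flag a script when enough declarations exist and most have short names."""
    short, total = short_ident_ratio(js)
    return total >= min_decls and short / total >= threshold

def build_packed_sample(seed: int = 7, count: int = 6) -> str:
    """Constructed sample mimicking packer output: randomly named declarations."""
    rng = random.Random(seed)
    lines = [f"var {random_name(rng)} = '{i}';" for i in range(count)]
    lines.append(f"function {random_name(rng)}() {{ return 1; }}")
    return "\n".join(lines)

# Constructed hand-written script used for contrast.
NORMAL_JS = """
var pageTitle = document.title;
var menuItems = [];
function toggleMenu() { return menuItems.length; }
var footerYear = 2007;
"""

if __name__ == "__main__":
    print(short_ident_ratio(build_packed_sample()), looks_packed(build_packed_sample()))
    print(short_ident_ratio(NORMAL_JS), looks_packed(NORMAL_JS))
```

The ratio alone is a weak signal on minified production scripts, which also use short names; in practice it would be combined with other indicators rather than used on its own.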
<p>5. There are some modifications in the MPack loading pages (Index.php):</p>
<blockquote>a) Ability to target specific geographies through a predefined list of the countries the MPack owner wants to infect. Owners list their chosen countries in settings.php, which is modified to include a $CountryList variable, e.g. $CountryList = "RU US UA"; (2-letter codes only).<br />
b) Additional statistical reporting on browser usage and exploitation. The statistics now record the browser type of infected visitors in addition to the country hits.</blockquote>

<p>6. Vml_dbg.php is removed in MPack v0.91. This file, when run, creates a file containing the exploit for MS06-055 (Vulnerability in Vector Markup Language Could Allow Remote Code Execution).</p>

<p>7. The exploits available in v0.91:</p>
<blockquote>a) MS06-014 (MDAC RCE Vulnerability)<br />
b) MS06-006 (Windows Media Player Plugin RCE Vulnerability)<br />
c) MS06-044 (Microsoft Management Console Vulnerability)<br />
d) XML overflow XP/2k3<br />
e) WebViewFolderIcon overflow<br />
f) WinZip ActiveX overflow<br />
g) QuickTime overflow<br />
h) ANI overflow</blockquote>

<p>Document created by Parveen Vashishtha, with assisted research by Umesh Wanve.</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/08/mpack_getting_more_dangerous.html
Thu, 16 Aug 2007 11:51:22 -0800