MPack Hacker Tool Claims 10,000 Compromised Web Sites

A Russian-developed hacker tool called MPack was being utilized last week in a Web attack that has compromised an estimated 10,000 Web sites, primarily in Italy but also in other parts of Europe, security researchers reported. As the largest such attack in recent memory, MPack shows how sophisticated hackers and malicious software developers are getting at compromising network security, and ups the ante in the ongoing battle against cyber crime.

Late Friday (June 15), computer security researchers started tracking the Web site hacks and resulting spread of malware, which some have dubbed the “Italian Job” because most of the infected Web sites are based in Italy and designed for Italian audiences. By Monday, the number of Web sites infected had reached 10,000, reported WebSense, a security software company based in San Diego, California.

MPack is a professionally written suite of hacker tools that was introduced to the black market by a Russian gang last December, according to security researcher Panda Labs, which is credited with discovering MPack and which last month published a timely report titled “MPack Uncovered.” You can download the report, which was written by Vicente Martínez and is in PDF format, here

According to Martínez, MPack was written in PHP and is designed to be hosted and run from a PHP server with a MySQL database. MPack includes a collection of functional modules (exploit modules, in MPack’s case), a graphical management console, and–like so many legitimate software products today–is designed to be ready to use “out of the box.” It costs about $700, according to Martínez’ report.

All that cyber criminals need to get started with their MPack ventures is to attract some Internet traffic to their MPack Web server. They do this in several ways, including hacking into Web sites and inserting a piece of malicious JavaScript and IFRAME code that redirects Web site visitors to their malicious MPack server, or to an intermediate server that then redirects the visitor to the MPack server. (This appears to be the way that the bulk of the Italian Job traffic was generated.) Alternative tactics include setting up so-called “typo-squatting” Web sites on popular domains to trap accidental visitors, sending out spam e-mails with malicious, embedded code, or even buying Google sponsored links.

Once the victim has been delivered to the MPack server, the MPack product analyzes the HTTP request header to figure out which OS and Web browser they’re using. Based on this information, the MPack product creates a tailor-made exploit cocktail that has the best chance of infecting the victim’s computer, starting with the most recent zero-day exploits first. (To be infected at this point, the user must have an unpatched vulnerability on his computer.) MPack’s developers also provide customers with regular updates that load exploit code for the most recently discovered vulnerabilities. The updates cost between $50 and $150. This intelligence and responsiveness is what makes the MPack code–and other hacker tools like it–so dangerous to the Web-browsing community.

Another interesting aspect of the MPack kit is the graphical control console that the product’s developers built into the software. Using this password-protected console, cyber criminals operating MPack in the wild can view statistics about how many victims they have drawn in, what country they’re from, and what operating systems and Web browsers they’re using. MPack developers created another tool called DreamDownloader that’s usually sold with MPack. It is a tool script kiddies may be attracted to. In many ways, MPack mirrors the latest in user interface design and tech support that many legitimate software companies create to attract and keep their business customers.

In a May 27 blog posting on MPack, a researcher with Symantec, Hon Lau, describes the danger of MPack. “The ongoing development of this MPack kit (currently at version 0.86) serves to underline the fact that the criminals are taking full advantage of the online world to generate their ill-gotten gains,” Lau writes. “There’s low risk of detection and capture, and even lower risk of physical danger in carrying out cyber crime. As one of the members of the Fujacks gang once boasted, ‘This is a better money-making industry than real estate.’ No wonder new attack kits and updates to existing ones keep cropping up.”

While MPack was making the biggest headlines last week, especially in Italy, it isn’t the only exploit tool popular with hackers and cyber criminals. Other products that make it easy for hackers to exploit vulnerabilities include the group behind the Metasploit and Webattacker products. Like MPack, Metasploit and Webattacker provide hackers and cybercriminals with easy-to-use and up-to-date automated hacking tools. In Metasploit’s case, interested parties can download the product from the Metasploit Web site at www.metasploit.com. The Webattacker product, which was created by a group of Russian developers at www.inet-lux.com, according to Wikipedia, is available on several hacker Web sites.

According to security software researcher Trend Micro, MPack was used to infect legitimate Italian Web sites that are related to tourism, the automotive industry, movies, music, tax, employment services, Italian city councils, and hotels sites. The attack appears to be timed to coincide with an upcoming Italian holiday, when Italians will be more likely to visit non business-related Web sites, Trend Micro says.

Most of the compromised Web sites appear to be hosted by the same Internet Service Provider (ISP), according to Trend Micro. Symantec says the compromise was “most likely some vulnerability or configuration issue at the ISP/hosting level.” It appears that somebody, or a group of people, made a mistake that has resulted in the infection of tens of thousands of PCs around the world.

The most important step that users can take to protect themselves from MPack is to apply security patches as soon as possible. As hackers get better and faster at devising exploit code for newly discovered or reported vulnerabilities, it shrinks the window of protection that users enjoy following the disclosure of a vulnerability. In many cases, it takes just days for hackers to develop and distribute exploit code for vulnerabilities announced and patched by Microsoft on the second Tuesday of every month–the so-called “Patch Tuesday” events. In recent years, it would take a week or more for the first exploits to come out, a sign of the escalating nature of the Web hacking game. In some cases, hackers discover the vulnerabilities first and release exploit code before the owner of the compromised product has a chance to patch it, which are so-called “zero-day” exploits.

While consumers are encouraged to apply security patches immediately, most large businesses and organizations must first test these patches before deploying them, lest they create conflicts with existing programs. These businesses and organizations must deploy and maintain more sophisticated security tools to provide protection from vulnerabilities during the critical days or weeks following the disclosure of security vulnerabilities.

                     Post this story to del.icio.us
               Post this story to Digg
    Post this story to Slashdot