MPack Runs Rampant

The need to secure your Web servers has never been higher. In the past, many people worried about potential damage to their company's reputation should their site be broken into. After all, a defacement negatively affects not only a Web site but also a company's public image.

But there's another more dangerous aspect to keep in mind: Your site might be turned into a vicious attack vector, making you responsible for damaging any number of innocent peoples' computers. Anyone with a public-facing Web site has a serious responsibility to protect its visitors. And if you're hosting other peoples' Web sites, your level of responsibility is exponentially higher.

A case in point that clearly demonstrates the need for vigilance is the relatively new MPack tool--not to be confused with the compression software of the same name.

MPack is an automated, intelligent, server-based attack tool that's being used to infect untold numbers of computers. It's basically like Metasploit, except that targets are pushed towards MPack en masse. The tool is PHP-based and is a flexible attack platform complete with a back-end management and monitoring interface. The server components are used to deliver exploit payloads to browsers, and people place links to an MPack server into Web pages all over the Internet.

The primary motive of MPack is to generate income through criminal activity. Its creators have been selling the tool for about $700 since at least December 2006 along with attack modules that evolve as new attack types become possible. According to Panda Labs, new modules cost anywhere from $50 to $150 depending on the level of exploitation that a module can carry out.

Recently, intruders using MPack established domains to host Web sites to contain links to attack code and broke into numerous Web hosting accounts (and quite possibly privately operated Web sites) to include attack code in the pages of those unsuspecting, compromised Web sites. The attack code typically consists of IFRAME tags that tell a visitor's browser to load a malicious Web page inside an existing Web page. The browser can be instructed to load a malicious Web page without the user having to take any action other than to visit the compromised Web site, and the IFRAME can be coded to not even be noticeable on the compromised site. So the visitor might remain completely unaware that exploitation is taking place.

The malicious Web page contains code that, when run, can determine the visitor's OS and browser type and then deliver corresponding exploit code. Code exists to exploit Windows, Linux, BSD, and Mac OS systems as well as at least seven browsers and various components, such as Apple QuickTime, WinZip, and other common tools. MPack can also be made to instruct a vulnerable computer to download malicious files. From there, a huge range of possibilities opens up.

Panda Labs reports that one Web server recently inspected contains 7,644 Web pages infected with links to MPack-based exploits. Exactly how many sites and pages have been infected remains unknown; however one trusted source told me that at least one major hosting company (which I won't name) found that its servers were compromised through a combination of exploits, and as a result, a large number of index.php files were overwritten to contain exploits based on MPack.

In that incident, I was able to take a look at several of the affected sites because I know the operators of those sites. The intruders made a puzzling choice to completely overwrite every file that contained the string "index" with a simple IFRAME tag to launch exploits. Since all the index pages for the affected sites suddenly started showing up empty, the break-in became obvious sooner rather than later.

I have no idea why the intrusion was made so obvious. Had the intruders inserted an IFRAME tag into existing HTML instead of overwriting pages entirely, the intrusion could have gone undetected for a very long time, and the number of infected computers would have risen tremendously.

If you're interested in more details about MPack, Panda Labs published a detailed analysis of the MPack attack platform.

TAGS: Security
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.