Massive MPACK Compromise

Published: 2007-06-18
Last Updated: 2007-06-18 21:34:24 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)

If you're confused and thinking of the mime packer at this point, then
you haven't heard of "the other" mpack.  Let me introduce to you the
relatively new kid on the block.  MPACk is a tool that was first
discovered in December of 2006 by PandaLabs.

Its an PHP based application designed to run on a server.  With it
comes several different exploits (you can buy new ones to add on)
which can be used to compromise a user's system based on what they are
running.  There are different methods to get a user to access the
compromised server.  One of the more popular methods being used right
now is an IFRAME.  Websites are compromised and IFRAMES are placed on
the sites pointing to the MPACK server.

Another interesting characteristic of this tool is the fact it has a
database backend.  What this allows is the tracking of information and
report generation on all the infected systems.  Right now its being
reported by Websense that there are over 10,000 compromised systems
all with IFRAMES pointing to the MPACK server.

As a side note, keep your eye out for another tool called
DreamDownloader that is usually sold with MPACK.  DreamDownloader is
dangerous script kiddie toy.  All they have to do is tell the tool the
URL where the file is located that they want downloaded and it creates
an executable (with your choice of packers) that carries out the
process.

For more information, check out these sites:

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html
http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx
http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf

Keywords:
0 comment(s)

Comments


Diary Archives