MPack: Getting More Dangerous
In our previous analysis we discussed what MPack is and how it works. We reviewed MPack version 0.84 in that blog; this time we compare it with an updated version, MPack v0.91.
1. The exploit set includes all the exploits present in v0.84. The full list of exploits is given at the end of this blog.
2. There have been some changes to the management and reporting interface. A new file, admin.php, is introduced and stats.php has been removed.
The developers of the toolkit have provided admin.php for secure control and configuration of the MPack installation. The MPack owner can set username and password protection by using settings.php. There are also cosmetic changes to the user interface, such as improved styles for viewing and a copyright logo: (c) 2007 DreamCoders.
MPack toolkit v0.91 also comes with a legal disclaimer:
Mpack is created solely for test purposes. You are prohibited to use it in conditions violating local or international laws. Authors hold no responsibility for any damage, direct or indirect, caused by usage of this software.
3. Some additional files are a part of the installation to ensure authentication.
a) Logincheck.php: This file checks authentication for admin.php ("check query, POST -> check l&p if passed, GET -> check cookie and\or send auth page"): a POST request has its login and password checked, while a GET request is checked for an auth cookie and/or sent the authentication page.
b) Notfound.php: If the login check fails, then it will display a 'not found' message.
4. MPack has also introduced additional encryption and obfuscation to make detection harder. This is achieved through two files: Crypt2.php and UrlWorks.php. UrlWorks.php is used for encoding and decoding URLs, whereas Crypt2.php includes:
a) New encoding scheme
b) Parameter checks: $text - the text or JS code to encode; $passed - the passes for encoding; $isJS - whether $text is JS code
c) Text, JavaScript code and variables can now also be packed
d) More randomization techniques
e) A helper function that generates random function and variable names:

```php
// Returns a random identifier of 2 or 3 letters drawn from a shuffled alphabet.
function p4ck3r_getRandomFuncOrVarName()
{
    $charsAlpha = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    // rand() % 2 is 0 or 1, so the generated name is 2 or 3 characters long.
    return substr(str_shuffle($charsAlpha), 0, 2 + rand() % 2);
}
```
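As an added illustration (not code from the MPack kit or from the original post), the following Python re-creates the 2- or 3-letter naming of p4ck3r_getRandomFuncOrVarName() and applies an assumed defender-side heuristic: a script whose declared identifiers are almost all such short, purely alphabetic names is flagged as likely packed. The JavaScript samples are constructed for the example.

```python
import random
import re
import string

# Python port of the PHP helper: shuffle the alphabet, keep 2 or 3 letters.
ALPHA = string.ascii_letters

def random_name(seed=None) -> str:
    """Return a 2- or 3-letter identifier, as MPack's helper does (seed for reproducibility)."""
    rng = random.Random(seed)
    chars = list(ALPHA)
    rng.shuffle(chars)
    return "".join(chars[: 2 + rng.randrange(2)])

# Identifiers introduced by "var NAME" or "function NAME(" (parameters are not counted).
DECL_RE = re.compile(r"\b(?:var|function)\s+([A-Za-z_$][\w$]*)")
# Packer-style name: 2 or 3 letters, nothing else.
SHORT_ALPHA_RE = re.compile(r"^[A-Za-z]{2,3}$")

def short_name_ratio(js: str):
    """Return (ratio, total): share of declared identifiers that look packer-generated."""
    names = DECL_RE.findall(js)
    if not names:
        return 0.0, 0
    short = sum(1 for n in names if SHORT_ALPHA_RE.match(n))
    return short / len(names), len(names)

def looks_packed(js: str, min_decls: int = 4, threshold: float = 0.75) -> bool:
    """Assumed heuristic: enough declarations and nearly all of them short random names."""
    ratio, total = short_name_ratio(js)
    return total >= min_decls and ratio >= threshold

# Constructed samples: one in the style the packer emits, one hand-written.
PACKED_SAMPLE = (
    "var Qz = document; var kLp = Qz.createElement('iframe');"
    "function xY(aB){ return aB.split('').reverse().join(''); }"
    "var Wt = xY('...'); kLp.src = Wt;"
)
CLEAN_SAMPLE = (
    "var counter = 0; function updateCounter(step) { counter += step; }"
    "var header = document.getElementById('header'); var footer = null;"
)

if __name__ == "__main__":
    print("packed sample flagged:", looks_packed(PACKED_SAMPLE))   # True
    print("clean sample flagged:", looks_packed(CLEAN_SAMPLE))     # False
```

The threshold and minimum declaration count are illustrative; a real detector would tune them against benign minified code, which also uses short names.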
5. There are some modifications in the Mpack loading pages (Index.php)
a) Ability to target specific geographies: the MPack owner can supply a predefined list of the countries to infect. settings.php is modified to include a $CountryList variable, in which the owner lists the chosen countries as 2-letter codes only, for example:
$CountryList = "RU US UA";
b) Additional statistical reporting on browser usage and exploitation. The statistics now record the browser type infected in addition to the country hits.
6. Vml_dbg.php is removed in MPack v0.91. This file, when run, creates a file carrying the exploit for "Vulnerability in Vector Markup Language Could Allow Remote Code Execution" (MS06-055).
7. The exploits available in v0.91:
a) MS06-014 (MDAC RCE Vulnerability)
b) MS06-006 (Windows Media Player Plugin RCE Vulnerability)
c) MS06-044 (Microsoft Management Console Vulnerability)
d) XML overflow XP/2k3
e) WebViewFolderIcon overflow
f) WinZip ActiveX overflow
g) QuickTime overflow
h) ANI overflow
Document created by Parveen Vashishtha, with assisted research by Umesh Wanve.