A nasty piece of malware was sent our way this weekend that we are detecting as Trojan.Mpkit!html and Downloader. This malware is yet another malware distribution and attack kit in the same vein as other kits, such as WebAttacker. This kit, called MPack, is a professionally written collection of PHP software components designed to be hosted and run from a PHP server with a database backend. It is sold by a Russian gang and comes ready to install on a PHP server, and it also comes complete with a collection of exploit modules to be used out of the box.
How it infects computers
Once the server is installed and running, all the owner has to do is to start generating some web browser traffic to it. They can do this by various means including:
• Hacking into popular web sites and adding IFRAME snippets to its web pages.
• Setting up typo-squatting web sites on popular domains to trap accidental visitors.
• Spamming out emails with the IFRAME code embedded.
Typical Attack Scenario
In a typical attack scenario, a user enters the URL of a legitimate web site into their browser. Unknown to the user, the web site they are visiting has been hacked into and its web pages tainted with malicious content.
1. A user accesses what they believe to be a legitimate web server through a web browser.
2. Unbeknownst to the user, the web server they are accessing has been hacked and the server responds with what they requested and some additional IFRAME code embedded within the HTML source.
3. Once the user’s browser receives the tainted HTML code, the IFRAME code causes the browser to make an additional request to another URL; in this case it makes a request to an intermediate server.
4. The intermediate server redirects the request to the final target server, which is the one hosting the MPack server.
5. The MPack server analyses the HTTP request header received from the user’s browser. Standard HTTP request headers contain information about the browser type and operating system used, as well as other information. Once the MPack server determines which browser and operating system are used, it uses that information to select which exploits it will send to the user’s browser to try and exploit it. The server may try as many exploits as it has available, or stop as soon as the targeted computer is compromised. The MPack server stores data about the user’s computer, which exploits were used and which were successful, as well as the user's country of origin.
6. Once the user’s computer is compromised, the shell code directs the computer to download an additional file from the MPack server.
7. The MPack server responds with the requested file (file.exe or file.php). This is executed by the compromised computer and causes it to download further files from other sources.
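The infection vectors listed earlier (IFRAME snippets added to hacked pages, typo-squatting sites, spammed IFRAME code) and steps 2 and 3 of the scenario above all hinge on one artefact: a small, usually invisible IFRAME that pulls the victim's browser to an intermediate server. The following is an added example, not code from the original post or from the MPack kit, of a defender-side check that parses an HTML page and flags IFRAMEs showing the tell-tale traits: pointing off the page's own domain combined with a zero/one-pixel size, CSS hiding, or a bare IP address as the host. The sample page, the hostnames and the loader path in it are constructed for this example (the IP is from a documentation range), and `find_suspicious_iframes` is the example's own function name.

```python
"""Flag injected IFRAME loaders of the kind attack kits such as MPack rely on.

Added example for this post (not the post's or the kit's code). All sample
inputs below are constructed; the flagging heuristics are an assumption
chosen for illustration, not a description of any product's detection.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser hands attribute values as str or None; normalise to str
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for dimensions such as '0', '1', '1px' or '0%' that render nothing visible."""
    digits = "".join(ch for ch in value.strip() if ch.isdigit())
    return digits != "" and int(digits) <= 1


def _is_ip_host(host):
    """True when the host part of the src is a literal IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_iframes(html, page_host):
    """Return [{'src': ..., 'reasons': [...]}, ...] for each IFRAME that points off
    `page_host` AND is concealed (tiny or CSS-hidden) or targets a bare IP.
    Same-site frames and visibly sized third-party embeds are not reported."""
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""  # '' for relative src => same site
        off_domain = bool(host) and host != page_host
        reasons = []
        if _is_ip_host(host):
            reasons.append("src is a bare IP address")
        if _is_tiny(attrs.get("width", "")) or _is_tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by CSS")
        if off_domain and reasons:
            findings.append({"src": src, "reasons": ["off-domain src"] + reasons})
    return findings


# Constructed sample: one legitimate same-site frame and one injected 1x1,
# CSS-hidden frame pointing at an intermediate redirector (placeholder IP/path).
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widgets/weather.html" width="300" height="200"></iframe>
<p>News of the day.</p>
<iframe src="http://198.51.100.23/loader.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""


def scan_sample():
    """Run the check over the constructed page as if it were served by www.example.com."""
    return find_suspicious_iframes(SAMPLE_PAGE, "www.example.com")


if __name__ == "__main__":
    for hit in scan_sample():
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```

Run this over pages pulled from your own web servers (or from a proxy's cached responses) to catch the tainted HTML in step 2 before it reaches users; in practice you would widen the same-site test to an allowlist of your own subdomains and known embed providers, since a plain hostname comparison treats every third-party frame as off-domain.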
Since the creators of the MPack server are in the business of making money out of their creation, they understand how business owners (their customers) like to have a management console where they can control and monitor the state of their “business”. To address this need, they have created a handy metrics and control console page to allow the owner of the attack server to view how the server is getting on.
The owner of the page can access and view this console by using a URL with a username and password combination. The page contains details of how many different computers were attacked, how many attacks were successful, with what type of exploit and what browser or operating system. As you can see in the example below, a total of 10222 unique computers were compromised by this single server, which is a significant population of computers that the owners of this MPack server can put to use in generating cash.
Also in the metrics page, we can see a breakdown of the visitors to the MPack server organised according to the country of origin. As you can see, a large proportion of the visitors are of Russian origin. The image below represents an extract of the full country listing.
The ongoing development of this MPack kit (currently at version 0.86) serves to underline the fact that the criminals are taking full advantage of the online world to generate their ill-gotten gains. There’s low risk of detection and capture, and even lower risk of physical danger in carrying out cyber crime. As one of the members of the Fujacks gang once boasted, “This is a better money making industry than real estate.” No wonder new attack kits and updates to existing ones keep cropping up.
Web users would be well advised to keep their software and operating systems up to date with the latest vendor patches and updates, and also follow the standard security best practices. Users of Symantec security software will be glad to know that we already detect the malicious web pages as Trojan.Mpkit!html. The downloader component is detected as Downloader.