Friday, June 22, 2007

Nasty malware toolkit making the rounds

June 21, 2007
http://weblog.infoworld.com/zeroday/archives/2007/06/nasty_malware_t.html

Security researchers at VeriSign are tracking the emergence of a dangerous malware development kit being sold on the Russian underground that is being used to level many different types of threats at unprotected computers.

Dubbed MPack, the kit -- which is trading hands for roughly $1,000 -- is empowering stealthy malware attacks on Web browser vulnerabilities, and claiming roughly a 50 percent success rate, according to Ken Dunham, senior engineer and director of the Rapid Response Team in VeriSign's iDefense security unit.

Dunham said in an e-mail that MPack is using multiple exploits "in a very controlled manner" to infect vulnerable computers.

Among the specific exploits that the MPack kit is using to assault end user machines are those that attack the Windows animated cursor (ANI) flaw, the WinZip ActiveX overflow problem, and issues in the QuickTime multimedia framework -- which was originally authored by Apple. The malware package is also being used to assault a range of additional security vulnerabilities already identified and patched by Microsoft.

Dunham said that VeriSign has observed the MPack kit being sold by an individual operating on the Russian malware scene known as "$ash" who has also been offering a so-called "loader" version of the code -- used to deliver executable files -- for $300. In his marketing materials, $ash is claiming that attacks using the kit are 45-50 percent successful.

VeriSign reports that threats derived from MPack -- which researchers have also dubbed WebAttacker II -- date back as far as Oct. 2006 and have accounted for as much as 10 percent of all recent Web-based exploits.

The company contends that over 10,000 Web domains were utilized for referral in a recent MPack attack that was aimed largely at users in Italy and affected as many as 80,000 unique IP addresses.

"It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server," Dunham writes. "When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice."
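The redirect chain Dunham describes starts with a hidden iframe injected into an otherwise legitimate page. The following is an added example, not code from the article or from VeriSign: a small defender-side scanner that flags iframes which both point off-site and are hidden (1x1 dimensions or CSS-hidden), the combination typical of such injections. The sample page, the `attacker.invalid` host and the `www.example.com` site host are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page carrying one normal embedded video
# and one injected, hidden iframe that points to an off-site landing page.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/video" width="640" height="480"></iframe>
<iframe src="http://attacker.invalid/in.cgi?3" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # HTMLParser already lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _is_tiny(value):
    """A width or height of 0 or 1 (optionally 'px') is a hidden-iframe tell."""
    return re.fullmatch(r"\s*[01](px)?\s*", value or "") is not None


def find_suspicious_iframes(html, site_host):
    """Return the src of each iframe that is both off-site and hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.iframes:
        src = f.get("src", "")
        # A relative or empty src stays on the hosting site
        host = (urlparse(src).hostname or site_host).lower()
        off_site = host != site_host.lower()
        style = f.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(f.get("width")) or _is_tiny(f.get("height"))
                  or "display:none" in style or "visibility:hidden" in style)
        if off_site and hidden:
            hits.append(src)
    return hits


if __name__ == "__main__":
    print(find_suspicious_iframes(SAMPLE_PAGE, "www.example.com"))
```

Run against a crawl of your own hosted pages, a non-empty result is the point at which to compare the page against its known-good copy and review the hosting account for compromise.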

The VeriSign security researcher said that MPack attacks have indeed been very successful, according to the log files the company has reviewed. The threats recently victimized over 2,000 new machines in a period of only several hours according to its analysis of a command and control (CNC) Web site associated with the threats, Dunham said.

MPack uses a CNC Web site interface to report infection statistics back to the attackers, the researcher said.

One of the payloads being served up in MPack-driven attacks is the Torpig spyware program. VeriSign associates that threat with a hacker group known as the Russian Business Network (RBN), which Dunham labeled as "one of the most notorious criminal groups on the Internet today."

The company has observed MPack attacks installing Torpig malware code that was hosted on what it has identified as an RBN-controlled server.

"RBN is closely tied to multiple attacks including Step57.info cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date," Dunham writes. "Nothing good ever comes out of the Russian Business Network net block."

The researcher said that RBN, based out of Saint Petersburg, Russia, represents "a virtual safe house for attacks," and indicated that the group is also responsible for distribution of phishing attacks and child pornography.