MPack, the Italian Job

More and more attention has been given to MPack as its pervasiveness spreads in both the news media and as the cause of a growing number of compromised systems.

MPack has been dubbed The Italian Job due to the vast number of compromised systems in Italy, but has begun to surface in other parts of the world. MPack is a framework similar to that of Metasploit or Webattacker. This framework is used to exploit remote systems by taking advantage of known vulnerabilities that have yet to be addressed by the vendors or the end users. MPack was developed by a group of Russian's programmers calling themselves the "Dream Coder Team". The first documented release was back in December of 2006. This framework or kit is available for sale for as much as $700 to $1000, including support. Exploit updates are not included in the base price and fetch $50 to $150 per new exploit.

MPack Method of Operation

The Mpack framework was written in PHP, and has an accompanying MYSQL database. The database is used to store data about the victims machine. The method of infection is as follows. First a malicious web server needs to be in place. This can occur through either hacking of a web server currently online or setting up a new web server. A new web server will need to draw traffic; this can be accomplished by using several techniques, including typo squatting (registering hostname similar to legitimate website and targeting users who mistyped their intended URL), placement of malicious URL in SPAM, use of IFRAME redirection embedding in the HTML page of a compromised 3rd party web server, or by purchasing advertising space through Google or other advertising related websites. Infection commonly involves a user visiting a malicious website hosting an index.php file that will be loaded in the victims web browser. At this point, the MPack server will begin to collect metadata about the victims system, such as IP address, operating system, browser type, and the geographical location (based on IP address).

At this point, the MPack framework comes into play. An arsenal of exploits is directed at the target system until a successful compromise occurs. Note that new exploits can be loaded into the MPack framework at any time . MPack has exploits for many different browsers including Microsoft Explorer, Firefox, Netscape, Konqueror and Opera, and targets a variety of operating systems, including Windows, Linux, FreeBSD and MAC. After the victim system is compromised, the MPack server will push a file called file.PHP or file.exe, which will be executed on the victim's system, and cause the system to download other files from various locations. These files are the system malware or payload.

Next, various malware files may be executed on the system, including keyloggers, backdoors, internal proxies, and programs that change system configuration to establish external web based proxies that allow the attacker to monitor all of the users traffic.

The best defense against MPack is to ensure that all of your systems have the latest vendor patches. Do not fall prey to social engineering by clicking on URL links that appear in unsolicited emails. Pay particular attention, when manually typing URLs into your browser address box, that you type the correct URL. For those who manage web severs, ensure that your web servers have the latest patches installed.