MPack Analysis

Published: 2007-06-20
Last Updated: 2007-06-20 21:42:28 UTC
by Marcus Sachs (Version: 1)

We mentioned a large MPack compromise in a diary two days ago.  Since then we've been accumulating more information about what is going on behind the scenes.  Earlier today VeriSign/iDefense released some pretty good analysis of how it works, what the value of it is, and other goodies.  This summary does not exist online but has been spread via email to the media and other outlets.  Rather than trying to summarize it, iDefense gave the Internet Storm Center permission to reprint it in its entirety.  Thanks, iDefense!

Greetings All,

MPack is the latest and greatest tool for sale on the Russian Underground.  $ash sells MPack for around $500-1,000. In a recent posting $ash attempted to sell a "loader" for $300 and a kit for $1,000. The author claims that attacks are 45-50 percent successful, including the animated cursor exploit and many others, including ANI overflow, MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow, QuickTime Overflow (all these are $ash names for exploits). Attacks from MPack, aka WebAttacker II, date back to October 2006 and account for roughly 10 percent of web-based exploitation today according to one public source.

More than 10,000 referral domains exist in a recent, largely successful MPack attack in Italy, compromising at least 80,000 unique IP addresses. It is likely that cPanel exploitation took place on the host provider, leading to injected iFrames on domains hosted on the server. When a legitimate page with a hostile iFrame is loaded, the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice.

Torpig is one of the known payloads for MPack attacks to date. This code relates back to the Russian Business Network (RBN), through which many Internet-based attacks take place today. The RBN is a virtual safe house for attacks out of Saint Petersburg, Russia, responsible for Torpig and other malicious code attacks, phishing attacks, child pornography and other illicit operations. The Italian hosts responsible for most of the domains seen in a recent MPack attack are using cPanel, a Web administration tool for clients.  A zero-day cPanel attack took place in the fall of 2006 leading up to the large scale vector mark-up language (VML) attacks at that time.  It appears likely that the Russian authors of the cPanel exploit, who are also related to the RBN, used the exploit to compromise the Italian ISP and referral domains used in the latest MPack attack.

MPack uses a command and control website interface for reporting of MPack success. A JPEG screenshot of a recent attack is attached to this message.


1.  MPack is a powerful Web exploitation tool that claims about 50 percent success in attacks silently launched against Web browsers.

2. $ash is the primary Russian actor attempting to sell mPack on the underground, for about $1,000 for the complete MPack kit.

3. MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers. Exploits range from the recent animated cursor (ANI) to QuickTime exploitation.  The latest version of mPack, .90, includes the following exploits: 

          WinZip ActiveX overflow
          QuickTime overflow

4. The Russian Business Network (RBN) is one of the most notorious criminal groups on the Internet today.  A recent MPack attack installed Torpig malicious code hosted on an RBN server.  RBN is closely tied to multiple attacks including cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date.  Nothing good ever comes out of the Russian Business Network net block.

5. MPack attacks experience high success, according to attack log files analyzed by VeriSign-iDefense.  In just a few hours more than 2,000 new victims reported to an MPack command and control website.  A recent attack, largely focused in the area of Italy, involved more than 80,000 unique IPs.

Ken Dunham
Senior Engineer
Director of the Rapid Response Team

Marcus H. Sachs
Director, SANS Internet Storm Center
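The injected-iFrame stage described in the iDefense write-up above is the part a site owner can check for on their own server. The following is an added example, not code from the write-up or the diary: a small scanner that flags iframes in served HTML that point off-site, are sized to zero or one pixel, or are hidden with CSS. The sample page and the host names in it are constructed for the demonstration.

```python
"""Scan served HTML for injected hidden iframes (defender-side check)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = ("display:none", "visibility:hidden")

class IframeCollector(HTMLParser):
    """Collects every <iframe> tag with its attributes."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixel)."""
    return value.strip().rstrip("px") in ("0", "1")

def find_suspicious_iframes(html, trusted_hosts):
    """Return (src, reasons) for each iframe that looks like an injected redirect."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        if host and host not in trusted_hosts:
            reasons.append("external src %s" % host)
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("zero/one-pixel size")
        style = attrs.get("style", "").replace(" ", "").lower()
        if any(h in style for h in HIDDEN_STYLE):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample page: a legitimate embed plus an injected hidden iframe
SAMPLE_HTML = """
<html><body>
<iframe src="http://www.example.com/video" width="400" height="300"></iframe>
<iframe src="http://exploit.invalid/in.php" width="1" height="1"
        style="display: none"></iframe>
</body></html>
"""
```

Run it over the HTML files a web server actually serves (not just the files on disk) and investigate any iframe that hits more than one of these indicators.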



Pump and dump scams now in PDF

Published: 2007-06-20
Last Updated: 2007-06-20 21:33:39 UTC
by Maarten Van Horenbeeck (Version: 1)

Apparently the groups behind what we know as pump and dump spam have found a new way to bypass spam filters. As of yesterday, we’ve been observing e-mails with bogus text, often in German, each with a PDF attachment.

These PDFs purport to be stock information, and are usually titled ‘German Stock Insider’. They contain much more detail on the stock than we’re used to from previous pump and dump scams and include images for added realism. They even contain the following disclaimer:

“This is not an offer to buy or sell any security. German Stock Insider discloses that they were paid ten thousand Euros for distribution of this report.”

The messages are usually sent to name@domain with an attachment name of name_report.pdf. Apparently they are distributed mostly to .com and .org domains, though most of the reports we’ve received were from Europe. Each of the reports so far has had an MD5 hash of 2e4b2158909f276942dadf6a0b621b1a. Thanks to Günter for reporting his findings.
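The two indicators in this diary (an attachment named after the recipient's local part, and a single MD5 across all samples) are easy to turn into a mail-filter check. This is an added example, not code from the diary: it parses a message with the standard library, looks for name_report.pdf matching the To: address, and compares the attachment's MD5 against the hash reported above. The sample message is constructed; its attachment body is a placeholder rather than the real report.

```python
"""Flag mail matching the PDF pump-and-dump pattern described above (defender check)."""
import hashlib
from email import message_from_string
from email.utils import parseaddr

# MD5 reported in the diary for the distributed report PDF
KNOWN_REPORT_MD5 = "2e4b2158909f276942dadf6a0b621b1a"

def check_message(raw_message, known_hashes=frozenset({KNOWN_REPORT_MD5})):
    """Return the reasons a message matches the campaign pattern (empty if none)."""
    msg = message_from_string(raw_message)
    local_part = parseaddr(msg.get("To", ""))[1].split("@")[0].lower()
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".pdf"):
            continue
        # Diary heuristic: mail to name@domain carries name_report.pdf
        if local_part and name == "%s_report.pdf" % local_part:
            reasons.append("attachment name derived from recipient")
        payload = part.get_payload(decode=True) or b""
        if hashlib.md5(payload).hexdigest() in known_hashes:
            reasons.append("attachment hash matches known report")
    return reasons

# Constructed sample MIME message; the attachment body is a placeholder,
# not the real report, so only the filename heuristic fires on it
SAMPLE_MAIL = """\
From: sender@example.invalid
To: alice@example.org
Subject: Aktien Info
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Guten Tag, bitte lesen Sie den Bericht.
--XYZ
Content-Type: application/pdf; name="alice_report.pdf"
Content-Disposition: attachment; filename="alice_report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""
# Digest of the placeholder body, used to exercise the hash check
PLACEHOLDER_MD5 = hashlib.md5(b"%PDF-1.4\n").hexdigest()
```

The hash check only catches this exact sample; the filename heuristic is what keeps working once the senders rebuild the PDF.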

Other miscellaneous stuff I've come across recently

Published: 2007-06-20
Last Updated: 2007-06-20 21:09:03 UTC
by Jim Clausing (Version: 1)

Complexity is bad for security

I've mentioned before that I read Spaf's blog.  He doesn't post too often, but he had a story last week that really resonated with me (and he referenced the story where the Mac+ beat a new AMD machine running XP in 53% of the tests they ran).  I started programming on machines where 256KB was a lot of RAM and 256MB was a whole lot of disk (yes, I have been doing this a while).  Everyone likes all their new features, but that has resulted in bloated unmaintainable code, and the size and complexity has a cost in security.

Honeypot-type fake service scripts/tools

Also, these fake SMB tools have been out a couple of months, but I missed them until they were mentioned this morning on the Darknet blog.  These are useful additions to the tools I run in my malware analysis environment to spoof other services.  Also, on the French Honeynet Project tools page are fake SNMP tools that I'll have to take a look at too.  Does anyone have a good compilation of these tools?  Let me know via the contact page and I'll summarize the results next week.

Apple TV security update

Published: 2007-06-20
Last Updated: 2007-06-20 15:36:31 UTC
by Jim Clausing (Version: 1)

Apple has released a bulletin and update to their Apple TV software which fixes a buffer overflow (with possible remote code execution) in its UPnP IGD code (CVE-2007-2386; this is related to recent Mac OS X updates).  The device should automatically install the update when it does its weekly check for updates.
