Malware Building Toolkit Aids in Launching Attacks

A dangerous malware development kit is being sold on the underground market in Russia. Criminals are using the kit to match various kinds of threats to unprotected PCs. Security researchers at VeriSign are trying to trace the course of the kit's rise and prevalence.

The kit is called 'MPack' and sells for approximately $1,000. It aids malware attacks by exploiting web browser loopholes, and it claims a success rate of about 50% of attacks, according to Ken Dunham, SE (Senior Engineer) and director of the Rapid-Response-Team in VeriSign's iDefense security division.

MPack, also called WebAttacker II, originated in October 2006, when it was used in nearly 10% of attacks on the Web. According to iDefense, in the latest wave of MPack assaults, about 10,000 domains accessed almost 80,000 separate IP addresses in Italy, in Southern Europe.

Dunham said via e-mail that MPack performs several exploits "in a strictly controlled manner" to spread infection on vulnerable PCs. MPack generates the notorious Torpig Trojan as one of its important payloads, VeriSign reported. Torpig is closely related to the RBN (Russian Business Network), which is being used as the current medium for various web-based assaults.

The RBN is virtually a safe haven for cyber criminals to launch attacks from St. Petersburg, Russia. These attacks usually range from phishing to child pornography to other illegal operations, noted Dunham, as reported by Top Tech News on June 22, 2007.

To launch attacks on end users' machines, the MPack kit uses specific exploits that target the Windows animated cursor (ANI) flaw, the WinZip ActiveX overflow vulnerability, or vulnerabilities in the QuickTime multimedia framework.

It is possible that cPanel exploitation occurred at a hosting provider, resulting in iFrame injections on the server's domains. When a victim downloads a legitimate web page carrying a hostile iFrame, the tool takes the victim via the iFrame to an MPack-crafted page. This page runs exploits and installs malicious software, all in a very controlled fashion, wrote Dunham, as reported by Infoworld on June 21, 2007.

MPack reports the success of an attack to the hackers through a CNC (Command and Control) website interface, said Dunham.


» SPAMfighter News - 7/5/2007
