MPack: how to infect thousands of websites

We’ve been wondering for a few months now how malware mafias can hack so many web sites automatically so that they can be exploited by MPack. Yesterday a few theories came to light, such as hinting that all the hacked servers belong to the same virtual hosting server, or the use of an ‘IFRAME Manager tool’. We have been familiar with this tool for about 4 months. Its real name is ‘FTP-Toolz pack’ and it is being sold for $25. Here you can see a capture from a Russian forum where it was advertised for sale:



And the tool itself:




When we found MPack at the end of last year we also found a similar tool named ‘RooT [iFrame]’ on one of the hacked servers. There is a funny thing about this one: if you buy it through the Russian version of the hacker’s website, it is just $25. If you go to the English version of the same site, the price doubles to $50. Finally we found yet another one named FTPCheckIframe, this time only in Russian and for $25.




Even though we are still wondering how they gain access to those servers, it seems that they make use of tools such as the ones mentioned and feed them a list of usernames and passwords, probably stolen by the same Trojans and keyloggers they have previously gathered or purchased. But… how do they work with all that mess? They can have hundreds of thousands of FTP addresses with usernames and passwords, but they don’t know which ones are working, which ones have write access, etc.




Then we ran into yet another tool, this time a PHP script that validates FTP accounts. The hacker loads the stolen account lists into a file called acc.txt, and by means of the script (ftp_check.php) the valid ones are dumped into a file called valid.txt.




He can then use that information with any of the previous programs (FTP-Toolz pack, RooT [iFrame] or FTPCheckIframe) and automatically infect hundreds of thousands of web pages with the MPack IFRAME.


More about Mpack

In the last hours, many things have been said about the MPack massive infection with more than 10.000 affected websites. For more information, visit the Websense site http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782 .


Although the data is astonishing, we are not very surprised, as we carried out a small study on MPack, and in 2 months (April & May 2007) we discovered 41 different servers. The statistics were frightening: more than 1 million users infected (1217741), and the iframe code was present in 366717 web pages.


We don’t think that those 366717 websites had been hacked and infected manually one by one.


Although we haven’t found it yet, it seems that they have a program that looks for vulnerable web servers, accesses the main file that loads the web page and adds an iframe reference to MPack, so that the users who visit these websites are infected too.
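As an added example (not code from the original post): the injection described above leaves a tell-tale artifact in the site's own main file, an iframe that is either invisible (0/1 px, display:none) or points to a host that is not the site's own. The checker below parses a page and flags such frames; the host names in the sample page are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# 0/1 px dimensions in an inline style: the usual way an injected frame is kept invisible.
_ZERO_STYLE = re.compile(r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)")
_ZERO_ATTR = re.compile(r"^\s*[01](?:px)?\s*$")


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def is_hidden(attrs):
    """Heuristic: the frame renders invisibly (0/1 px, display:none or visibility:hidden)."""
    style = attrs.get("style", "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style or _ZERO_STYLE.search(style):
        return True
    return any(_ZERO_ATTR.match(attrs.get(a, "x")) for a in ("width", "height"))


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for every iframe that is hidden and/or points off-site."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs, which stay on-site
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if host and host.lower() != site_host.lower():
            reasons.append("off-site")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample page: one legitimate visible frame, one 1x1 frame to a placeholder host.
SAMPLE_INDEX = """<html><body>
<iframe src="http://www.example-shop.invalid/promo.html" width="300" height="200"></iframe>
<iframe src="http://injected-host.invalid/index.php" width="1" height="1" style="border:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_INDEX, "www.example-shop.invalid"):
        print(f"{src}: {', '.join(reasons)}")
```

Running the same function over every index file of a hosting account, and alerting on any new off-site or hidden frame, turns this into a cheap integrity check for the injection pattern the post describes.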


Version 0.90 of MPack has recently come out. Among the latest changes in this version are the following:


- The capability to infect only in certain countries.
- stats.php has been replaced by admin.php. Now a username is required as well as a password, which makes it much safer.
- An update to the encryption module, which makes the exploits it uses harder to detect.
- Several small changes to the interface, bug fixes, etc.
- Its price has increased from $700 to $1000.


So far, we have located 4 active servers running this new version.




Botnet controller via web

Today, when I was tracking the server to which a variant of Trj/LdPinch sends information, I came across, among the files on the server, some .php files that are used to control a botnet via the web.


The image below shows the initial screen, from which the infected systems can be viewed by geographical area:



And the “Botnet controller” option allows different actions to be carried out on the affected systems: