Multi-Middleman 'Mpack' Attacks Use Google AdWords to Lure Victims

By Scott M. Fulton, III, BetaNews

June 19, 2007, 11:46 AM

One of Russia's fastest-growing markets, and quite possibly a contributor to stabilizing that country's fickle economy, is cut-rate, self-deploying Trojan horse packages.

As malware writers there have discovered, rather than baiting traps and waiting for random victims to stumble into them (and unknowingly carry out DoS and identity-theft attacks on the writers' behalf), there are would-be customers worldwide who will gladly pay for the privilege of knowingly running those same attacks themselves.

"In terms of social engineering," writes Trend Micro researcher Carolyn Guevarra, "it seems the authors behind this attack have come up with the perfect crime."

For a few hundred dollars, maybe less, people who seek the vicarious thrill of serving as tools for fake Russian mobsters are downloading the "Mpack" package. They then install it on their own systems and monitor their screens as a startlingly efficient admin toolkit of sorts charts the flags of various target countries, like a real-time game of "Risk."

As a report from anti-virus company Trend Micro states this morning, the target of choice for Mpack in recent days has been Italy. Many of the country's higher-profile sites have been hit, including media publishers, tourism services, and auto sales sites.

But it may be inaccurate to say that the Russians are directly targeting the Italians, since according to in-depth analyses of Mpack, it's the customers who purchase Mpack from underground Russian servers who decide which Web sites will be the unsuspecting hosts of attacks on their users.

The attacks themselves are not new, though they are surprisingly varied. According to an in-depth PDF report from Panda Software security engineer Vicente Martinez, which stops just short of telling you where you can buy the thing yourself, servers running the Mpack kit push Trojan downloaders onto unsuspecting users' computers. The delivery is not brute-force; the kit fingerprints the visiting browser and serves an exploit tailored to it - IE7, Firefox, or Opera. (Yes, these are Windows-based attacks.)

A browser pointed at one of the many compromised Italian Web sites is redirected by code Mpack's customers inject into the page, most often an invisible <IFRAME> element whose source is a raw IP address rather than a host name. The exploit server at that address then tries whichever of several methods fits the browser, including buffer overflows, to push stealth code through the browser onto the victim's machine. From there, Panda's engineers reveal, the kit records which visitors were successfully exploited and stores those statistics in a MySQL-backed database.

Those statistics are then available to the Mpack customer, who may or may not have any use for them; he might not even know what they mean. Whether a separate report goes back to Mpack's own writers is unknown.

But the Panda report also states that Mpack's writers take an extremely unorthodox approach to amplifying the magnitude of their attacks, which customers may perceive as a unique "value-add": Along with the invisible <IFRAME> element, they inject non-displayed words into the HTML code of sites' front pages - perhaps words that have nothing to do with the sites' native contexts. Then they use a portion of their income from sales to purchase sponsored links from Google AdWords, matching those words with users' searches to direct them to those sites. (Hypothetical example: "More about Paris Hilton in jail at UsedFerraris.it")
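The two injections described above, the invisible <IFRAME> to a raw IP address and the hidden keyword text, are exactly what a site owner or incident responder can look for in a page's HTML. The scanner below is an added example for this article, not code from the Panda or Trend Micro reports; the sample page, the address 203.0.113.5 and the finding names are constructed for illustration. It uses only the Python standard library, flags iframes whose host is a bare IP literal (separately noting whether the frame is hidden by CSS, a hidden attribute or a zero-size box), and reports any visible-text content that sits inside a hidden element.

```python
"""Scan a page's HTML for hidden iframes to raw IPs and hidden keyword text."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a compromised front page (not a real site): an
# invisible <iframe> to a raw IP address, a block of hidden keywords, and a
# legitimate, visible iframe that must not be flagged.
SAMPLE_HTML = """<html><head><title>Used Ferraris</title></head><body>
<h1>Usato Ferrari</h1>
<p>Offerte della settimana.</p>
<iframe src="http://203.0.113.5/index.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<div style="display:none">Paris Hilton jail news gossip</div>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ZERO_DIM = re.compile(r"\s*0+(px)?\s*$")
VOID_TAGS = {"br", "img", "meta", "link", "input", "hr", "area", "base",
             "col", "embed", "source", "wbr"}


def is_raw_ip(url):
    """True if the URL's host is a bare IPv4/IPv6 literal rather than a name."""
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def is_hidden(attrs):
    """Element hidden via inline CSS, the hidden attribute, or a 0-size box."""
    if "hidden" in attrs or HIDDEN_STYLE.search(attrs.get("style", "")):
        return True
    return any(ZERO_DIM.match(attrs.get(k, "")) for k in ("width", "height"))


class InjectionScanner(HTMLParser):
    """Flags iframes pointing at raw IPs and text inside hidden elements."""

    def __init__(self):
        super().__init__()
        self.findings = []   # (finding_kind, value) tuples
        self._stack = []     # (tag, hidden) for every currently open element

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden = is_hidden(a)
        if tag == "iframe" and is_raw_ip(a.get("src", "")):
            kind = "hidden_iframe_raw_ip" if hidden else "iframe_raw_ip"
            self.findings.append((kind, a["src"]))
        if tag not in VOID_TAGS:
            self._stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate sloppy, unclosed markup.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break

    def handle_data(self, data):
        text = data.strip()
        if text and any(hidden for _, hidden in self._stack):
            self.findings.append(("hidden_text", text))


def scan_html(html):
    """Return a list of (finding_kind, value) tuples for the given HTML."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, value in scan_html(SAMPLE_HTML):
        print(f"{kind}: {value}")
```

Run against the sample it reports the 203.0.113.5 frame as a hidden iframe to a raw IP and the "Paris Hilton" block as hidden text, and stays silent on the visible example.com frame. A raw-IP iframe that is not hidden is still reported, under a separate name, since that is unusual enough on a production site to deserve a look; hidden text is reported without judging its content, because the article's point is that the injected words need not relate to the site at all.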

A report from Virus Bulletin this morning estimates the number of Mpack-infected servers worldwide to have risen just over the weekend to over 10,000, with Italy housing the majority. Trend Micro points out that Mpack's writers could conceivably update their Trojan-implanting server (the one to which the <IFRAME> element directs browsers) without actually having to update the software they sell, which could make heuristics for tracking Mpack's behavior even more difficult to construct.


By Scotch Moose

edited Jun 20, 2007 - 9:07 AM

Google Adwords is the best way to get traffic to your site, legit or otherwise.

Odd the discussion is about Google and not the 10000 cracked IIS servers or the fact that there has never been a single day when it was safe to browse the web with a Windows PC.

If you must use Windows use firefox with the noscript plug-in. Only allow sites you know and trust to run scripts on your machine. I like to check and make sure they are running apache before I enable their scripts.


By bsf

posted Jun 20, 2007 - 3:02 AM

True.
Sometimes having a heavily virus-infected machine is even lighter than having a scanning McAfee or Norton.


By bourgeoisdude

posted Jun 19, 2007 - 2:08 PM

There is more incentive to develop malware in today's society than there is to develop anti-malware. So--we still wonder why it's so hard to find a decent anti-virus program these days...


By mjm01010101

posted Jun 20, 2007 - 2:56 AM

Every Anti-virus program is a reactive technology... and by that model is subject to flaws, both false positive and delayed reaction to real-world threat.

Which leads one to the conclusion: There is no point using AV over meticulously managing your routers, firewalls, client and server operating systems and training your staff/friends/self on safe browsing/computing, (which of course means always browse with lower privilege levels, something linux and OSX people have done for many years before vista came around.)
