June: Disturbing Developments
By mid-June, Gozi was practically forgotten, and the new thing was MPACK. This one even had some veteran researchers muttering pesdato!

A typical Trojan like Gozi might rely on one exploit to try and open up a connection with the target PC. MPACK, on the other hand, is a briefcase full of exploits, a dozen or more of them. Mostly they’re old exploits, but the idea is that if you try 15 different lock picks, one is bound to get you in. What’s more, MPACK then reports back to its server which exploits worked where and stores that information in a database, an intelligence function used to effectively pack the briefcases with the most successful lock picks. The practice seems to have vastly increased the successful infection rate of PCs that visit sites delivering MPACK.

MPACK is actually sold with malware such that once the briefcase of exploits gets access, a Trojan—often Torpig—will be delivered to the PC. Other Trojans, like Apophis (which steals digital certificates) and even the old Nuclear Grabber that Corpse was hocking more than a year ago are also available in conjunction with MPACK. It costs hundreds to thousands of dollars.

Researchers still trying to penetrate this service say that MPACK is being sold by sash, likely the same as “sash” who posted news of Corpse’s semi-retirement on the Pinch3.net discussion board. (Sash sells Pinch, too). Sash in turn seems to be working with Step57, a group likely run by 57, the HangUp Team coder who Jackson had found who posted the news of 76service’s demise. All of these players have connections to the Russian Business Network, according to several researchers, including Jackson.

MPACK’s multiple-exploit technique was used before in an exploit called WebAttacker. But MPACK is more effective because of iFrames. Disturbingly, the iFramers seem to have come up with some automated exploit kit capable infecting a massive number of Web pages with illicit iFrames in a short period of time, “like a machine gun spraying holes in sites” says Lance James. The first round of iFrame injections created to deliver MPACK showed up, literally, overnight—more than 10,000 pages were infected, mostly on Italian sites. Since then the process has repeated itself, moving country to country. Thousands of infections all at once.

Researchers are still trying to understand what allows the deployment of so many iFrames so quickly. Mostly they’re reporting on rumors and theories. Using a virtual host to infect many sites is one working theory. But no one knows yet for sure how it’s done. What they do know is iFraming is officially pandemic. “The iFramers are making a killing,” Jackson says. “They don’t get their hands dirty with the actual malware. They just break into a server with scripts. It’s a good business to be in right now.”

Next: The evolution of malware continues.