Hacker Economics 3: MPACK and the Next Wave of Malware

Third in a series. New variants and new methods proliferate in the wake of 76service.

Page 3 of 3

June: Disturbing Developments

By mid-June, Gozi was practically forgotten, and the new thing was MPACK. This one even had some veteran researchers muttering pesdato!

A typical Trojan like Gozi might rely on a single exploit to open a connection with the target PC. MPACK, on the other hand, is a briefcase full of exploits, a dozen or more of them. Most are old exploits, but the idea is that if you try 15 different lock picks, one is bound to get you in. What’s more, MPACK reports back to its server which exploits worked against which targets and stores that information in a database, an intelligence function used to pack the briefcases with the most successful lock picks. The practice appears to have vastly increased the infection rate among PCs that visit sites delivering MPACK.

MPACK is sold together with malware, so that once the briefcase of exploits gets access, a Trojan, often Torpig, is delivered to the PC. Other Trojans, such as Apophis (which steals digital certificates) and even the old Nuclear Grabber that Corpse was hawking more than a year ago, are also available in conjunction with MPACK. It costs hundreds to thousands of dollars.

Researchers still trying to penetrate this service say that MPACK is being sold by sash, likely the same “sash” who posted news of Corpse’s semi-retirement on the Pinch3.net discussion board. (Sash sells Pinch, too.) Sash in turn seems to be working with Step57, a group likely run by 57, the HangUp Team coder Jackson had found posting the news of 76service’s demise. All of these players have connections to the Russian Business Network, according to several researchers, including Jackson.

MPACK’s multiple-exploit technique had been used before, in an exploit kit called WebAttacker. But MPACK is more effective because of iFrames. Disturbingly, the iFramers seem to have come up with an automated kit capable of injecting illicit iFrames into a massive number of Web pages in a short period of time, “like a machine gun spraying holes in sites,” says Lance James. The first round of iFrame injections created to deliver MPACK showed up, literally, overnight: more than 10,000 pages were infected, mostly on Italian sites. Since then the process has repeated itself, moving from country to country, thousands of infections at a time.

Researchers are still trying to understand what allows so many iFrames to be deployed so quickly. Mostly they’re reporting on rumors and theories. One working theory is that the attackers compromise a shared (virtual) hosting server and thereby reach every site it serves at once. But no one knows yet for sure how it’s done. What they do know is that iFraming is officially pandemic. “The iFramers are making a killing,” Jackson says. “They don’t get their hands dirty with the actual malware. They just break into a server with scripts. It’s a good business to be in right now.”
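Whatever the injection vector turns out to be, the result on the victim site is easy to check for. The scanner below is an added example, not code from the article or from any of the researchers it quotes. It parses a page with the standard-library HTML parser and flags any iframe that is effectively invisible (tiny width/height, or hidden by inline CSS) or that pulls content from a host other than the page’s own, the tells that characterised injected frames of this period. The sample page, the hostnames in it and the pixel threshold are constructed for illustration and are not real MPACK infrastructure.

```python
"""Flag hidden or off-site <iframe> tags, the footprint of an iFrame injection."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page on www.example.com: one legitimate same-site frame
# and two injected ones (a 1x1 frame to a bare IP, and a CSS-hidden frame
# pushed off-screen). Hosts are documentation/reserved names, not real ones.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/widgets/weather" width="300" height="200"></iframe>
<p>Some content</p>
<iframe src="http://203.0.113.10/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<div style="position:absolute;left:-9999px">
<iframe src="http://attacker.invalid/ld/" style="visibility:hidden;width:0;height:0"></iframe>
</div>
</body></html>
"""

TINY_PX = 2  # assumption: a frame this small or smaller is not meant to be seen


def _px(value):
    """Parse an HTML size attribute ('1', '1px') to int pixels; None if not plain pixels."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in document order."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))  # attribute names arrive lower-cased


def style_hides(style):
    """True if an inline style makes the element invisible (display/visibility or zero size)."""
    s = (style or "").lower().replace(" ", "")
    if "display:none" in s or "visibility:hidden" in s:
        return True
    for prop in ("width", "height"):
        m = re.search(rf"(?:^|;){prop}:(\d+)(?:px)?(?:;|$)", s)
        if m and int(m.group(1)) <= TINY_PX:
            return True
    return False


def analyze_iframes(html, page_url):
    """Return a list of {'src', 'reasons'} for every suspicious iframe in the page."""
    page_host = urlparse(page_url).hostname
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append("tiny dimensions")
        if style_hides(attrs.get("style")):
            reasons.append("hidden by css")
        src_host = urlparse(src).hostname  # None for relative src, which we treat as same-site
        if src_host and src_host != page_host:
            reasons.append("off-site src")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_iframes(SAMPLE_HTML, "https://www.example.com/index.html"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

Run against a crawl of your own sites, the "off-site src" signal on its own is noisy (ad and analytics frames are off-site by design), so treat a hit as worth a look when it coincides with a hidden or zero-size frame, or when the source host is a bare IP address or a domain you have never served from before.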


Fraud 4ever

“The thing about MPACK,” says James, “this is the start of the whole thing.” By this he seems to mean that Golden Age of Internet Crime, that dawning era. “They’re starting to think like architects instead of engineers.” MPACK brings together the best iFrames, the best exploits and some state-of-the-art malware into a single package all of which is being improved constantly, and sold with a focus on customer service. In marketing parlance, it’s not a product, it’s a solution.

Business is good. Internet criminals operate with de facto immunity. The pool of vulnerable computers to exploit remains massive. The targeted financial institutions still treat the resulting fraud as an acceptable loss. Law enforcement is otherwise occupied. And technical defenses are merely market conditions to adapt to. For example, when some clever banks came up with a way to beat keylogging by having users type on on-screen “virtual keyboards,” criminal hackers developed Briz, code that captures the pixels around the cursor at each click, in effect taking pictures of the characters being entered. Problem solved.

The criminals innovate. Some tactics will make the hair on your neck prickle. Rumors persist of a nasty Brazilian banking Trojan that can change account numbers, routing numbers, balances and payment/transfer values by injecting HTML, or even whole cloned HTTP requests, into an online banking session on the fly, so that the victim sees information reflecting their intentions rather than the actual transfer. Chris Rouland of IBM has seen similar functionality in a bot called Grams.

Prg, another form-grabbing Trojan, discovered last October, makes researchers awfully nervous. New variants emerge every couple of months and have managed to steal tens of gigabytes of data before being detected. Its encryption is strong and well designed, and its ability to hide itself with anti-forensic techniques is deft.

In June, Don Jackson found a new Prg variant. It shipped with a development kit that allows anyone who buys it to adapt the code on the fly in order to evade anti-virus and anti-spyware software. On the server where he found it, he also found a staging area where new variants had already been developed and were waiting to be released as soon as defenses recognized and blocked the current one. He also found a couple of drops for two different groups who had bought Prg and distributed it both through iFrames and through some good old-fashioned “click on this link” emails. The drops comprised 10,000 account credentials, including second authentication factors and answers to the security questions, like your mother’s maiden name, that are meant to layer extra protection onto the online banking process.

“There’s a consumer side of me that says, Be cautious but life must go on. Someone somehow will take care of this,” says Christopher Hoff. “And the security side of me wants to curl up in the fetal position and not go out.”

After Jackson discovered the Prg variant, he learned of two more Gozi variants found in the wild. The EXE inside these versions is called 76.exe, and is probably the product of 76’s reunion with the HangUp Team. It’s pesdato! It has vastly improved its server network and obfuscation techniques. It bounces traffic from country to country. It hides its drops well. In fact, Jackson’s not sure what it even connects to. He’s looking for the front end, the next 76service. He knows it’s out there. But so far he can’t find it.

This story, "Hacker Economics 3: MPACK and the Next Wave of Malware" was originally published by CSO.


Copyright © 2007 IDG Communications, Inc.
