
Mpack malware/virus or whatever it is!

By Greg Richards | Posted on 1/28/2008 6:24 PM | 1 comment

MPack is yet another malware distribution and attack kit in the same vein as WebAttacker. It is a professionally written collection of PHP components designed to be hosted on a PHP server with a database backend. It is sold by a Russian gang, comes ready to install on a PHP server, and ships with a collection of exploit modules that work out of the box.


How it infects computers

Once the server is installed and running, all the operator has to do is drive web browser traffic to it. They can do this by various means, including:

• Hacking into popular web sites and adding IFRAME snippets to their pages.
• Setting up typo-squatting web sites on popular domains to trap visitors who mistype a URL.
• Spamming out emails with the IFRAME code embedded.
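The first item in that list is the one a hosting administrator can actually check for: an IFRAME that was added to a page the site owner never put there. The scanner below is an added example written for this post, not code from Symantec or from the kit. It walks a web root and reports every iframe whose src points off-site and which is concealed (1x1 or 0x0 box, display:none, visibility:hidden, an offscreen position, or a hidden ancestor), which is the shape of an injected snippet; visible embeds and same-site iframes are left alone. The sample pages and hostnames are constructed placeholders, not real sites.

```python
"""Scan a web root for IFRAMEs injected into hosted pages (added example)."""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements with no closing tag; they must not sit on the ancestor stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# CSS that hides an element or shoves it off the visible page.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d"
    r"|(?:width|height)\s*:\s*[01](?:px)?\b", re.I)


def _size_le_one(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    m = re.match(r"\s*(\d+)", str(value or ""))
    return bool(m) and int(m.group(1)) <= 1


def _concealed(attrs):
    """Does the element hide itself via CSS or a box no larger than 1px?"""
    return (bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
            or _size_le_one(attrs.get("width"))
            or _size_le_one(attrs.get("height")))


class IframeFinder(HTMLParser):
    """Collects off-site, concealed iframes, honouring hidden ancestors."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []        # (tag, hidden?) for every open ancestor
        self.hidden_depth = 0  # number of open ancestors that are hidden
        self.findings = []     # (line number, src) of suspicious iframes

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        hidden = _concealed(a)
        if tag == "iframe":
            self._check_iframe(a, hidden or self.hidden_depth > 0)
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))
            self.hidden_depth += int(hidden)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; ignore stray closing tags.
        if not any(t == tag for t, _ in self.stack):
            return
        while self.stack:
            t, hidden = self.stack.pop()
            self.hidden_depth -= int(hidden)
            if t == tag:
                break

    def _check_iframe(self, a, concealed):
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.site_host and concealed:
            self.findings.append((self.getpos()[0], src))


def scan_html(html, site_host):
    """Return [(line, src), ...] for off-site concealed iframes in html."""
    parser = IframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_webroot(root, site_host, exts=(".html", ".htm", ".php")):
    """Walk root; return {relative path (with '/'): findings} for hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    found = scan_html(f.read(), site_host)
                if found:
                    hits[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return hits


# Constructed sample pages; the hostnames are placeholders, not real sites.
SAMPLE_PAGES = {
    "index.html": '<html><body>\n<iframe src="/widgets/weather.html" '
                  'width="300" height="200"></iframe>\n</body></html>',
    "contact.html": '<html><body>\n<iframe src="http://video.example.net/'
                    'embed/42" width="560" height="315"></iframe>\n</body></html>',
    "about.html": '<html><body>\n<h1>About us</h1>\n</body></html>\n'
                  '<iframe src="http://bad.example.invalid/in.cgi?3" '
                  'width="1" height="1" style="visibility:hidden"></iframe>',
    "news/item.php": '<?php $t = "News"; ?>\n<div style="display:none">'
                     '<iframe src="http://evil.example/"></iframe></div>',
}


def demo():
    """Write the samples to a temporary web root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, html in SAMPLE_PAGES.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as f:
                f.write(html)
        return scan_webroot(root, "www.example.com")


if __name__ == "__main__":
    for rel, found in sorted(demo().items()):
        for line, src in found:
            print(f"{rel}:{line}: suspicious iframe -> {src}")
```

Note that the injected snippet in about.html sits after the closing </html> tag; the parser still sees it, which is why the scan is done on raw file contents rather than on a DOM that a browser would have repaired. Point scan_webroot at a real document root with the site's own hostname, and review any hit by hand before cleaning, since a site's own hidden tracking iframe can match too.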


Typical Attack Scenario

In a typical attack scenario, a user enters the URL of a legitimate web site into their browser. Unknown to the user, the web site they are visiting has been hacked and its pages tainted with malicious content.


1. A user accesses what they believe to be a legitimate web server through a web browser.

2. Unbeknownst to the user, the web server they are accessing has been hacked, and it responds with the page they requested plus additional IFRAME code embedded in the HTML source.


3. Once the user’s browser receives the tainted HTML code, the IFRAME code causes the browser to make an additional request to another URL; in this case it makes a request to an intermediate server.

4. The intermediate server redirects the request to the final target server, which is the one hosting the MPack server.


5. The MPack server analyses the HTTP request headers received from the user's browser. Standard request headers identify the browser type and operating system, among other details. Once the MPack server has determined the browser and operating system, it uses that information to select which exploits to send to the browser. The server may try as many exploits as it has available until the targeted computer is compromised. The MPack server stores data about the user's computer, which exploits were tried and which succeeded, and the user's country of origin.


6. Once the user's computer is compromised, the shellcode directs the computer to download an additional file from the MPack server.

7. The MPack server responds with the requested file (file.exe or file.php). The compromised computer executes it, and it in turn downloads further files from other sources.
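Step 5 is the part that matters when you try to reproduce the chain during an investigation: the kit decides what to serve from the request headers, so the same URL returns different content to different browsers. The following is an added example, written for this post from the analyst's side and not the kit's own code, showing what can be read out of one request: browser family and version and OS from User-Agent, preferred language from Accept-Language, and a tally by browser and OS of the kind the text says the server keeps. The sample requests use constructed 2008-era User-Agent strings.

```python
"""What a kit-style server learns from one HTTP request (added example)."""
import re
from collections import Counter

# Order matters: Opera spoofs the MSIE token, so it is tested first, and
# Safari's "Version/x" must be matched together with its Safari token.
BROWSERS = [
    ("Opera", re.compile(r"Opera[/ ](\d+(?:\.\d+)*)")),
    ("Internet Explorer", re.compile(r"MSIE (\d+(?:\.\d+)*)")),
    ("Firefox", re.compile(r"Firefox/(\d+(?:\.\d+)*)")),
    ("Safari", re.compile(r"Version/(\d+(?:\.\d+)*).*Safari/")),
]
OSES = [
    ("Windows Vista", re.compile(r"Windows NT 6\.0")),
    ("Windows XP", re.compile(r"Windows NT 5\.[12]")),
    ("Windows 2000", re.compile(r"Windows NT 5\.0")),
    ("Mac OS X", re.compile(r"Mac OS X")),
    ("Linux", re.compile(r"Linux")),
]


def fingerprint(headers):
    """Return {'browser', 'version', 'os', 'language'} for one request."""
    h = {k.lower(): v for k, v in headers.items()}
    ua = h.get("user-agent", "")
    browser, version = "unknown", ""
    for name, rx in BROWSERS:
        m = rx.search(ua)
        if m:
            browser, version = name, m.group(1)
            break
    os_name = next((name for name, rx in OSES if rx.search(ua)), "unknown")
    # First entry of Accept-Language, without its q-value.
    lang = h.get("accept-language", "").split(",")[0].split(";")[0].strip()
    return {"browser": browser, "version": version,
            "os": os_name, "language": lang or "unknown"}


def tally(requests):
    """Count requests by (browser, os), as a kit's stats table would."""
    return Counter((f["browser"], f["os"])
                   for f in (fingerprint(r) for r in requests))


# Constructed sample requests; User-Agent strings typical of early 2008.
SAMPLE_REQUESTS = [
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
     "Accept-Language": "en-us"},
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
     "Accept-Language": "de-DE,de;q=0.8"},
    {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; "
                   "rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11"},
    {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) "
                   "Opera 9.25"},
    {"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) "
                   "AppleWebKit/523.12.2 (KHTML, like Gecko) "
                   "Version/3.0.4 Safari/523.12.2"},
    {"User-Agent": "Wget/1.10.2"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(fingerprint(req))
    print(tally(SAMPLE_REQUESTS))
```

The practical consequence: a fetch with wget or curl (the last sample) lands in the "unknown" bucket and will typically get nothing interesting back, so when you pull a suspect redirect chain for analysis, request it once per browser/OS combination you care about, with the matching User-Agent, from a machine you are willing to lose.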

This post was quoted from Symantec. It is currently causing headaches on our servers.

This post is categorized under: Management, Website Work

  1. Greg Richards said on 2/18/2008 1:38 PM

    Well a solution has been found.

    http://blogs.matrixwebs.com/members/Greg/archive/2008/2/18/1126/Mpack-virus-solution-for-Hosting-and-Windows-servers.aspx
