Mpack packs punch in Italy

Posted by   Virus Bulletin on   Jun 19, 2007

10,000 sites carrying exploits in large-scale attack.

Sophisticated remote-exploit attack kit 'Mpack' has been spotted in use in increasingly large numbers throughout Europe, with Italy by far the most seriously affected, in an attack of almost unprecedented scale and virulence. First spotted over the weekend, the number of compromised sites carrying the malicious attacks has risen, according to several reports, to over 10,000 sites worldwide, with the vast majority based in Italy.

The Mpack toolkit, which has been available on the black market for some time, is thought to be in constant development by its Russian creators, with new exploits added as new vulnerabilities are uncovered. The core functionality uses hidden iframes which, when placed on a hacked website, exploit known flaws in operating systems, browsers and other components to allow silent downloads of infected code to vulnerable victim systems. The kit also includes statistical monitoring tools and utilities for designing and creating downloader trojans to target the malware of the user's choice.

'Italy has some history as a playground for highly evolved online threats,' said John Hawes, Technical Consultant at Virus Bulletin. 'Gromozon, a.k.a. Linkoptimizer, which has flared up several times in the last year or so and used similarly complex webs of infection patterns and cross-communications, was also particularly prevalent in Italy. Whatever the reason for this may be, it seems like Italian web users should pay particular attention to the security of their systems, with thorough regimes of patching and solid, multi-layer security software being a necessity in these worrying times.'

Alerts on the outbreak can be found here (from Trend Micro, here (from Symantec) and here (from Websense), while more detailed analysis of Mpack is in a Symantec blog entry here or an in-depth report from PandaLabs here

Posted on 19 June 2007 by Virus Bulletin

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

Didn't come to VB2017? Tell us why!

Virus Bulletin is a company - and a conference - with a mission: to further the research in and facilitate the fight against digital threats. To help us in this mission, we want to hear from those who didn't come to Madrid. What is your impression of…

Montreal will host VB2018

Last week, we announced the full details of VB2018, which will take place 3-5 October 2018 at the Fairmont The Queen Elizabeth hotel in Montreal, Quebec, Canada.

VB2017 preview: Beyond lexical and PDNS (guest blog)

In a special guest blog post, VB2017 Silver sponsor Cisco Umbrella writes about a paper that researchers Dhia Mahjoub and David Rodriguez will present at the conference this Friday.

Avast to present technical details of CCleaner hack at VB2017

The recently discovered malicious CCleaner version has become one of the biggest security stories of 2017. Two researchers from Avast, the company that had recently acquired CCleaner developer Piriform, will share the results of their investigations…

VB2017 preview: Walking in your enemy's shadow: when fourth-party collection becomes attribution hell

We preview the VB2017 paper by Kaspersky Lab researchers Juan Andrés Guerrero-Saade and Costin Raiu on fourth-party collection and its implications for attack attribution.