Mpack packs punch in Italy

Posted by   Virus Bulletin on   Jun 19, 2007

10,000 sites carrying exploits in large-scale attack.

Sophisticated remote-exploit attack kit 'Mpack' has been spotted in use in increasingly large numbers throughout Europe, with Italy by far the most seriously affected, in an attack of almost unprecedented scale and virulence. First spotted over the weekend, the number of compromised sites carrying the malicious attacks has risen, according to several reports, to over 10,000 sites worldwide, with the vast majority based in Italy.

The Mpack toolkit, which has been available on the black market for some time, is thought to be in constant development by its Russian creators, with new exploits added as new vulnerabilities are uncovered. The core functionality uses hidden iframes which, when placed on a hacked website, exploit known flaws in operating systems, browsers and other components to allow silent downloads of infected code to vulnerable victim systems. The kit also includes statistical monitoring tools and utilities for designing and creating downloader trojans to target the malware of the user's choice.

'Italy has some history as a playground for highly evolved online threats,' said John Hawes, Technical Consultant at Virus Bulletin. 'Gromozon, a.k.a. Linkoptimizer, which has flared up several times in the last year or so and used similarly complex webs of infection patterns and cross-communications, was also particularly prevalent in Italy. Whatever the reason for this may be, it seems like Italian web users should pay particular attention to the security of their systems, with thorough regimes of patching and solid, multi-layer security software being a necessity in these worrying times.'

Alerts on the outbreak can be found here (from Trend Micro, here (from Symantec) and here (from Websense), while more detailed analysis of Mpack is in a Symantec blog entry here or an in-depth report from PandaLabs here

Posted on 19 June 2007 by Virus Bulletin

twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

 

Latest posts:

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

New article: Dissecting the design and vulnerabilities in AZORult C&C panels

In a new article, Aditya K Sood looks at the command-and-control (C&C) design of the AZORult malware, discussing his team's findings related to the C&C design and some security issues they identified.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.