Mpack Exploit Tool Slips through Security Holes

Researchers have been charting the rise in threats created by a new software exploit tool known as "Mpack," a virtual attack kit designed to be embedded in hacked or malicious Web sites. It targets security holes in multiple software products, including Apple's QuickTime media player, and outdated Windows plug-ins for Mozilla's Firefox and Opera Web browsers.

Security Fix constantly nags readers to apply software security updates. I badger you about patches for Microsoft Windows machines and about fixes for the applications that run on top of the operating system. This new attack, now being closely tracked by security researchers, serves as a chilling reminder of how important it is to secure these third-party applications.

The tool has been spotted on more than 10,000 Web sites, according to Internet security firm Websense. Users who visit one of these sites without the protection afforded by the latest patches for those programs may be hit with a silent download that tries to steal financial and personal data from the victim's machine.

Many of the sites hosting the malicious program are legitimate sites that have been hacked. Security vendor TrendMicro says it has identified more than 1,100 legitimate sites that are serving up the exploit code. TrendMicro reports that initially, the primary targets were English-language Italian sites, but that attackers increasingly are targeting sites in the United States and elsewhere.

Mpack is another one of these toolkits enabling the attackers to manipulate infected machines through a spiffy, Web-based interface. Some other facts about Mpack illustrate just how brazen and organized the e-crime software business has become. According to detailed analysis by researchers at anti-virus maker Panda Software, the toolkit is being sold on Russian e-crime forums for roughly $700, includes a year's worth of free software support, and is guaranteed to bypass all anti-virus programs at the time of purchase. Extra exploit modules can be purchased for prices ranging from $50 to $150.

By Brian Krebs  |  June 18, 2007; 4:15 PM ET
Categories:  Fraud , Latest Warnings , New Patches , Safety Tips  

Comments

Symantec was talking about this attack days ago... why the sudden interest by Trend, Websense, et al?

http://www.symantec.com/enterprise/security_response/weblog/2007/06/italy_under_attack_mpack_gang.html

Posted by: Hmmm... | June 18, 2007 6:38 PM | Report abuse

Does anyone know the primary attack method for placing the MPack iframe on legitimate sites? I assume cross-site scripting, but if it is something else, it would help if someone mentioned it so site managers know what to look for.

Posted by: Matt | June 19, 2007 9:28 AM | Report abuse

Matt -- I will ask. But for now I'm putting my money on file-inclusion attacks, via insecure .asp and .php pages/scripts.

Posted by: Bk | June 19, 2007 10:46 AM | Report abuse
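One concrete check a site manager could run for the injected iframes Matt asks about: scan served pages for frames that are effectively invisible or that pull content from another host. This is an added example, not code from the column or the commenters, and it assumes the injected frame is hidden by size or CSS and points off-site, which the thread does not state; the sample page is constructed.

```python
"""Flag <iframe> tags a site owner probably did not put there.

Added example (not from the article or its comments). Heuristics assumed:
an injected frame is often 0/1 pixel in size, hidden via CSS, or loads
from a host other than the site's own. SAMPLE below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = ("display:none", "visibility:hidden")


def _is_tiny(value):
    """True for width/height values of 0 or 1, with or without 'px'."""
    if value is None:
        return False
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2]
    return digits.isdigit() and int(digits) <= 1


class IframeFinder(HTMLParser):
    """Collects each <iframe> together with the reasons it looks suspicious."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("tiny")
        style = (a.get("style") or "").replace(" ", "").lower()
        if any(h in style for h in HIDDEN_CSS):
            reasons.append("hidden")
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if host and host != self.own_host:
            reasons.append("external:" + host)
        if reasons:
            self.findings.append((a.get("src") or "", reasons))


def find_suspicious_iframes(html, own_host):
    """Return [(src, [reasons])] for iframes worth a site manager's look."""
    finder = IframeFinder(own_host)
    finder.feed(html)
    return finder.findings


# Constructed sample: one legitimate same-site embed, one injected-looking frame.
SAMPLE = """<html><body><h1>Welcome</h1>
<iframe src="http://www.example.org/video" width="400" height="300"></iframe>
<iframe src="http://attacker.invalid/in.cgi" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_suspicious_iframes(SAMPLE, "www.example.org"):
        print(src, why)
```

Run it over the HTML your server actually returns (not the files on disk), since an include-time injection may only appear in the rendered output.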

If the user is not running at administrator level, but has restricted privileges (as advised in previous columns), is this exploit still a threat?

Posted by: Bob | June 19, 2007 11:30 AM | Report abuse

@Bob

Running as a non-admin will provide some level of protection as many exploits are written with the assumption the user is an administrator. That may change over time though with the introduction of Windows Vista.

The key is a layered defense (defense in depth). Not only run as a non-admin for daily use, but as the article states, ensure ALL software is fully patched. Other layers include a firewall (preferably a hardware firewall at the perimeter and a software firewall on each computer), good antivirus software that is configured to update itself DAILY, and practice safe computing (ex. use caution with e-mail attachments, don't click on links in e-mail, browse wisely, etc.) Also, don't forget to backup your data to external media (CD-R, DVD-R, external hard drive, etc.) in the event of a hardware failure or severe system compromise.

The bad guys have their tools, but we do too. Don't be afraid to learn and use them!

Posted by: TJ | June 19, 2007 11:28 PM | Report abuse

Mac OS-X, Linux, FreeBSD, and OpenBSD are all immune to this.

Posted by: hhhobbit | June 21, 2007 4:45 AM | Report abuse

There is one more level to secure Windows. It is called Process Guard and automatically denies unknown processes, an award-winning software.
Also a powerful IDS called System Safety Monitor. These two combined with anti-virus and firewall make you almost unbreakable.

Posted by: xaralampos C | June 21, 2007 5:14 AM | Report abuse

FYI...

- http://isc.sans.org/diary.html?storyid=3015
Last Updated: 2007-06-20 21:42:28 UTC ~ "...Earlier today VeriSign/iDefense released some pretty good analysis of how it works...
'...Exploits range from the recent animated cursor (ANI) to QuickTime exploitation. The latest version of mPack, .90, includes the following exploits:
MS06-014
MS06-006
MS06-044
MS06-071
MS06-057
WinZip ActiveX overflow
QuickTime overflow
MS07-017...' "

(Complete analysis at the URL above.)


Posted by: J. Warren | June 21, 2007 7:47 AM | Report abuse

Certain early versions of WinZip 10 are affected, but not 9 or 11. QuickTime 7 players with a version number less than 7.1.3.191 are affected. Please see the Microsoft OS vulnerabilities listed above. What can you do about it? You need to be vigilant about keeping not just the OS and Office/Outlook patched, but also all media players, readers, and other system add-ons. If you need help packing up these fixes for your company, then the folks at sharpebusinesssolutions.com can help you out. They even have a fully automated way to upgrade Symantec Antivirus agents to the latest version for both workstations and servers.

Posted by: SysAdmin | July 3, 2007 11:16 AM | Report abuse

Certain early versions of WinZip 10 are affected, but not 9 or 11. QuickTime 7 players with a version number less than 7.1.3.191 are affected. Please see the Microsoft OS vulnerabilities listed above. What can you do about it? You need to be vigilant about keeping not just the OS and Office/Outlook patched, but also all media players, readers, and other system add-ons. If you need help packaging up these fixes for an automated software deployment across a company, then the folks at sharpebusinesssolutions.com can help you out. They even have a fully automated way to upgrade Symantec Antivirus agents to the latest version for both workstations and servers.

Posted by: SysAdmin | July 3, 2007 11:18 AM | Report abuse

The comments to this entry are closed.

 
 
© 2010 The Washington Post Company