MPack It Up
We asked Microsoft to advise customers about the MPack Trojan, which is loose on the Web and spreading. Here it is.
First, a recap: Trend Micro reported that the Trojan had infected as many as 3,000-plus Web sites as of yesterday. Websense put the number at more than 10,000. A local PC infection can occur from merely visiting one of the affected Web sites.
However, the infection is spreading.
"The majority of these [infection] reports center on Web sites being hosted on servers in Italy, but there are indications that Web sites in Germany, Brazil and Japan may also be impacted," a Microsoft spokesperson explained in an e-mail responding to a Microsoft Watch request.
Microsoft is conducting its own investigation, and, when completed, the company "will take the appropriate action to address this issue."
The company basically offers proactive and reactive guidance.
"Microsoft continues to encourage customers to follow all of the steps of the 'Protect Your PC' guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software," the spokesperson said.
North American customers suspecting infection can obtain free Microsoft security support by calling 1-866-PCSAFETY. The spokesperson also encouraged contacting the FBI.
This Trojan is particularly insidious because what people might consider to be safe Web sites can infect their computers. Victims aren't necessarily visiting bad Internet neighborhoods.
The attack uses an iframe, or inline frame, to redirect end-user PCs to an IP address that delivers the malware payload. Isn't the iframe oh-so 1990s Web design? I detest inline frames, and MPack gives me one more reason to.
Over at the Symantec Security Response Weblog, Amado Hidalgo asked the obvious question of how the infection spread so quickly. He writes:
"The MPack gang appears to be using an iframe Manager tool to automate the task on a large scale. This is basically an FTP updater client, written in PHP language, that runs on a webserver with MySQL as back-end. It takes as input a list of Website administrator accounts (possibly obtained in the black market). It then periodically checks the home pages of those sites to inject a chosen iframe into their code."
Hidalgo explains that the iframe tool is designed with ease of use for hacking groups in mind. The tool is insidious. He writes:
"To maximize the return-on-investment, the tool can check the Google PageRank for the potential Websites before injecting the iframe, allowing you to select any number of sites with a certain PageRank in a certain country. Furthermore, the tool can be left running and will cycle through the list of sites and re-inject the iframe, should the pages have been cleaned by the site administrator."
Compromised sites must do more than clean up their code, because the iframe tool can automatically re-inject the iframe later on. The site administrator's credentials must be changed to prevent further compromise.
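The two points above (a hidden iframe pointing at a raw IP address, and a tool that quietly puts it back after cleanup) suggest what a site administrator can watch for. The following is an added example, not code from this article, from Symantec or from Microsoft: a small monitor that scans a page for iframes that are hidden or zero-size, point at a raw IP address, or point off-site, and compares the page against a known-good fingerprint so a re-injection shows up as drift. The hostnames (www.example.com, 192.0.2.10) and the two sample pages are constructed for the example.

```python
import hashlib
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden_or_zero_size(attrs):
    """True for width/height of 0-1 px or an inline style that hides the frame."""
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().rstrip("px").strip()
        if value.isdigit() and int(value) <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _src_is_raw_ip(src):
    """True when the iframe src host is a bare IPv4/IPv6 address, not a name."""
    host = urlparse(src).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_iframes(html, own_hosts):
    """Return (src, reason) pairs for iframes that look injected."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if _is_hidden_or_zero_size(attrs):
            reasons.append("hidden or zero-size frame")
        if _src_is_raw_ip(src):
            reasons.append("src points to a raw IP address")
        elif host and host not in own_hosts:
            reasons.append("src points off-site")
        if reasons:
            findings.append((src, "; ".join(reasons)))
    return findings


def page_fingerprint(html):
    """SHA-256 of the page as served; store it when the page is known clean."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def check_page(html, baseline_fingerprint, own_hosts):
    """Report content drift against the clean baseline plus iframe heuristics."""
    return {
        "changed": page_fingerprint(html) != baseline_fingerprint,
        "suspicious_iframes": find_suspicious_iframes(html, own_hosts),
    }


# Constructed sample data (hypothetical site and documentation-range IP).
OWN_HOSTS = {"www.example.com"}
CLEAN_PAGE = (
    "<html><body><h1>Welcome</h1>"
    '<iframe src="https://www.example.com/ads.html" width="300" height="250"></iframe>'
    "</body></html>"
)
# Same page with a zero-size frame appended, as the injector would do.
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", '<iframe src="http://192.0.2.10/" width="0" height="0"></iframe></body>'
)
BASELINE = page_fingerprint(CLEAN_PAGE)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, check_page(page, BASELINE, OWN_HOSTS))
```

Run it periodically against each page on the site; a `changed` result with no suspicious iframes means a legitimate edit (re-baseline it), while a hit from `find_suspicious_iframes` after a cleanup is the signal that the injector is still running with valid credentials, which is exactly when the admin password needs changing rather than the page.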
While waiting for Microsoft's response, Web site designers might want to consider doing away with inline frames. Hey, it's just a suggestion.
Editor's Note: Story updated with corrected number of affected sites.


Comments (12)
Nice article, Joe. In case anyone is wondering if Vista is affected:
http://www.crn.com/software/199701019?pgno=2
I quote from that article, on XP and Vista:
"[T]he MPack tool is used by hackers on PHP sites to pass code to unsuspecting users' PCs. Exploits using the MPack tool became known late last year.
MPack poses a serious threat because the code is typically passed through a malformed home page. When left undetected, hackers can use MPack to pass trojans or just about any code they wish. In addition, two sites were tested that had the Neosploit malware tool, which carries several distinct exploits. Both OSes failed to detect the MPack and Neosploit signatures on all the malicious sites that had it."
It's becoming clearer that M$ Vista "most secure OS" is a bust. I still dual boot XP and Linux these days, but use XP less and less. So far Linux is completely secure on the internet. It may not always be that way, but for now it is.
Thanks again, Joe, for all the informative news.
Posted by chips b malroy | June 19, 2007 8:12 PM
I use the Opera web browser. Would this be vulnerable too, or is this an IE vulnerability?
Thanks
Posted by Phil Deets | June 19, 2007 8:23 PM
What should you do about this? For end users, keep your endpoints patched and antivirus up-to-date. For Symantec users, there is a good article at sharpebusinesssolutions.com/savce_upgrade.htm describing how to keep SAV agents healthy and under support. For admins of affected web sites, a simple clean-up of the page is not sufficient - your site administrator's credentials need to be changed. There are easy-to-use tools available for MPack to use to reinfect your sites even after you have manually cleaned them up. These automated tools are being fed lists of compromised site admin usernames and passwords, so make sure that you put a strong password on your site admin account.
Posted by SysAdmin | June 20, 2007 12:48 AM
These will help you understand
http://vcsy.blogspot.com/
• Vertical Computer Systems, Inc. Files Patent Infringement Lawsuit Against Microsoft Corporation
PR Newswire (Fri, Apr 20)
• Now Solutions Successfully Resolves Its Lawsuit Against Ross Systems
PrimeNewswire (Wed, Apr 18)
http://ragingbull.quote.com/mboard/boards.cgi?board=VCSY&read=187749
Posted by B.Clanton | June 20, 2007 1:28 AM
"written in PHP language, that runs on a webserver with MySQL as back-end"
Wait a minute - does that mean that this infects non-IIS servers?
Posted by gbush | June 20, 2007 8:21 AM
Why I switched to a Mac: I cannot trust using the internet with XP or Vista.
Posted by John Dobbs | June 20, 2007 8:48 AM
The anti-virus companies are just f**king pathetic - NONE of the reports mention what the operating systems of the infected web servers are.
Right now, I have no clue if it's an IIS-on-Windows or Apache-on-Linux issue.
Posted by bemused | June 20, 2007 8:53 AM
An Italian blog is reporting that all of the compromised servers are IIS 6.0/Windows 2003 servers:
http://www.tweakness.net/index.php?topic=3795
"In all the cases seen so far, the compromised servers appear to be running IIS/6.0 on Windows Server 2003"
Posted by justinf | June 20, 2007 10:43 AM
"'The majority of these [infection] reports center on Web sites being hosted on servers in Italy, but there are indications that Web sites in Germany, Brazil and Japan may also be impacted,' a Microsoft spokesperson explained in an e-mail responding to a Microsoft Watch request.
Microsoft is conducting its own investigation, and, when completed, the company 'will take the appropriate action to address this issue.'"
Makes it sound like an MS problem.
"While waiting for Microsoft's response, Web site designers might want to consider doing away with inline frames. Hey, it's just a suggestion."
Also makes it sound like an MS problem.
Not to mention that only Microsoft products seem to be able to be infected in the end-user arena - gotta love drive-by downloads. (sarcasm)
Any clarification for us Apache/*nix setup admins would be nice.
Posted by Jay.Miller | June 20, 2007 12:14 PM
If you understand Italian:
http://www.tweakness.net/index.php?topic=3795
Aruba is an important Italian hoster: it seems that all the infected Aruba servers run IIS/6.0 on Windows Server 2003.
Panda Software published a PDF about MPack:
http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf
Vulnerabilities used:
* Internet Explorer (MDAC) Remote Code Execution Exploit - MS06-014
* Vulnerability in Vector Markup Language Could Allow Remote Code Execution - MS06-055
* and so on...
The screenshot you can find here:
http://blog.trendmicro.com/another-malware-pulls-an-italian-job/
is from an Italian web site: ASP technology on Microsoft-IIS/6.0 (Aruba).
Posted by Tito Brasolin | June 20, 2007 2:46 PM
The exploit is a Windows problem. The websites hosting the exploit could be anything. The people posting the exploits to the websites are using harvested user/password info. Again, the OS of the web server is not an issue here.
Posted by Larry Offley | June 20, 2007 3:31 PM