world war E
dispatches from the network society

malware blitz on italy

Reports are surfacing of large-scale attacks on Italian web servers using commercial malware software apparently sold by a Russian gang. Ars Technica explains:

Currently at version 0.86, MPack provides would-be malware installers with a complete package that can be installed on any web server that runs PHP with an SQL database. The owners of MPack have been selling it to other criminal organizations for between $700 and $1,000 a pop, with additional exploit modules available for between $50 and $150. For an additional $30, the MPack owners will include a feature that helps prevent the malware from being detected by antivirus programs.

Once MPack is installed, the attackers need to compromise popular web sites (as was done in the Italian attack) in order to inject IFRAME code. The site’s HTML files do not need to be directly compromised, as the code is added dynamically when the page is sent by the server—this makes it less likely that web site owners will notice that anything suspicious is going on.

The IFRAME code then adds a request to the MPack server itself, which analyzes the HTTP request header received from the user’s web browser. It uses this information to determine which exploit it will try to use against the user. The MPack server stores data about which exploits have been tried and which were successful, and even provides the attacker with a handy “management console” to keep track of how many hosts have been compromised. MPack was first discovered for sale in a Russian forum in December 2006, and the security firm PandaLabs has provided a detailed analysis (PDF) on its web site.
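Because the IFRAME is appended at serve time rather than written into the HTML files, a useful defender check is to compare the page the server actually returns with the copy on disk and flag any off-site or invisible iframes that only appear in the served version. The script below is an added example (not code from this post, Ars Technica, or MPack); the HTML snippets and the hostnames `www.example.it` and `malware-host.example` are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html, site_host):
    """Return src values of iframes that point off-site or are sized/styled to be invisible."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        # A relative src has no hostname and is treated as same-site.
        src_host = urlparse(src).hostname or site_host
        tiny = frame.get("width", "").strip() in ("0", "1") or frame.get("height", "").strip() in ("0", "1")
        hidden = re.search(r"visibility\s*:\s*hidden|display\s*:\s*none", frame.get("style", ""), re.I)
        if src_host != site_host or tiny or hidden:
            flagged.append(src)
    return flagged


def injected_on_serve(on_disk_html, served_html, site_host):
    """Suspicious iframes present in the served page but absent from the file on disk."""
    return [src for src in suspicious_iframes(served_html, site_host) if src not in on_disk_html]


# Constructed sample: the file on disk carries one legitimate same-site iframe.
ON_DISK_HTML = """<html><body><h1>Benvenuti</h1>
<iframe src="/embed/map.html" width="600" height="400"></iframe>
</body></html>"""

# Constructed sample: the served copy has a zero-sized off-site iframe appended at delivery time.
SERVED_HTML = ON_DISK_HTML.replace(
    "</body>",
    '<iframe src="http://malware-host.example/index.php" width="0" height="0"></iframe>\n</body>',
)

if __name__ == "__main__":
    print(injected_on_serve(ON_DISK_HTML, SERVED_HTML, "www.example.it"))
```

Comparing against the on-disk file only catches content added by the web server or its PHP layer at delivery time; comparing against a known-good copy kept off the server also catches files that were modified directly.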
