Business model based on the malicious MPack tool
PandaLabs has discovered the new 0.90 version of the malicious tool Mpack, available for US$1000 on the Web. This application could be defined as “a kit for installing malware through exploits”, as it can detect and download exploits for numerous security holes.
The cyber-crooks even offer one year’s free support to those buying this version. Hackers that want to update Mpack with new exploits can buy them for between $50 and $150 per exploit.
The infection process starts with a hacker accessing a web page and adding an iframe reference pointing to the server with Mpack installed. If a user then visits one of these pages, the iframe executes the Mpack index. This then searches for vulnerabilities on the user’s computer. If it detects one, it downloads the corresponding exploit.
The PandaLabs study confirms that there could be as many as 350,000 affected Web pages active at the moment.
The exploit, once it reaches a computer, is run and compiles data about the infected computer (browser, operating system, etc.). This information is then sent to and stored on a server. PandaLabs has located 41 servers receiving this data. From these servers the cyber-crooks can generate statistics about the type of operating system or Web browser on affected systems or the number of infections in a given area.
Hackers use a number of techniques to get users to visit the pages, including spam, using trick domains (e.g. gookle, instead of google,) or infecting pages that already receive numerous visits.
PandaLabs has published a complete study of Mpack.