MPack Analysis

Published: 2007-06-20
Last Updated: 2007-06-20 21:42:28 UTC
by Marcus Sachs (Version: 1)
0 comment(s)

We mentioned a large MPack compromise in a diary two days ago.  Since then we've been accumulating more information about what is going on behind the scenes.  Earlier today VeriSign/iDefense released some pretty good analysis of how it works, what the value of it is, and other goodies.  This summary does not exist online but has been spread via email to the media and other outlets.  Rather than trying to summarize it, iDefense gave the Internet Storm Center permission to reprint it in its entirety.  Thanks, iDefense!

Greetings All,

MPack is the latest and greatest tool for sale on the Russian Underground.  $ash sells MPack for around $500-1,000. In a recent posting $ash attempted to sell a "loader" for $300 and a kit for $1,000. The author claims that attacks are 45-50 percent successful, including the animated cursor exploit and many others, including ANI overflow, MS06-014, MS06-006, MS06-044, XML Overflow, WebViewFolderIcon Overflow, WinZip ActiveX Overflow, QuickTime Overflow (all these are $ash names for exploits). Attacks from MPack , aka WebAttacker II, date back to October 2006 and account for roughly 10 percent of web based exploitation today according to one public source.

More than 10,000 referral domains exist in a recent MPack attack, largely successful MPack attack in Italy, compromising at least 80,000 unique IP addresses. It is likely that cPanel exploitation took place on host provider leading to injected iFrames on domains hosted on the server. When a legitimate page with a hostile iFrame is loaded the tool silently redirects the victim in an iFrame to an exploit page crafted by MPack. This exploit page, in a very controlled manner, executes exploits until exploitation is successful, and then installs malicious code of the attacker's choice.

Torpig is one of the known payloads for MPack attacks to date. This code relates back to the Russian Business Network (RBN), through which many Internet-based attacks take place today. The RBN is a virtual safe house for attacks out of Saint Petersburg, Russia, responsible for Torpig and other malicious code attacks, phishing attacks, child pornography and other illicit operations. The Italian hosts responsible for most of the domains seen in a recent MPack attack are using cPanel, a Web administration tool for clients.  A zero-day cPanel attack took place in the fall of 2006 leading up to the large scale vector mark-up language (VML) attacks at that time.  It appears likely that the Russian authors of the cPanel exploit,, who are also related to the RBN used the exploit to compromise the Italian ISP and referral domains used in the latest mPack attack.

MPack uses a command and control website interface for reporting of MPack success. A JPEG screenshot of a recent attack is attached to this message.


1.  MPack is a powerful Web exploitation tool that claims about 50 percent success in attacks silently launched against Web browsers.

2. $ash is the primary Russian actor attempting to sell mPack on the underground, for about $1,000 for the complete MPack kit.

3. MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers. Exploits range from the recent animated cursor (ANI) to QuickTime exploitation.  The latest version of mPack, .90, includes the following exploits: 

          WinZip ActiveX overflow
          QuickTime overflow

4. The Russian Business Network (RBN) is one of the most notorious criminal groups on the Internet today.  A recent MPack attack installed Torpig malicious code hosted on an RBN server.  RBN is closely tied to multiple attacks including cPanel exploitation, VML, phishing, child pornography, Torpig, Rustock, and many other criminal attacks to date.  Nothing good ever comes out of the Russian Business Network net block.

5. MPack attacks experience high success, according to attack log files analyzed by VeriSign-iDefense.  In just a few hours more than 2,000 new victims reported to an MPack command and control website.  A recent attack, largely focused in the area of Italy, involved more than 80,000 unique IPs.

Ken Dunham
Senior Engineer
Director of the Rapid Response Team

Marcus H. Sachs
Director, SANS Internet Storm Center


0 comment(s)


Diary Archives