SANS Internet Storm Center
Massive MPACK Compromise

If you're confused and thinking of the MIME packer at this point, then
you haven't heard of "the other" mpack.  Let me introduce you to the
relatively new kid on the block.  MPACK is a tool that was first
discovered in December of 2006 by PandaLabs.

It's a PHP-based application designed to run on a server.  With it
come several different exploits (you can buy new ones to add on)
which can be used to compromise a user's system based on what they are
running.  There are different methods to get a user to access the
compromised server.  One of the more popular methods being used right
now is an IFRAME.  Websites are compromised and IFRAMEs are placed on
the sites pointing to the MPACK server.
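As an added example (not part of the original diary), the scanner below flags the injected-IFRAME pattern just described: frames on a page that pull content from a third-party host while being tiny or hidden. The host name kit.example.invalid and the sample HTML are constructed placeholders; the diary names no MPACK server.

```python
# Added example, not from the ISC diary: flag hidden or tiny IFRAMEs that
# point off-site, the pattern used to route victims to an exploit-kit server.
# Standard library only.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page; kit.example.invalid stands in for the kit host.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="/help/embedded.html" width="600" height="400"></iframe>
<iframe src="http://kit.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag with its attributes."""
    def __init__(self):
        super().__init__()
        self.frames = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or percent)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def suspicious_iframes(html, site_host):
    """Return (src, reasons) for iframes that are off-site AND tiny or hidden."""
    p = IframeCollector()
    p.feed(html)
    hits = []
    for f in p.frames:
        src = f.get("src", "")
        host = urlparse(src).hostname  # None for relative URLs
        reasons = []
        if host and host != site_host:
            reasons.append("offsite:" + host)
        if _tiny(f.get("width")) or _tiny(f.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(f.get("style", "")):
            reasons.append("hidden")
        # Same-host tracking pixels are common; only off-site + concealment alerts.
        if reasons and reasons[0].startswith("offsite:") and len(reasons) > 1:
            hits.append((src, reasons))
    return hits

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print(src, why)
```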

Another interesting characteristic of this tool is the fact that it has
a database backend.  This allows the tracking of information and
report generation on all the infected systems.  Right now Websense is
reporting that there are over 10,000 compromised systems, all with
IFRAMEs pointing to the MPACK server.

As a side note, keep your eye out for another tool called
DreamDownloader that is usually sold with MPACK.  DreamDownloader is a
dangerous script kiddie toy.  All they have to do is tell the tool the
URL where the file they want downloaded is located, and it creates
an executable (with your choice of packers) that carries out the

For more information, check out these sites:


ISC Handler
Jun 18th 2007