MPack - The Italian Job
Online criminals have recently launched a widespread web attack that turns legitimate websites into weapons, according to security vendors. The attack began late last week and by Monday morning, more than 10,000 Web sites had been compromised, according to security firms Trend Micro Inc. and Websense Inc. 80 percent of the infections are on Italian Web sites.
“Almost all of the Web sites we saw this weekend were in Italy; we were referring to it as ‘Italian Job 3,’ in-house.”
Most of the infected Web sites are legitimate. “These aren’t porn sites, they aren’t gambling sites; they are hotels, fish-and-tackle sites, tourist information,” said David Perry, global director of education with Trend Micro.
Even local Italian government Web sites have been infected, and most of the affected sites are hosted by one of Italy’s largest Web service providers.
Infected Web sites contain a short piece of HTML “iFrame” code that redirects the victim’s Web browser to a server that attempts to infect the victim’s computer using a tool called “MPack”.
MPack is a piece of code written in PHP, usually hosted on a victim’s server. It uses a variety of exploits and automatically chooses which exploits are needed on each target computer. MPack’s creators call themselves “Dream Coders Team”.
I am a Filipino Web Developer, focusing on PHP in the LAMP framework. As a kid, I spent a lot of my time exploring computers and computer games from Atari to PS, from the Intel 80286 to the Core Duo. I am happily married, with two kids. Currently working in Japan as an IT Engineer.
June 20th, 2007 at 8:06 pm
What can you do to protect yourself? For end users, keep your endpoints patched and antivirus up-to-date. For Symantec users, there is a good article at sharpebusinesssolutions.com/savce_upgrade.htm describing how to keep SAV agents healthy and under support. For admins of affected web sites, a simple clean-up of the page is not sufficient - your site administrator’s credentials need to be changed. There are easy-to-use tools available for MPack to use to reinfect your sites even after you have manually cleaned them up. These automated tools are being fed lists of compromised site admin usernames and passwords, so make sure that you put a strong password on your site admin account.