Professional Exploit Kits: A Brief Analysis of MPack
In recent months MPack has generated quite a buzz within the security community, causing web-based exploit toolkits to be identified by many as a new "emerging threat". Before you go out and buy the MPack-specific protection that security vendors will start selling (similar to the botnet-specific protection offered by some vendors), let us help set the record straight on how these exploit kits are used and what needs to be done to protect against them.
Motive and Market
In recent years, computer exploitation has shifted from a hobby and occasional espionage use to full-fledged, money-driven cybercrime. Credit card and identity thieves have developed large networks for converting raw confidential information into profit. Furthermore, bot-herders have become quite creative (see: BOTNETS: THE TRUE PROTECTION IS PREVENTION AND KNOWLEDGE) in "renting" out their botnet time for cyber-extortion and massive spamming campaigns, which turns quite a large profit. This shift in motive has made exploit frameworks much more valuable: it is no longer important to hack a single target for specific information, but rather to exploit as many targets as possible in a "spray-and-pray" manner and harvest the largest possible number of infected hosts, which eventually translates into profit one way or another.
The need for a solid exploit framework has grown directly out of this methodology and has become a lucrative software business. In an interview with SecurityFocus (see: http://www.securityfocus.com/news/11476/), the (claimed) author of MPack describes how it took only 3 months to move MPack from an internal testing tool to a "commercial project". The authors quickly realized the marketability of MPack and began distributing it with all of the classic keywords of legitimate software: reliability, simplicity, support, and updates. The standard rate for MPack with one year of support is approximately $1000 USD, quite a small amount considering the massive profit potential for malicious users. The developer was quoted as saying "It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live...I feel that we are just a factory producing ammunition."
There is little to no learning curve for an attacker to deploy an MPack system once purchased. Installation can be accomplished with minimal effort in 5 minutes, and all of the update modules can be installed with a simple FTP client. For the more experienced attacker, the source code of MPack can easily be modified to add other exploit modules. eEye Research has seen at least two separate MPack servers delivering exploits not included with the standard MPack distribution, leading us to conclude that this framework is used by novice and well-experienced attackers alike.
Exploit Methodology
Before an exploit can be delivered, some social engineering is necessary to entice a victim to visit a malicious website. Sometimes this is accomplished simply by sending an alluring email to a massive list of recipients; other times by compromising a high-traffic website to infect its daily users. Either way, this is the simple part of exploitation. Once a browser connection is made to an MPack server, the exploit is launched.
MPack does not use any mysterious zero-day exploits or other voodoo to compromise systems. It uses simple exploits that have been previously published by other sources and are usually reliable. Exploits have included vulnerabilities in Internet Explorer, Opera, Firefox, and multiple browser plugins that could potentially be loaded within browsers. MPack will sometimes remove and add exploits depending on which vulnerable software seems to be the most widespread. As of version 0.95, the exploits have been for:
MS06-014 - MDAC
MS06-057 - SetSlice
WinZip ActiveX Buffer Overflow (http://www.winzip.com/wz7245.htm)
QuickTime (http://www.milw0rm.com/exploits/3072)
MS07-017 - .ANI
MS06-006 - Media Player Plugin
MS06-044 - MMC
MS07-042 - MS XML
MS06-055 - VML
As is evident from the list, these are hardly new vulnerabilities. However, as a testament to the necessity of client-side vulnerability patching, MPack is still quite successful with these exploits. The authors of MPack modules understand that users and administrators do not always roll out the latest software patches, and they leverage that mistake to infect systems.
To deliver the exploit, MPack first determines the victim's browser type and version. It then serves an exploit specifically designed for that browser and version, as well as for any plugins/ActiveX controls that may be installed. Exploits have all been delivered via JavaScript, which allows the attacker to run exploit code reliably on the remote user's machine. Furthermore, this JavaScript code is "obfuscated", meaning it is mutated to a certain degree so that it is understood only by the JavaScript engine and not by human eyes or by simple IDS signatures looking for specific strings. On top of all of this, a black-listing feature adds a further complication to researching MPack-infected systems. If an MPack server suspects that a researcher or security vendor is making non-infecting connections to it, that "victim" is black-listed from any future requests and a benign response is delivered, ironically exactly what the researcher was hoping not to get.
None of the exploitation techniques performed by MPack are new or innovative. However, they are implemented so reliably that even the most technically unsavvy user can infect a large number of victims.
Payload System
Once a system is exploited using any one of the exploits mentioned above, a binary is downloaded from the same web server and executed on the victim's host. This payload is normally a keylogger or botnet software. The keylogger's primary purpose is to intercept sensitive communication so that the attacker can steal the victim's identity, while the botnet software is used by a bot-herder to add yet another zombie to the command-and-control server. eEye Research has seen mixed use of both payload types, which further explains the marketability of MPack to a wide variety of cybercriminals.
The payloads served by many of the live MPack systems analyzed by eEye Research normally have an approximately 30% detection rate across anti-virus products, and where they were detected it was mostly by behavior-based engines rather than signature-based ones. Furthermore, while re-analyzing an MPack site, eEye Research noticed that the malicious binary had been switched out 3 times within a 24-hour period. Since this is accomplished simply by the MPack administrator overwriting a binary file on the web server, it should be assumed that the malware served from MPack sites can change incredibly fast, making it even more difficult for signature-based AV vendors to keep up, no matter how large they are.
Protection Solutions
With this brief analysis, the tools necessary to protect against MPack and other wide-scale exploit toolkits should be obvious: generic, host-based IPS and anti-virus systems. Generic protection is a necessity because of the rapidly changing exploits, the high degree of exploit manipulation that makes exploits look completely different while remaining just as potent, and the quick replacement of signature-less malware. Furthermore, this protection can only be accomplished locally, since the malicious code can only be parsed by protection engines installed on the host. This could change in the future as network-based IDS systems add JavaScript decryption engines to their devices, but that becomes a cat-and-mouse game in which the developers of exploit toolkits are far more mobile than the large network IDS vendors and able to put out new code much faster.
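As an added illustration (not code from the original article or from eEye), the following Python shows the two points made above about obfuscated JavaScript: a string signature fails against the encoded bytes on the wire but succeeds once a host-side engine sees the decoded script, while structural heuristics (decoder calls plus a high share of encoded literal data) still flag the page before decoding. The sample pages, the signature and the 0.5 threshold are constructed for the demonstration; the encoded literal is only harmless markup.

```python
import re
from urllib.parse import unquote

# Constructed sample pages, not captured from any real MPack server. The second
# hides its markup behind unescape(): the literal is just "<b>demo</b>" percent-encoded.
PLAIN_PAGE = """<html><body><script>
function greet(name) { document.getElementById('out').innerText = 'Hi ' + name; }
greet('reader');
</script><p id="out"></p></body></html>"""

OBFUSCATED_PAGE = """<html><body><script>
var z = "%3C%62%3E%64%65%6D%6F%3C%2F%62%3E";
document.write(unescape(z));
</script></body></html>"""

# Stand-in for a string IDS rule: matches what the browser renders, not the wire bytes.
STRING_SIGNATURE = re.compile(r"<b>demo</b>")
DECODERS = re.compile(r"\b(?:unescape|eval|execScript|String\.fromCharCode)\s*\(")
STRING_LITERALS = re.compile(r'"((?:[^"\\]|\\.)*)"' r"|'((?:[^'\\]|\\.)*)'")
ENCODED_CHAR = re.compile(r"[%\\0-9]")   # percent/backslash escapes and digits

def script_bodies(html: str) -> list:
    """Text of every <script> block in the page."""
    return re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)

def encoded_fraction(body: str) -> float:
    """Share of string-literal characters drawn from an escape alphabet (near 0 for ordinary code)."""
    chars = "".join(a or b for a, b in STRING_LITERALS.findall(body))
    return sum(1 for c in chars if ENCODED_CHAR.match(c)) / len(chars) if chars else 0.0

def analyse(html: str) -> dict:
    """Structural heuristics that survive string mutation: decoder calls plus encoded literals."""
    bodies = script_bodies(html)
    decoders = sum(len(DECODERS.findall(b)) for b in bodies)
    encoded = max((encoded_fraction(b) for b in bodies), default=0.0)
    return {"string_signature_hit": bool(STRING_SIGNATURE.search(html)),
            "decoder_calls": decoders,
            "encoded_fraction": round(encoded, 2),
            "suspicious": decoders > 0 and encoded > 0.5}

def decoded_view(html: str) -> str:
    """What a host-side engine sees after the browser's unescape() has run."""
    return "".join(unquote(a or b) for body in script_bodies(html)
                   for a, b in STRING_LITERALS.findall(body))

if __name__ == "__main__":
    for name, page in (("plain", PLAIN_PAGE), ("obfuscated", OBFUSCATED_PAGE)):
        print(name, analyse(page))
    print("signature after decoding:", bool(STRING_SIGNATURE.search(decoded_view(OBFUSCATED_PAGE))))
```

A real kit can also swap decoders or split the encoded string across variables, which is why the heuristics count any decoder call and measure the literal alphabet rather than matching one pattern.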
There is no need for MPack-specific protection suites to secure your environment. Some host-based security vendors already have the means to protect you from all known MPack exploitation attempts. There are many lame ducks out there who will end up being exploited because they have not installed a solid endpoint protection suite and have not kept up to date on their patching. However, vigilant users who make sure their security software is well adapted to these threats and who also maintain the latest patches from their software vendors will emerge from MPack attacks unscathed.
For more information on how eEye products can be used to thwart MPack attacks, please contact eEye sales.
For more detailed technical information regarding MPack or any other security incidents or trends, please inquire about Preview, the security intelligence offering from eEye Research (services@eeye.com).
Source: Andre Derek Protas, Director of Research and Preview Services