160,000 computers infected with Mpack malware downloader

An exploit detected by NanoScan led PandaLabs on the trail to uncover Mpack, a program used to download malware onto remote computers by exploiting numerous vulnerabilites. Mpack has already been used in several cases. One of the versions that PandaLabs has had access to has been used to infect 160,000 computers.

This data was gathered from the statistics component of the application itself. In addition to the number of infections, this page lets cyber-crooks monitor data about the host attacked, grouping them by operating system or browser. It also rates the efficiency of infections by geographical regions.

This tool is sold through online forums for around $700. With each version, the creators offer one year’s free support.

“Mpack offers the type of features you would expect from a legal application. For example, client updates. These updates, effectively different versions of the application, are actually the exploits needed to take advantage of the latest vulnerabilities discovered. There is normally a new one every month and they cost between $50 and $150,” explains Luis Corrons, Technical Director of PandaLabs.

For another $300, clients are also offered DreamDownloader. This is a tool designed to create downloader Trojans. It works in the following way: The hacker tells DreamDownloader the URL in which the file is hosted (a Trojan, a worm, malware updates, etc.), and the utility automatically generates an executable to download it.

“These two tools are complementary. The first lets you infect a user with the malware you choose. The second lets you create this malware which is also designed to download even more malicious code,” adds Corrons.

Mpack attacks

Mpack infects silently. The cyber-crooks use several techniques to get users to run the malicious code. In the case of Web servers, they usually add an iframe-type reference at the end of the file which loads by default and indicates the index page where the MPack is installed.

Sometimes they use the same hacked site to host MPack or other types of malware. The reason they host malware on third-party servers is in order to cover their tracks.

Another infection technique is to include certain words, generally those commonly used in searches, on the host web pages. This way, when the pages are indexed in search engines, users looking for these words can end up on the page containing Mpack and become infected.

Yet another method is to buy domains with similar names to well-known sites. For example, gookle, which only differs in a character from the famous google browser. Users who wrongly enter a character in the browser name could be infected.

And finally, there is, of course, spam. The emails usually contain links and use social engineering techniques to be run.

The exploit, once it reaches a computer, is run and compiles data about the infected computer (browser, operating system, etc.). This information is then sent to and stored on a server.




Share this