Monday, July 30, 2007

The IcePack Malware Kit in Action

The IcePack is a rather average web-based malware C&C kit compared to, for instance, Black Sun, Cyber Bot, Mpack and, above all, Zunker. Average in terms of the lack of unique features offered, which makes me think it's a hybrid of publicly obtainable stats and exploit-rotation modules.


After providing you with in-depth overviews of the large-scale WebAttacker and Mpack kit attacks in previous posts, in this post I'll showcase the IcePack kit in action. As I've already pointed out in a previous post on the increasing number of malware-embedded sites, malware authors are diversifying their traffic-aggregation approaches: they either exploit the sites themselves or their ISP's CPanel, or use push, pull and passive embedding techniques to achieve their goal.

Listening to your infection? Indeed. In the middle of the month, Brazilian fan sites of popular music bands such as t.A.T.u and Linkin Park got IFRAME-ed, and had their visitors infected with an IcePack loader. Let's assess the URL within the IFRAME appropriately.

URL : hllp://my-loads.info
IP : 203.121.71.165
Response : HTTP/1.1 200 OK
Date: Mon, 30 Jul 2007 01:02:43 GMT
Server: Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.8a PHP/5.2.3 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/5.2.3
Transfer-Encoding: chunked
Content-Type: text/html

Then, we are taken to a not-so-sophisticated obfuscation that points us to the vulnerabilities exploited and the actual binary. Detection rates for the loader so far:

AntiVir 2007.07.28 TR/Crypt.U.Gen
AVG 2007.07.28 Obfustat.AGS
eSafe 2007.07.29 suspicious Trojan/Worm
Ikarus 2007.07.29 Trojan-Downloader.IcePack
McAfee 2007.07.27 New Win32
Panda 2007.07.29 Generic Malware
Sophos 2007.07.26 Mal/HckPk-A
Sunbelt 2007.07.28 Trojan-Downloader.IcePack
Symantec 2007.07.29 Downloader
Webwasher-Gateway 2007.07.29 Trojan.Crypt.U.Gen

File size: 6792 bytes
MD5: ce3291be2ded8b82fc973e5f5473b1fe
SHA1: fcf4cab3ade392c611c95e16c913fbc967577222

More screenshots of the IFRAME are at Finjan's blog, together with a comment on evasive attacks: "The toolkit also uses evasive attack. By blocking specified countries and multiple instances from the same IP address, it minimizes exposure to security vendors." Very true. Re-visiting it, I no longer get exploited.

IcePack kit screenshots courtesy of an IDT Group member while pitching the kit.