In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Monday, July 30, 2007
The IcePack Malware Kit in Action
IcePack is a rather average web-based malware C&C kit compared to, for instance, Black Sun, Cyber Bot, Mpack and, above all, Zunker. Average in the sense that it offers no unique features of its own, which makes me think it is a hybrid of publicly obtainable statistics and exploit-rotation modules.
After the in-depth overviews of the large-scale WebAttacker and Mpack kit attacks in previous posts, in this post I'll showcase the IcePack kit in action. As I've already pointed out in a previous post on the increasing number of malware-embedded sites, malware authors are diversifying their traffic aggregation approaches: they either exploit the sites themselves, go through the ISP's cPanel, or use push, pull and passive embedding techniques to achieve their goal.
Listening to your infection? Indeed. In the middle of the month, Brazilian fan sites of popular bands such as t.A.T.u and Linkin Park got IFRAME-ed and had their visitors infected with an IcePack loader. Let's assess the URL within the IFRAME appropriately.
From there we are taken to a not-so-sophisticated obfuscation layer that reveals the vulnerabilities exploited and the actual binary. Detection rates for the loader so far:
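The injected IFRAMEs on these fan sites are the kind of thing a site owner or responder can hunt for mechanically. The checker below is an added example written for this post, not code from the original post and not part of IcePack itself; it applies a few heuristics (IFRAME pointing at a host other than the page's own, tiny or hidden dimensions, raw IP address as host) to page HTML. The sample page, the host name fansite.example and the IFRAME URL in it are constructed placeholders, not the URL seen in the real attack.

```python
"""Flag injected IFRAMEs of the kind seen on the compromised fan sites.

Added example, not code from the original post or from the IcePack kit.
Heuristics: an IFRAME is suspicious when it points off-site, is effectively
invisible (tiny or hidden via style), or uses a raw IP address as its host.
The sample HTML and hosts below are constructed for the demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder for the compromised site's own host name.
SAMPLE_PAGE_HOST = "fansite.example"

# Constructed sample page: one legitimate same-site player IFRAME and one
# injected, hidden, off-site IFRAME (the 203.0.113.0/24 range is reserved
# for documentation, so this URL is a placeholder).
SAMPLE_HTML = """
<html><body>
<h1>Fan site</h1>
<iframe src="http://fansite.example/player.html" width="400" height="300"></iframe>
<p>news</p>
<iframe src="http://203.0.113.7/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>
"""

_HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
_RAW_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _px(value):
    """Parse a width/height attribute such as '1', '0px' or '100%'; None if unknown."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def assess_iframe(attrs, page_host):
    """Return the list of reasons an IFRAME looks injected (empty means benign-looking)."""
    reasons = []
    src = attrs.get("src", "")
    host = urlparse(src).hostname or ""
    if host and host.lower() != page_host.lower():
        reasons.append(f"external host {host}")
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and (w <= 2 or h <= 2):
        reasons.append(f"tiny size {w}x{h}")
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden via style")
    if _RAW_IPV4.match(host):
        reasons.append("raw IP address as host")
    return reasons


def find_suspicious_iframes(html, page_host):
    """Return [(src, reasons), ...] for every IFRAME that trips at least one heuristic."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = assess_iframe(attrs, page_host)
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, SAMPLE_PAGE_HOST):
        print(src, "->", "; ".join(reasons))
```

Run against the constructed sample, only the 1x1 hidden IFRAME pointing at the raw IP is reported; the same-site player IFRAME passes. Because IcePack serves each visitor IP only once (see the Finjan comment further down), the HTML should be captured on the first fetch and checked offline, rather than re-fetched from the same address.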
Vendor, signature date, detection name:
AntiVir 2007.07.28 TR/Crypt.U.Gen
AVG 2007.07.28 Obfustat.AGS
eSafe 2007.07.29 suspicious Trojan/Worm
Ikarus 2007.07.29 Trojan-Downloader.IcePack
McAfee 2007.07.27 New Win32
Panda 2007.07.29 Generic Malware
Sophos 2007.07.26 Mal/HckPk-A
Sunbelt 2007.07.28 Trojan-Downloader.IcePack
Symantec 2007.07.29 Downloader
Webwasher-Gateway 2007.07.29 Trojan.Crypt.U.Gen
File size: 6792 bytes
More screenshots of the IFRAME are at Finjan's blog, along with a comment on evasive attacks: "The toolkit also uses evasive attack. By blocking specified countries and multiple instances from the same IP address, it minimizes exposure to security vendors." Very true. Revisiting it, I no longer get exploited.
IcePack kit screenshots courtesy of an IDT Group member pitching the kit.