Friday, June 22, 2007

The MPack Kit Attack on Video

A video demonstration of MPack, courtesy of Symantec, goes through various infected sites and showcases the consequences of visiting them: "This video demonstrates how a system is compromised by a malicious IFRAME and how the MPack gang has accomplished this on literally thousands of websites (mostly Italian) through usage of an IFRAME manager tool."



Meanwhile, dekalab.info is yet another malicious URL exploiting the MDAC ActiveX code execution vulnerability (CVE-2006-0003), one of the many already patched vulnerabilities used in the latest version of MPack, for you to analyze. The question remains: how many zero days are currently being exploited in the wild through the MPack kit? The "best" is probably yet to come; the periodic fresh supply of loaders (58.65.239.180 reports a last update of Thu, 21 Jun 2007 22:02:08 GMT) indicates commitment.

Input URL: dekalab.info
Responding IP: 203.121.78.127
203.121.64.0 - 203.121.127.255
TIME Telecommunications Sdn Bhd

Interestingly enough, the original source of the IFRAME attack, 58.65.239.180, remains active, still acting as a redirector to 64.62.137.149/~edit/, which is again an exploit-embedded page generated with the MPack kit:

- 58.65.239.180
58.65.232.0 - 58.65.239.255
HostFresh

- alpha.nyy-web.com (64.62.137.149)
64.62.128.0 - 64.62.255.255
Hurricane Electric

Evasive malware-embedded attacks aim to improve their chances of not getting detected. If your browser cannot be exploited, all you will see at these IPs/URLs is a ":[" sign; the rest is the obfuscated JavaScript attack you can see in the screenshot. Here's the deobfuscated reality as well. Periodically monitoring these IPs will turn up a great deal of undetected malware variants. AVs detecting the current payload:

eTrust-Vet - Win32/Chepvil!generic

File size: 7283 bytes
MD5: ae4e60d99ec198c805abdf29e735f1a7
SHA1: b0d1b68460683d98302636ab16a0eaa4b579397d
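As an added example (not code from this post, from Symantec, or from the MPack authors), here is a small Python scanner for the two stages described above: the hidden IFRAME injected into a legitimate site that points at the redirector, and the landing page that drives the RDS.DataSpace control behind the MDAC vulnerability (CVE-2006-0003). The hosts and payload hashes are the ones listed in this post; the RDS.DataSpace CLSID and ProgID are not on the page and are taken from Microsoft's MS06-014 advisory; the sample pages are constructed here for illustration and were not captured from the sites mentioned.

```python
"""Scan HTML for MPack-style injected IFRAMEs and an MS06-014 (CVE-2006-0003) landing page.

Indicators (hosts, payload hashes) come from the post above; the RDS.DataSpace
identifiers come from the MS06-014 advisory; the sample pages are constructed.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the post: injected redirector, landing page host, loader hashes.
IOC_HOSTS = {"58.65.239.180", "64.62.137.149", "alpha.nyy-web.com", "dekalab.info"}
PAYLOAD_MD5 = "ae4e60d99ec198c805abdf29e735f1a7"
PAYLOAD_SHA1 = "b0d1b68460683d98302636ab16a0eaa4b579397d"

# Not on the page: the RDS.DataSpace control abused by CVE-2006-0003 (MS06-014),
# reachable either by CLSID in an <object> tag or by ProgID via ActiveXObject().
RDS_DATASPACE_CLSID = "BD96C556-65A3-11D0-983A-00C04FC29E36"
RDS_PROGID_RE = re.compile(r"ActiveXObject\s*\(\s*['\"]RDS\.DataSpace['\"]\s*\)", re.I)


class _TagCollector(HTMLParser):
    """Collect <iframe> and <object> start tags with their attributes."""

    def __init__(self):
        super().__init__()
        self.iframes, self.objects = [], []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(attrs)
        elif tag == "object":
            self.objects.append(attrs)


def _is_hidden(attrs):
    """MPack injections use 0/1 pixel frames or CSS that hides the frame entirely."""
    def tiny(value):
        try:
            return int(value.strip().lower().rstrip("px")) <= 1
        except ValueError:
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) or tiny(attrs.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def _host_of(src):
    src = src.strip()
    if "//" not in src:
        src = "//" + src          # bare host/IP without a scheme
    return (urlparse(src).hostname or "").lower()


def scan_html(html):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for frame in parser.iframes:
        src = frame.get("src", "")
        if _host_of(src) in IOC_HOSTS:
            findings.append(("iframe_known_ioc", src))
        elif _is_hidden(frame):
            findings.append(("iframe_hidden", src))
    for obj in parser.objects:
        if RDS_DATASPACE_CLSID in obj.get("classid", "").upper():
            findings.append(("rds_dataspace_object", obj.get("classid")))
    if RDS_PROGID_RE.search(html):
        findings.append(("rds_dataspace_script", "ActiveXObject('RDS.DataSpace')"))
    return findings


def is_known_payload(data):
    """True if a fetched binary matches the loader hashes listed in the post."""
    return (hashlib.md5(data).hexdigest() == PAYLOAD_MD5
            or hashlib.sha1(data).hexdigest() == PAYLOAD_SHA1)


# Constructed samples (not captured from the sites in the post).
INJECTED_SITE = (
    '<html><body><h1>Benvenuti</h1>'
    '<iframe src="http://58.65.239.180/" width="0" height="0" '
    'frameborder="0"></iframe></body></html>'
)
LANDING_PAGE = (
    '<html><body>:[<object classid="clsid:BD96C556-65A3-11D0-983A-00C04FC29E36" '
    'id="target"></object><script>var o=new ActiveXObject("RDS.DataSpace");'
    '</script></body></html>'
)
CLEAN_PAGE = ('<html><body><iframe src="http://example.org/widget" '
              'width="300" height="200"></iframe></body></html>')

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_SITE), ("landing", LANDING_PAGE), ("clean", CLEAN_PAGE)):
        print(name, scan_html(page))
```

The host match catches pages that still point at the redirectors named here; the size/CSS heuristic catches the same injection technique once the gang rotates IPs, which is why the two checks are separate findings. Feed it the HTML you fetch while monitoring those IPs and hash any binary the landing page drops through `is_known_payload` to tell a known loader from a fresh variant.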

Aruba.it's comments on the case as well. Now, let's move on, shall we?

A Blacklist of Chinese Spammers

With China no longer feeling proud of its position among the top three sources of spam worldwide, the country is going a step beyond the bureaucratic measure of licensing email servers undertaken back in April 2006, and has recently launched a blacklist of Chinese spammers:

"The comprehensive anti-spam processing platform (http://www.iscbl.anti-spam.cn/) will post a regularly updated blacklist of spam servers, allowing telecom operators and mail service providers to access the information. Over 100,000 IP addresses have been blacklisted thanks to public reports, said Zhao Zhiguo, vice-director of the telecommunications department of the Ministry of Information Industry. A "white list" of mail service providers will also be posted on the website, boosting the development of lawful mail service providers, such as the country's big players Sina, 163 and Sohu. ISC Secretary-General Huang Chengqing said the website will gradually open to the public and businesses to accelerate anti-spam efforts domestically and internationally."

And although major blacklist providers have been offering such lists for years, China's inside-out approach is a great example of the most effective, yet not so popular, strategy of dedicating more effort to filtering outgoing spam, compared to the current practice of filtering incoming spam. Only if responsibility is shifted to the ISPs that do nothing to filter outgoing spam (and who will later offer you free spam protection to differentiate their USP) can we start seeing results. The rest is a cat and mouse game, and an overall decline in the confidence and reliability of email communications.

World spamming map courtesy of Postini.