
HTool-MPack

Type: Trojan
SubType: Tool
Discovery Date: 06/19/2007
Length: N/A
Minimum DAT: N/A
Updated DAT: N/A
Minimum Engine: 5.1.00
Description Added: 06/19/2007
Description Modified: 06/19/2007 9:56 PM (PT)

Risk Assessment
Corporate User: N/A
Home User: N/A


Characteristics

MPack is a web attack tool that we are seeing deployed in the wild on web servers. It is an application designed to serve malicious content to users who access compromised websites. We have seen several thousand website URLs that are compromised and have a hidden IFRAME inserted to redirect unsuspecting users to a malicious site hosting the MPack toolkit. The toolkit stores statistical information, such as geolocation, browser type and operating system version, about users who access the bait websites.

 

A typical scenario in which this tool infects users is as follows:

  • The tool is initiated when a user accesses a file [index.php] hosted on a server.
  • This file determines the browser and operating system of the incoming user.
  • Based on the browser type and operating system, a web exploit is served to the user's machine.
  • After successful exploitation, a payload file is sent to the user and run on the user's machine.
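For site owners checking their own pages for the kind of hidden IFRAME described above, the following is an added example (not part of the original description and not McAfee code). It flags iframes that are invisible and load from a host other than the site's own; the host names, the sample page and the heuristics are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that take an element out of view (heuristic, assumed here).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?<![-\w])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
# width/height attribute values of 0 or 1, optionally with "px".
TINY = re.compile(r"\s*[01]\s*(px)?\s*", re.I)

# Constructed sample page; host names are placeholders, not real indicators.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.shop.example/map" width="600" height="400"></iframe>
<iframe src="http://redirector.invalid/index.php" width=0 height=0></iframe>
<iframe src="//cdn.other.example/ad" style="visibility: hidden"></iframe>
<iframe src="/local/frame.html" width="1" height="1"></iframe>
</body></html>"""

class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden AND point at a foreign host."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()  # empty for relative URLs
        reasons = []
        if TINY.fullmatch(a.get("width", "")) or TINY.fullmatch(a.get("height", "")):
            reasons.append("zero/one-pixel size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by inline style")
        # Report only frames that are both hidden and external to this site.
        if reasons and host and host != self.site_host:
            self.findings.append(
                {"line": self.getpos()[0], "src": src, "reasons": reasons})

def find_hidden_iframes(html, site_host):
    """Return one finding (line, src, reasons) per suspicious iframe."""
    finder = HiddenIframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings
```

Calling find_hidden_iframes(SAMPLE, "www.shop.example") reports the second and third frames only. Iframes written into the page by script are not visible to a static scan like this one.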

 

McAfee has protection for several of the web exploits that are generated and sent by this tool. A non-exhaustive list is below:

 

A variety of payloads could be served to users visiting infected websites. At the time of writing this description, we have seen compromised servers serving payloads detected as the following:

 

Other MPack-related threats seen in the wild that McAfee protects its users against are:

 

Symptoms

N/A

Method of Infection

N/A

Removal

-

Variants

    N/A
