Jun 29th

Mpack? It's only the tip of the iceberg

Posted by: Marco Giuliani


Hello,

As a member of Prevx Research Labs, I'm proud to announce that as of today Prevx has a weblog where the whole research and development team can write, with the goal of notifying, warning or simply sharing our thoughts with all the customers of Prevx 2.0 and others who take an interest in this space we have created.

I will start this blog by focusing on a subject that has been much talked about on many security blogs and in the international media: the so-called "Italian job", the mass attack on Italian websites, whose webpages were modified to include a dangerous iframe that redirects visitors to a server used to spread malware.

Reading some websites, I have noticed that some commentators have misrepresented the situation, overstating the results and minimizing the causes of what happened.


Thousands of Italian websites hosted by a big Italian ISP were modified and an iframe was added, so that visitors were silently redirected to a bridge server. The bridge server redirects the browser again to a main central server, on which an MPack kit is installed.

I'm not going to focus on the MPack kit; plenty of websites have already covered it. Briefly, the MPack kit records the source IP of the visiting client and then, after analyzing the browser's user agent, launches a set of exploits to install a trojan downloader on the victim's PC.

There are a lot of servers around the world with the MPack kit installed: indeed, the kit is widely used to launch attacks against web surfers because it bundles effective exploits for software versions that have not been updated.

What I want to focus on is this question: how did the attackers get access to thousands of websites? My first thought was that they were using zero-day exploits against services running on the hosting servers, or that they had found a vulnerable website on a hosting server and then, starting from it and exploiting a bad hosting configuration, obtained root on the server and modified all the websites. Possible?

Thousands of websites hosted on several servers were compromised. Even if you assume that the servers' configurations are all the same, so that a configuration vulnerability exists on every server, you would still have to find at least one vulnerable website on each server and start the attack from it. Rather a lot of hard work.

Then we saw that there are automated tools which, given webmaster credentials, can automatically check whether the iframe is already present in the webpages and add it if it is not.
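The injected iframe described above is also something a site owner can check for. As an added example (not Prevx code, and not the attackers' tool), here is a small Python checker that flags iframes which both point at a foreign host and are visually hidden; the sample page and the host names in it are constructed.

```python
"""Scan HTML for injected hidden iframes like those in the mass-injection
attack described above. Added example, not Prevx code; the sample page and
host names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a legitimate page with one injected hidden iframe.
SAMPLE_HTML = """<html><body><h1>Benvenuti</h1>
<iframe src="/help/faq.html" width="600" height="400"></iframe>
<iframe src="http://bridge.example.invalid/in.php" width=0 height=0
 style="visibility:hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height of 0 or 1 pixel, a common way to hide a frame."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_suspicious_iframes(html, site_host):
    """Return src values of iframes that are both foreign-hosted and hidden."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        foreign = host is not None and host != site_host
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (_is_tiny(attrs.get("width", ""))
                  or _is_tiny(attrs.get("height", ""))
                  or "display:none" in style
                  or "visibility:hidden" in style)
        if foreign and hidden:
            hits.append(src)
    return hits
```

Running `find_suspicious_iframes(SAMPLE_HTML, "www.example-site.invalid")` reports only the zero-size frame pointing at the foreign bridge host; the legitimate relative iframe is left alone.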

Nice tool, but then another question arises: where did the attackers get the credentials for thousands of websites, giving them full access? Weak passwords? It could be, but it's hard to believe, because usually the passwords are issued directly by the ISP. Let's suppose, however, that they got access through weak passwords: then thousands of websites had weak passwords and all of them were discovered by the attackers? This sounds unlikely to me.

What happened then? A phishing attack to get the passwords of website administrators? Again, it's possible but unlikely, because I strongly doubt (and hope) that thousands of webmasters would hand over their passwords by email without at least checking whether it was a phishing attempt.

A more persuasive idea is that the attack was made possible by a theft of credentials from the ISP. This could have been achieved with a zero-day exploit some time ago, in the window between the exploit's publication and the company patching its software. This kind of attack need not be carried out immediately before the mass-injection attack: it could have been done months before and, perhaps, even by some other party rather than by the perpetrator of the injection itself.

What is unclear to observers outside Italy is that this kind of attack is not new. Before this big Italian hoster, another Italian hosting company suffered the same attack, and several websites hosted by them were compromised with the same iframe redirecting to the same IP.

Neither company has yet released a comment on what happened, apart from a hint to users to change their passwords.

Prevx analysts have been working on this case since the mass-injection attack first appeared in April/May 2007 at the first hosting company, and Prevx 2.0 customers are protected from this threat.

So, again, everyone is talking about MPack, but MPack is only the "tip of the iceberg".

1 comment so far

Marlin on Aug 2 3:31, 2007

I believe my server was exploited as you mentioned above due to a delay in my installing a patch. The delay was due to a policy of waiting for a specific time to reboot the computer in order for the patch to be completely installed. I believe this is so because my server has been attacked successfully three times and each time the server sat for a few days prompting for a reboot after a patch installation.

Also, the infection I encountered was slightly different in that it was Sino-Centric, i.e. based in Hong Kong and Shanghai. I'm not sure, however, if this is a group that is merely MPACK customers, or if they are a combination of MPACK users coupled with a group devoted to rapid exploit response to MS patches.

Anyway, your thoughts helped to clarify a few things. Thanks.

Marlin
