December 20, 2007
A friend asked me to spruce up his web site a little, so last night I took a look at it. There was a NoScript logo at the top-left corner that shouldn't have been there, so I looked at the source and found a blank IFRAME (0 pixel height and width) that called a PHP program on a host addressed by a raw IP address instead of a domain name. I checked the owner of the IP address and found that the /22 it was in was registered to the RBN (Russian Business Network).
That did it. I decided to run an all-night research session, learning about Autonomous Systems in BGP, the RBN, MPack, and IcePack.
The exploit kit (MPACK) has been around for about a year, but there have been a couple of flare-ups since then. One was about the same month that my friend wrote his web site.
MPACK is an exploit kit that works dynamically. It analyzes your browser, OS, and installed programs, and records that information on a server for advertising purposes. Then it decides which exploit is best to use in your environment. It also uses a series of reflectors and redirects to obscure the identity of the MPACK server. Then it downloads even more exploits.
It costs about $500 to $1000 and comes with 1 year of support and updates. There is also a cheaper copycat program that is available for $30 (it only has two possible exploits), with the "deluxe" version for $700. It also doesn't keep track of the analysis like MPACK does. Both Panda and Symantec have good papers on them, but Panda's are best ("MPACK uncovered" and "ICEPACK uncovered"). They didn't have the latest version of MPACK but bought the latest ICEPACK off an IRC channel.
I read an old (July) but interesting write-up at SecurityFocus which included Robert Lemos's interview with the authors (off ICQ). They claimed they were only like an ammunition factory and they weren't making the guns.
For example:
Lemos: How do you get the exploits for MPack? Do you buy them?
DCT: For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code).
DCT: We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is US$10,000 in case of good exploitation.
The RBN was also interesting. Western security teams like iDefense, SANS, SpamHaus, etc. condemn them as the worst hosting operation around. According to the western groups, they host child pornography, SPAM, exploits, botnets and more. For about $600 per year you could hire them to shield you from being shut down. Of course RBN says the western groups are just a bunch of "greedy xenophobes" who are trying to drum up business with FUD, just like Bush exaggerated the threat of WMD in Iraq. (Their analogy.)
It seems they own or are in control of several Autonomous Systems (ASes) off the Russian backbone and are able to shift servers around with ease.
The authors of MPACK said the best way to shield yourself from it is to "use OPERA with scripts and plugins disabled". Back then they had an exploit for Firefox and Opera. But thanks to NoScript it never got to me.
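A quick way to spot the kind of injection that started all this (a zero-sized or display:none IFRAME, especially one whose src is a raw IP address) in a page's source. This is an added example, not code from the original post; the sample page and the 192.0.2.10 address are constructed (TEST-NET-1), not the real address I found.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class HiddenIframeFinder(HTMLParser):
    """Collect IFRAMEs that are zero-sized or display:none, noting IP-literal hosts."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}

        def norm(key):  # attribute value, trimmed and lower-cased for comparison
            return a.get(key, "").strip().lower()

        zero_sized = norm("width") in ("0", "0px") and norm("height") in ("0", "0px")
        hidden_style = "display:none" in norm("style").replace(" ", "")
        if not (zero_sized or hidden_style):
            return  # a visible IFRAME is not what the injected one looked like
        src = a.get("src", "")
        host = urlsplit(src).hostname or ""
        try:
            ipaddress.ip_address(host)
            ip_literal = True  # src addressed by raw IP rather than a domain name
        except ValueError:
            ip_literal = False
        self.findings.append({"src": src, "ip_literal": ip_literal})


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample page: one legitimate visible frame, one injected 0x0 frame
# pointing at a TEST-NET-1 placeholder address, and one display:none frame.
SAMPLE_HTML = """<html><body>
<iframe src="http://video.example.net/embed/42" width="320" height="240"></iframe>
<p>My friend's page</p>
<iframe src="http://192.0.2.10/in.php" width="0" height="0"></iframe>
<iframe src="http://cdn.example.org/x.php" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_iframes(SAMPLE_HTML):
        print(finding)
```

Run it over the saved HTML of a page you maintain; anything it reports deserves a look at the file's modification time and the host behind the src.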
SECSIG meets in the Science building 203 at 11:15 am.
By attending the SECSIG you can ask questions and open discussions about troubling situations you are having now.
The RSS feed address is http://ocsecsig.blogspot.com/atom.xml
Dave Keays, SIG leader