MPack Hacking Creates Italian Job Trojans

When I first heard of the “Italian Job”, I thought it was some kind of new sex activity. Unfortunately, it’s nothing that good. It’s the name Trend Micro has given to an internet threat which started to appear on Italian web sites recently. It’s not a new threat but it’s growing and getting a lot of press coverage this week.

Trend Micro and others have identified the infection and how it works on thousands of web pages. What’s still unclear is how so many legitimate sites have had their top level pages hacked.

The source of the infection appears to have been created using a Russian based hacker tool kit called “MPack”. For under a thousand U.S. dollars, you can install MPack and using its control panel, anonymously monitor the success of your malware around the world. MPack version 0.92 also comes with a number of examples that can help you deploy keyloggers, remote bots and worms using a variety of known vulnerabilities in Windows.

The current threat in Italy is using Javascript code to create an <IFrame> element that redirects users to a new IP which attempts a buffer overflow infecting the users machine. Other examples in MPack use what we’ve called the ANI Vulnerability that Microsoft patched in April as well as Vulnerability in the Microsoft Data Access Components, Vulnerability in Windows Media Player Plug-in, Vulnerability in Vector Markup Language, Vulnerability in Microsoft Management Console, and Vulnerability in Microsoft XML Core Services. New exploits can be purchased as they are discovered.

MPack has been used for a variety of reasons. Everything from capturing passwords from financial institutions to just increasing traffic to a hackers Google Adwords page.

While all the security companies have spent plenty of time analyzing how MPack works, nobody seems to know how so many legitimate website are getting hacked. It sounds like the security companies need to spend more time designing and selling products to Internet Service Providers than just the average consumers.