Mpack, developed by Russian hackers, is a collection of exploits that compromises the security of infected PCs. Close to 200 porn domain names have been hacked to redirect to servers hosting Mpack. The attacks were said to have begun June 17.
“The pornographic sites, which tend to specialize on incestuous content, have an obfuscated I-Frame code appended at the end of the HTML code,” Ryan Flores said on the Trend Micro blog. “This I-Frame redirects to another domain that will serve a script file to download a copy of TROJ_AGENT.QMN. Right now, we are not sure whether the porn sites are compromised to host the I-Frames, are created to do so, or are being paid to host the I-Frames.”
Symantec security analyst Amado Hidalgo told Computer World that he believes the “Mpack gang appears to be using an I-Frame manager tool to automate the task on a large scale,” which is how the hackers were able to infect so many sites in a short time. This manager tool is successful because it injects the malicious I-Frame code to the sites’ HTML that redirects surfers to the Mpack server.
“It takes as input a list of website administrator accounts, possibly obtained in the black market,” Hidalgo said. These accounts are logged into the manager tool, which enables previously purged sites to become re-infected.
“A simple cleanup of the page is not sufficient,” Hidalgo said. “The site administrator’s credentials need to be changed.”
Mpack was created by a hacker who goes by the name $ash. The toolkit sells for around $1,000.