Tuesday, August 7, 2007

MPack Developer: "Just Creating Ammunition"

An article appeared on the SecurityFocus website a few weeks ago containing an interview with the developer of the MPack Infection Kit, a Russian-based malware-creation toolkit that retails for between $750 and $1,000 on the Internet.


According to Symantec (who made this movie), MPack presents itself as an IFRAME Manager tool, basically an FTP updater client, written in PHP language, that runs on a webserver with MySQL as back-end. It takes as input a list of website administrator accounts (possibly obtained in the black market). It then periodically checks the home pages of those sites to inject a chosen IFRAME into their code.

Nasty stuff. And well-organized - and, apparently, well-funded. In the SecurityFocus interview, the developer appears to not be too concerned about forking out $10,000 for an exploit:

"For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code).
We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is $10,000 in case of good exploitation.'

The actual impact of MPack on consumer computing is not known with precision. The developers claim only "tens" of copies of the software have been downloaded. However, the developer appears to admit "tens of thousands" of web pages have been compromised, which lends credence to the claim by SecurityFocus that exploits based on MPack have compromised "hundreds of thousands" of computers.

In the interview, which can be found here on Register.com, the "developer" of the malware toolkit admits that he knows what he is doing is illegal - "we are just a group of people working together, but doing some illegal business" - and that he is aware of Russian laws covering the nature of his work.

He also goes on to illustrate that he cares nothing about the consequences of his work.

Q. Do you feel sorry for the people whose machines are infected by an attack?

A. Well, I feel that we are just a factory producing ammunition.

He then further goes on to complain that "AVers" (i.e. antivirus companies, like Authentium), are painting him as a criminal.

"AVers want to make an image showing us like bad guys stealing something from a store, etc. But really, almost none of my friends have any contact with criminals about our work or anything else."

Authentium to MPack Developer: you *are* an Internet criminal. You are not just "supplying the ammunition", you are fueling the battle by supplying criminals, and making the Internet worse for hundreds of thousands of consumers.

Which is why, one day, you will end up in jail. Hopefully, for a very long time.

Note: Symantec's blog has an excellent posting on this malware.

No comments: