In the last few hours, a lot has been said about the massive MPack infection, which has affected more than 10,000 websites. For more information, see the Websense alert: http://www.websense.com/securitylabs/alerts/alert.php?AlertID=782 .
Although the figures are astonishing, we are not very surprised. We carried out a small study of MPack, and in 2 months (April & May 2007) we discovered 41 different servers. The statistics were frightening: more than 1 million users infected (1217741), and the iframe code was present in 366717 web pages.
We don’t think that those 366717 websites were hacked and infected manually one by one.
Although we haven’t found it yet, it seems that the attackers have a program that looks for vulnerable web servers, accesses the main file that loads the web page, and adds an iframe reference to MPack, so that users who visit these websites are infected too.
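For site owners, the injection described above can be checked for by listing every iframe in a page whose host is not one the site frames on purpose. The following is an added example, not code from the original post or from MPack; the allowlist, the host names, the sample page and the "hidden frame" heuristic are all assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately frames; anything else is reported.
ALLOWED_HOSTS = {"www.example.com", "player.example.net"}


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristic (assumption): 0/1-pixel size or CSS that hides the frame."""
    tiny = any(attrs.get(k, "").strip() in {"0", "1"} for k in ("width", "height"))
    style = attrs.get("style", "").replace(" ", "").lower()
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_foreign_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, src, hidden) for each iframe whose host is not allowed."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host: they stay on the site itself.
        if host and host not in allowed_hosts:
            findings.append((host, src, is_hidden(attrs)))
    return findings


# Constructed sample: a main page with legitimate frames and one appended frame.
SAMPLE_PAGE = """<html><body>
<iframe src="https://player.example.net/embed/1" width="640" height="360"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>
<iframe src="http://injected.example.org/x/index.php" width=0 height=0></iframe>"""

if __name__ == "__main__":
    for host, src, hidden in find_foreign_iframes(SAMPLE_PAGE):
        print(f"foreign iframe host={host} hidden={hidden} src={src}")
```

Running it over the main files of a web root (index pages and shared templates) and comparing the results against a known-good copy shows whether a frame reference has been added to them.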
Version 0.90 of MPack has recently come out. The latest changes in this version include the following:
– The capability to infect only in certain countries.
– stats.php has been replaced by admin.php. A username is now required as well as a password. As a result, it is much safer.
– An update to the encryption module, which makes the exploits it uses more difficult to detect.
– Several small changes to the interface, bug fixes, etc.
– Its price has increased from $700 to $1000.
So far, we have located 4 active servers running this new version.