In an interview posted on SecurityFocus, a person identifying himself as "DCT" denied that there is a cybergang responsible for creating the MPack tool, a package of malicious software responsible for the latest wave of PC compromises.
"We are just a group of people working together, but doing some illegal business," he said. He also denied any contact with real-world Russian criminals. He said the "Dream Coders Team" (DCT) consists of three people, plus a few other freelancers. The developers are all Russian, while the others are from various countries. He said $ash, an individual often mentioned in association with the selling of the MPack tool, is not one of the three but more of a "marketing director."
The MPack tool is a package of malicious exploits that allow online criminals to compromise PCs. To carry out an attack a user is directed to a site containing a malicious link. The browser then follows that link to a server hosting MPack. The tool then scans the browser for known vulnerabilities and attempts to exploit one for the purpose of compromising the machine. The machine can then be used for identity theft or as a part of a larger botnet.
DCT said that all the publicity surrounding the recent MPack attacks had increased interest in sales of the tool. However, it has also drawn the attention of law enforcement. "In Russia there is a law which forbids (malicious software) creation tools like MPack, (but) we secure our systems to the best possible extent, so that even a police officer would not be able to get the PCs analyzed," said DCT. Despite these precautions, he said that "we will have to shut down the project soon."
As the automated Mpack attack continues to turn thousands of legitimate Web sites into compromised sites offering drive-by downloads of malicious software, security researcher Roger Thompson over at Exploit Prevention Labs reminds us there are other exploits compromising legitimate sites, and some are as easy to find as entering a simple search string on Google. For more than a week (starting before the current Mpack attack), Thompson has been posting a list of dangerous search strings on his blog site. I've collected these and indicated in parentheses some of the known exploits associated.
- atlas mountains country (WebAttacker 2 or MPack)
- rotweiller rescue
- North Padre Island (WebAttacker 2 or Mpack)
- arches national park (WebAttacker 2 or MPack)
- canyonlands national park
- mass lottery
- air disasters in Florida (WebAttacker 2)
- cd key windows xp profesional
- batmobile for sale
- victoria's secret (fake codec)
- pokemon ruby gamesharks
- blue book (mdac exploit)
- IBM stock
- pallet fire
- Nigerian economic and financial crimes
- who's a rat
Exploit Prevention Labs makes LinkScanner, a browser plug-in that will identify and block known exploits on tainted sites before you download the page. There are other safe surfing tools available as well; some are free.
- prev
- 1
- next
