Reflecting on an “Italian Job”
Posted by Robert Freeman on June 20, 2007 at 1:52 PM EDT.
The most important thing to keep in mind about this attack, which uses compromised hosts and the mPack exploit toolkit, is that there is nothing unique about it save for the number of hosts involved. A year ago the popular exploit toolkit was WebAttacker from Inet-Lux, and the same many-to-one approach of using many compromised hosts to redirect visitors to a single malicious site was popular then too. Both WebAttacker and mPack can serve up several exploits, selected according to the visitor's configuration. Granted, mPack bundles some innovations: server-side (rather than client-side JavaScript) analysis of the visitor to determine the best attack to use, an encryption layer for outbound attacks (though later WebAttacker installs had that too), less predictable malicious URL paths, and a nicer UI for the attackers.

Towards the end of 2006, Inet-Lux and WebAttacker sites were phasing out, and while we saw mPack in use in the wild, I didn't know it yet by name. Prior to this "Italian Job," we had already seen mPack use in the wild explode this year. However, there are other toolkits out there and there is no shortage of malicious talent to construct new ones. Whoever advertises the highest anticipated rate of infection will have a chance to become the weapon of choice. Moving forward, I'm sure we'll see further large-scale attacks play out, either with mPack or with another toolkit.
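The many-to-one redirect structure described above leaves a recognizable trace in an organization's outbound proxy logs: many unrelated sites your users browse all produce a follow-on cross-site request to the same third-party URL. The script below, an added example that is not code from the original post or from either toolkit, groups cross-site requests by target and reports targets with an unusually high fan-in of distinct referring hosts. The log lines are constructed, and the hostnames, the `in.cgi` path, the `fan_in` helper and the threshold are hypothetical; the Combined Log Format with an absolute URL in the request line is assumed as the proxy's output format.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines, not real traffic. Assumed format: Combined Log Format
# as a forward proxy might write it, with the absolute URL in the request line.
# All hostnames are invented placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2007:10:01:02 -0400] "GET http://www.example-travel.test/index.html HTTP/1.1" 200 8123 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.5 - - [20/Jun/2007:10:01:03 -0400] "GET http://landing.example.test/in.cgi?3 HTTP/1.1" 200 512 "http://www.example-travel.test/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.9 - - [20/Jun/2007:10:04:11 -0400] "GET http://hotel-deals.example.test/rooms.php HTTP/1.1" 200 6011 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.9 - - [20/Jun/2007:10:04:12 -0400] "GET http://landing.example.test/in.cgi?3 HTTP/1.1" 200 498 "http://hotel-deals.example.test/rooms.php" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
10.0.0.12 - - [20/Jun/2007:10:09:40 -0400] "GET http://landing.example.test/in.cgi?7 HTTP/1.1" 200 503 "http://news.example-local.test/story.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
10.0.0.3 - - [20/Jun/2007:10:12:08 -0400] "GET http://cdn.example.test/jquery.js HTTP/1.1" 200 30211 "http://www.example-travel.test/index.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
10.0.0.3 - - [20/Jun/2007:10:12:09 -0400] "GET http://cdn.example.test/jquery.js HTTP/1.1" 200 30211 "http://hotel-deals.example.test/rooms.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Yield one dict per line that matches the assumed log format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def cross_site_hops(records):
    """Yield (target_key, referer_host) for requests whose Referer is on another host.

    target_key is host + path with the query string dropped, so that variants such
    as in.cgi?3 and in.cgi?7 (per-source tags) group under one landing script.
    """
    for r in records:
        if r["referer"] in ("", "-"):
            continue
        target = urlparse(r["url"])
        ref = urlparse(r["referer"])
        if not (target.hostname and ref.hostname):
            continue
        if target.hostname != ref.hostname:
            yield target.hostname + target.path, ref.hostname


def fan_in(log_text, min_referrers=3, allow_hosts=frozenset()):
    """Return {target_key: sorted referring hosts} for cross-site targets reached
    from at least min_referrers distinct hosts, highest fan-in first.

    allow_hosts lets an analyst suppress known shared third parties (CDNs, ad
    servers, analytics) that legitimately show the same many-to-one shape.
    """
    refs_by_target = defaultdict(set)
    for target_key, ref_host in cross_site_hops(parse_log(log_text)):
        if target_key.split("/", 1)[0] in allow_hosts:
            continue
        refs_by_target[target_key].add(ref_host)
    hits = {k: sorted(v) for k, v in refs_by_target.items() if len(v) >= min_referrers}
    return dict(sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0])))


if __name__ == "__main__":
    for target, referrers in fan_in(SAMPLE_LOG).items():
        print(f"{target}: reached from {len(referrers)} hosts -> {', '.join(referrers)}")
```

The threshold is a triage aid, not a verdict: a CDN or ad network shows the same fan-in, which is why the allowlist exists and why the output lists the referring hosts so an analyst can check whether those pages have any business linking to the target.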

