[ISN] MPack Runs Rampant

From: InfoSec News (alerts@private)
Date: Wed Jun 27 2007 - 22:06:23 PDT


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:

Risky Business: Managing Risk Through Security 
   http://list.windowsitpro.com/t?ctl=5BC1B:57B62BBB09A692792C2D52B49BBB78C8

Keep Unsecured Machines Off Your Network
   http://list.windowsitpro.com/t?ctl=5BC1D:57B62BBB09A692792C2D52B49BBB78C8

Automated GLBA Security Compliance: Free Report 
   http://list.windowsitpro.com/t?ctl=5BC2B:57B62BBB09A692792C2D52B49BBB78C8


=== CONTENTS ===================================================

IN FOCUS: MPack Runs Rampant

NEWS AND FEATURES
   - Latest ZLOB Plays on People's Desire for Online Video
   - HP to Provide Web Application Security
   - PatchLink Moves to Unify Protection and Control
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: Hack the Beta--Win a Game Box
   - FAQ: Preparing AD for Exchange 2007
   - From the Forum: Preventing Power Users from Creating Shares 
   - Share Your Security Tips

PRODUCTS
   - Continuous Authentication and Encryption
   - Wanted: Your Reviews of Products 

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Neverfail =========================================

Risky Business: Managing Risk Through Security 
   Every business faces risk. Have you properly assessed your company's 
risk and put a focus on business continuity? Attend this free Web 
seminar and learn how you can ensure seamless recovery of your key 
systems and keep your users continuously connected. On-demand Web 
seminar.
   http://list.windowsitpro.com/t?ctl=5BC1B:57B62BBB09A692792C2D52B49BBB78C8


=== IN FOCUS: MPack Runs Rampant =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

The need to secure your Web servers has never been higher. In the past, 
many people worried about potential damage to their company's 
reputation should their site be broken into. After all, a defacement 
negatively affects not only a Web site but also a company's public 
image. 

But there's another, more dangerous aspect to keep in mind: Your site 
might be turned into an attack vector against its own visitors, making 
you responsible for damage to any number of innocent people's computers. 
Anyone with a public-facing Web site has a serious responsibility to 
protect its visitors, and if you host other people's Web sites, that 
responsibility is greater still.

A case in point that clearly demonstrates the need for vigilance is the 
relatively new MPack tool--not to be confused with the compression 
software of the same name.

MPack is an automated, server-based attack tool that is being used to 
infect untold numbers of computers. It's comparable to Metasploit, 
except that rather than an operator aiming it at chosen targets, victims 
are pushed towards an MPack server en masse. The tool is PHP-based and 
is a flexible attack platform complete with a back-end management and 
monitoring interface. The server components deliver exploit payloads to 
visiting browsers, and the people who operate them plant links to the 
MPack server in Web pages all over the Internet. 

The primary motive of MPack is to generate income through criminal 
activity. Its creators have been selling the tool for about $700 since 
at least December 2006 along with attack modules that evolve as new 
attack types become possible. According to Panda Labs, new modules cost 
anywhere from $50 to $150 depending on the level of exploitation a 
module can carry out.

Recently, intruders using MPack registered domains to host the attack 
code and broke into numerous Web hosting accounts (and quite possibly 
privately operated Web sites) to plant links to that code in the pages 
of the unsuspecting, compromised sites. The planted code typically 
consists of an IFRAME tag that tells a visitor's browser to load the 
malicious page inside the legitimate one. The browser does this without 
the user having to take any action other than visiting the compromised 
site, and the IFRAME can be coded so that it is not noticeable (for 
example, sized to a single pixel or styled as hidden). So the visitor 
might remain completely unaware that exploitation is taking place.

The malicious Web page contains code that, when run, determines the 
visitor's OS and browser type and then delivers the corresponding 
exploit code. Exploits exist for Windows, Linux, BSD, and Mac OS systems, 
for at least seven browsers, and for various components such as Apple 
QuickTime, WinZip, and other common tools. MPack can also instruct a 
vulnerable computer to download further malicious files, and from there 
a huge range of possibilities opens up.

Panda Labs reports that one Web server it recently inspected contained 
7,644 Web pages infected with links to MPack-based exploits. Exactly 
how many sites and pages have been infected remains unknown; however, 
one trusted source told me that at least one major hosting company 
(which I won't name) found that its servers were compromised through a 
combination of exploits, and as a result, a large number of index.php 
files were overwritten to contain exploits based on MPack. 

In that incident, I was able to take a look at several of the affected 
sites because I know the operators of those sites. The intruders made a 
puzzling choice to completely overwrite every file that contained the 
string "index" with a simple IFRAME tag to launch exploits. Since all 
the index pages for the affected sites suddenly started showing up 
empty, the break-in became obvious sooner rather than later. 

I have no idea why the intrusion was made so obvious. Had the intruders 
inserted an IFRAME tag into existing HTML instead of overwriting pages 
entirely, the intrusion could have gone undetected for a very long 
time, and the number of infected computers would have risen 
tremendously.
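As an added example (not code from the newsletter, from Panda Labs, or from MPack itself), the following Python script checks Web pages for the two injection patterns described above: an index file whose entire content has been replaced by a bare IFRAME, and a hidden IFRAME pointing at an external host that has been slipped into an otherwise intact page. The site host names, file paths, and the example.net URLs in the sample pages are constructed for illustration; nothing here is taken from a real incident.

```python
"""Flag MPack-style IFRAME injections in HTML/PHP pages.

Two heuristics, matching the two cases described in the article:
  overwritten_index       -- an "index" file that now holds nothing but IFRAME tags
  hidden_external_iframe  -- an IFRAME sized/styled to be invisible whose src
                             points at a host that is not one of the site's own
"""
import os
import re
from urllib.parse import urlparse

# Each <iframe ...> opening tag; its attribute text is parsed separately.
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or name=value
ATTR = re.compile(r"""([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# Wrapper tags that an attacker may leave around a bare IFRAME.
WRAPPER_TAGS = re.compile(r"(?is)</?(?:iframe|html|head|body)\b[^>]*>")


def iframe_attrs(attr_text):
    """Return a lower-cased attribute dict for one <iframe> tag."""
    attrs = {}
    for m in ATTR.finditer(attr_text):
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[m.group(1).lower()] = value.strip()
    return attrs


def is_hidden(attrs):
    """True when the frame is sized or styled so a visitor would not see it."""
    tiny = {"0", "1", "0px", "1px"}
    if attrs.get("width", "").lower() in tiny or attrs.get("height", "").lower() in tiny:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # Positioned off-screen, or zero/one-pixel dimensions set through CSS.
    if re.search(r"(left|top):-\d", style) or re.search(r"(width|height):[01](px)?(;|$)", style):
        return True
    return False


def is_external(src, site_hosts):
    """True when src names a host that is not one of the site's own hosts."""
    host = urlparse(src).hostname
    if host is None:  # relative URL: same site
        return False
    return host.lower() not in {h.lower() for h in site_hosts}


def classify_page(path, html, site_hosts):
    """Return a list of (finding, src) tuples for one page (empty if clean)."""
    findings = []
    frames = [iframe_attrs(m.group(1)) for m in IFRAME_TAG.finditer(html)]
    for attrs in frames:
        src = attrs.get("src", "")
        if is_hidden(attrs) and is_external(src, site_hosts):
            findings.append(("hidden_external_iframe", src))
    # Overwrite pattern: strip the IFRAMEs and any html/head/body wrapper;
    # if nothing but whitespace remains, the original page is gone.
    remainder = WRAPPER_TAGS.sub("", IFRAME_TAG.sub("", html))
    if frames and "index" in os.path.basename(path).lower() and not remainder.strip():
        findings.append(("overwritten_index", frames[0].get("src", "")))
    return findings


def scan_pages(pages, site_hosts):
    """pages: {path: html}. Returns {path: findings} for pages with findings."""
    report = {}
    for path, html in pages.items():
        found = classify_page(path, html, site_hosts)
        if found:
            report[path] = found
    return report


def scan_directory(root, site_hosts, exts=(".php", ".html", ".htm")):
    """Walk a real document root and apply the same checks to every page file."""
    pages = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    pages[path] = fh.read()
    return scan_pages(pages, site_hosts)


# Constructed sample data (assumed site hosts and a made-up attacker host).
SITE_HOSTS = ["www.example.com", "example.com"]
SAMPLE_PAGES = {
    # Whole file replaced by a single one-pixel IFRAME.
    "htdocs/index.php": '<iframe src="http://example.net/in.cgi?3" width=1 height=1></iframe>',
    # Hidden IFRAME appended to an otherwise intact page.
    "htdocs/news/index.html": ('<html><body><h1>News</h1><p>Welcome.</p>'
                               '<iframe src="http://example.net/mp/" style="display:none"></iframe>'
                               '</body></html>'),
    # Clean: visible frame loading the site's own content.
    "htdocs/about.html": '<html><body><iframe src="/map.html" width="400" height="300"></iframe></body></html>',
    # Clean: no frames at all.
    "htdocs/contact.html": "<html><body><p>Mail us.</p></body></html>",
}

if __name__ == "__main__":
    for path, found in scan_pages(SAMPLE_PAGES, SITE_HOSTS).items():
        for kind, src in found:
            print(f"{path}: {kind} -> {src}")
```

Point scan_directory at a real document root with the site's own host names to triage a hosting server. Both checks are heuristics (a legitimate frameset-style index page or a hidden frame used by a site's own widget will show up), so review hits by hand and diff flagged files against a known-good copy or the last deployment before cleaning.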

If you're interested in more details about MPack, Panda Labs published 
a detailed analysis of the MPack attack platform, available at the URL 
below in PDF format. 
   http://list.windowsitpro.com/t?ctl=5BC20:57B62BBB09A692792C2D52B49BBB78C8


=== SPONSOR: St. Bernard Software ==============================

Keep Unsecured Machines Off Your Network
   Tune into the hottest up-to-date network security protection through 
this exclusive podcast featuring Windows IT Pro editor Karen Forster 
and Microsoft's Ian Hameroff. Learn how Network Access Control (NAC) 
and Network Access Protection (NAP) work and what technologies are 
involved, as well as what third-party products are poised to work with 
these technologies.
   http://list.windowsitpro.com/t?ctl=5BC1D:57B62BBB09A692792C2D52B49BBB78C8


=== SECURITY NEWS AND FEATURES =================================

Latest ZLOB Plays on People's Desire for Online Video
   While ZLOB has been tracked in more than 1,000 renditions since late 
2005, several security firms reported that the latest ZLOB outbreak 
takes social engineering to a new extreme to lure people into its trap.
   http://list.windowsitpro.com/t?ctl=5BC28:57B62BBB09A692792C2D52B49BBB78C8

HP to Provide Web Application Security
   HP will acquire SPI Dynamics, maker and provider of Web application 
security assessment software and services.
   http://list.windowsitpro.com/t?ctl=5BC27:57B62BBB09A692792C2D52B49BBB78C8

PatchLink Moves to Unify Protection and Control
   PatchLink will acquire SecureWave, thereby taking another step 
towards unified protection and control. 
   http://list.windowsitpro.com/t?ctl=5BC29:57B62BBB09A692792C2D52B49BBB78C8

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=5BC22:57B62BBB09A692792C2D52B49BBB78C8


=== SPONSOR: Qualys ============================================

Automated GLBA Security Compliance: Free Report 
   Compliance and knowledge of every aspect of the GLBA is mandatory. 
Through web services, on demand security is automated and immediate 
compliance to the GLBA safeguard guidelines is achieved. Learn how 
comprehensive GLBA compliance is managed through internal and external 
audits.
   http://list.windowsitpro.com/t?ctl=5BC2B:57B62BBB09A692792C2D52B49BBB78C8


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: Hack the Beta--Win a Game Box
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=5BC2F:57B62BBB09A692792C2D52B49BBB78C8

Here's an opportunity to put a beta security product through the 
wringer and possibly win one of several game boxes in the process.
   http://list.windowsitpro.com/t?ctl=5BC1E:57B62BBB09A692792C2D52B49BBB78C8

FAQ: Preparing AD for Exchange 2007
   by John Savill, http://list.windowsitpro.com/t?ctl=5BC2D:57B62BBB09A692792C2D52B49BBB78C8 

Q: How do I manually prepare my AD forest and domain for Exchange 
Server 2007?

Find the answer at
   http://list.windowsitpro.com/t?ctl=5BC2A:57B62BBB09A692792C2D52B49BBB78C8

FROM THE FORUM: Preventing Power Users from Creating Shares
   A forum participant wants to disallow power users from creating or 
modifying shares. He's looked through Group Policy Objects (GPOs) and 
can't find a way to remove the Shares snap-in under Computer Management 
or just lock it out. If prevention isn't possible, is there a way to 
turn on auditing for share creation? To join the discussion, go to
   http://list.windowsitpro.com/t?ctl=5BC1A:57B62BBB09A692792C2D52B49BBB78C8

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Continuous Authentication and Encryption
   2factor announced Real Privacy Management (RPM), a two-factor 
private-key software solution that can be deployed standalone or inside 
a software application, device, or chip. RPM continuously generates new 
256-bit secret keys that are used to mutually authenticate each party 
and to encrypt/decrypt every data transmission in real time. 2factor 
also announced SecureWeb, a small auto-loading applet that invokes a 
secure instance of the user's default browser. SecureWeb runs RPM to 
authenticate and encrypt sensitive transactions. For more information, 
go to 
   http://list.windowsitpro.com/t?ctl=5BC33:57B62BBB09A692792C2D52B49BBB78C8

WANTED: your reviews of products you've tested and used in 
production. Send your experiences and ratings of products to 
whatshot@private and get a Best Buy gift certificate.


=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=5BC2C:57B62BBB09A692792C2D52B49BBB78C8

Black Hat USA 2007, July 28-August 2 in Las Vegas, is the world's 
premier technical event for ICT security experts. Choose from 30 hands-
on training courses and 90 briefings presentations with lots of new 
content and new tools. Network with 4,000 delegates from 70 nations. 
Visit product displays by 30 top sponsors in a relaxed setting.
   http://list.windowsitpro.com/t?ctl=5BC32:57B62BBB09A692792C2D52B49BBB78C8

Improve the security of Linux and UNIX computers by letting them 
authenticate and authorize users through Microsoft Active Directory. 
This white paper shows how you can lower costs, improve security, 
simplify user account management, and demonstrate compliance with 
regulatory requirements.  
   http://list.windowsitpro.com/t?ctl=5BC1F:57B62BBB09A692792C2D52B49BBB78C8

Gain control over the growing amount of file data in your enterprise. 
Learn how file area networks can help you centralize file 
consolidation, migration, replication, and failover. Download this 
eBook and start streamlining your file management projects today!  
   http://list.windowsitpro.com/t?ctl=5BC21:57B62BBB09A692792C2D52B49BBB78C8


=== FEATURED WHITE PAPER =======================================

One of the main concerns in the IT industry today is security. This 
white paper, written by Microsoft MVP for Terminal Services Claudio 
Rodrigues, takes a deep look at security concerns, the available 
solutions, their drawbacks, and a new complementary way of addressing 
today's security issues.  
   http://list.windowsitpro.com/t?ctl=5BC1C:57B62BBB09A692792C2D52B49BBB78C8


=== ANNOUNCEMENTS ==============================================

Introducing a Unique Exchange and Outlook Resource 
   Exchange & Outlook Pro VIP is an online information center that 
delivers new articles every week on messaging topics such as 
administration, migration, security, and performance. Subscribers also 
receive tips, cautionary advice, direct access to our editors, and a 
host of other benefits. Order now at an exclusive charter rate and save 
up to $50! 
   http://list.windowsitpro.com/t?ctl=5BC24:57B62BBB09A692792C2D52B49BBB78C8

Special Invitation for VIP Access 
   Become a VIP subscriber and get continuous inside access to all the 
content published in Windows IT Pro, SQL Server Magazine, Exchange & 
Outlook Pro VIP, Scripting Pro VIP, and Security Pro VIP. Subscribe 
now!  
   http://list.windowsitpro.com/t?ctl=5BC23:57B62BBB09A692792C2D52B49BBB78C8


================================================================

Security UPDATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
   http://list.windowsitpro.com/t?ctl=5BC2E:57B62BBB09A692792C2D52B49BBB78C8
   http://list.windowsitpro.com/t?ctl=5BC31:57B62BBB09A692792C2D52B49BBB78C8

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=5BC26:57B62BBB09A692792C2D52B49BBB78C8

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=5BC30:57B62BBB09A692792C2D52B49BBB78C8
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=5BC25:57B62BBB09A692792C2D52B49BBB78C8

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jun 27 2007 - 22:14:33 PDT