2008-01-05

MPack Analysis

The kit has the ability to serve exploits only to a defined set of countries. If it is configured to block duplicate visitors, which it does by checking the MD5 hash of REMOTE_ADDRESS and the User-Agent string, then changing anything within the UAS will cause the exploit to be served again.

If a database is not used to track statistics, everything is kept in text files named "ip_${stat}.txt", where stat is one of: 0day, all, expl, firefox, jar, opera7, file, qtlexp, ani2 (e.g. "ip_all.txt").

"users.txt"
used to track visitors to "index.php" if the DB isn't used; contains the MD5 hash of IP and UAS.

"maketable.php"
creates the necessary DB tables for tracking statistics.

"settings.php"
configuration such as use DB, credentials, exploit only once.

"admin.php"
displays statistics for exploits and loads (requires DB login, via POST).

"stats.php"
displays statistics, requires only the password via GET "?pass=mpack" (separate from the DB credentials).

"flush.php"
deletes all statistics, requires a password via GET "?pass=mpack" (not DB credentials).

"index.php"
serves the obfuscated JavaScript code and increments the total traffic count. Accepts an optional parameter "?id=168" to select a different loader, which is passed on to "file.php". Calculates the MD5 hash of IP + UAS; if an identical entry is already recorded it will not serve the exploit and instead returns:
";[" - if DB isn't used, or
":[" - if DB is used.

"file.php"
serves an executable (1st stage) and increments the exploited counter. Accepts an optional variable via GET "?id=trojan", which selects the file stored on the filesystem as "loader_trojan.exe".

"fout.php"
serves the 2nd stage (last) executable and increments the "loads count". This is the reliable way to tell whether the 1st stage loader made the callback home.
