One mystery solved - it's MPACK not WebAttacker2
For ages now, we've been seeing certain patterns of exploits, wrapped in distinctive patterns of obfuscation. We saw them start at a particular site in Russia, and gradually spread to _many_ other places, and it was obvious to us that it was being sold as a package. So obvious, in fact, that we blogged about it with the title "WebAttacker is dead, Long live WebAttacker". In other words, there was clearly at least one new kid on the pre-packaged exploit block, but we didn't know what to call it.
Today we do... it's called MPACK (Thanks to Symantec and Panda for figuring that out).
It's been interesting to watch the development of this one, as they've added exploits and changed their encryption. Like WebAttacker, they track visitors' IPs and won't serve the exploits a second time. They used to say "Sorry! You ip is blocked." but now they just display a grumpy face if you come back for a second look... like this... :[ .
At least they have a sense of humor.
We've seen a real uptick in hacked legit sites pointing to other servers that have been hacked and are now MPACK exploit servers, so everyone should be careful for a bit.
Labels: mpack webattacker