Ok .... now we really think we've seen one. Let us explain...
The original WebAttacker was a set of exploits sold as a package. The idea was to allow would-be evil WebMeisters to add drive-by downloads to their websites for whatever reason they might have. The original developers would release a new version every other month or so. As new exploits were discovered, the WA authors would add them to their package. All went well (for them) until about September 2006, when they tried to add one of the September 0-days, and their implementation was buggy. It just didn't work. The next couple of months saw them trying to add a couple more exploits-du-jour, and unforch, they didn't work either. Their user base abandoned them for other packages (which we now now to be MPack, IcePack and Neosploit) which _did_ work, and they lost their market share. WebAttacker went the way of any software package that doesn't work.
This weekend, however, it seems that they've re-surfaced. Our researchers have noticed URLs being spammed out, with exploit packages that look similar to Mpack/ Icepack but different, and very reminiscent of the original WebAttacker... exploit urls are reminiscent... launcher scripts are reminiscent, even to the point of determining if they are running on the archiac Windows 98 (but then doing nothing with that information). Nothing newer than ANI (MS07-017), but it doesn't include Winzip and Quicktime, which again makes it different from MPack/ Icepack.
It looks like they're ba-a-a-ack!
Labels: webattacker mpack