Trend Micro initially reported the infection of seemingly legitimate Web pages loaded with malicious code that can install keyloggers to steal user passwords or turn computers into proxy servers for various other attacks.

The malware takes advantage of iFrames, which are commonly used on Web sites to nest content within pages. Trend Micro researchers believe the malware was generated with a Trojan-creation toolkit called MPack.

Trend Micro data indicates that tens of thousands of users worldwide have accessed malicious URLs, oblivious to the MPack threat. VeriSign's iDefense, for its part, is reporting that the MPack attacks are gaining momentum.

50/50 Success

"MPack is a powerful Web exploitation tool that claims about 50 percent success in attacks silently launched against Web browsers," said Ken Dunham, senior engineer and director of the rapid response team at VeriSign's iDefense. "'$ash' is the primary Russian actor attempting to sell MPack on the underground for about $1,000 for the complete MPack kit."

Also known as WebAttacker II, MPack dates back to October 2006 and accounted at that time for roughly 10 percent of Web-based attacks. According to iDefense, more than 10,000 domains in the recent rise of MPack attacks compromised some 80,000 unique IP addresses in Italy.

Verisign's iDefense maintains that it is likely that exploitation took place through the cPanel software that many Web hosting providers offer their customers as a way to manage their Web sites. This cPanel infection led to malicious iFrames being injected on the sites in question.

"MPack leverages multiple exploits, in a very controlled manner, to compromise vulnerable computers," Dunham explained. "Exploits range from the recent animated cursor [vulnerability] to QuickTime exploitation." The latest version of the MPack toolkit even includes code to exploit specific Microsoft vulnerabilities covered in several of the company's security bulletins.

The Payload

The well-known Torpig Trojan is one of the known payloads for MPack, VeriSign reported. The Torpig Trojan is tied closely to the Russian Business Network (RBN), through which many Internet-based attacks take place today.

The RBN has become a virtual safe house for attacks out of Saint Petersburg, Russia, responsible for phishing, child pornography, and other illicit operations, Dunham noted.

"MPack attacks experience high success, according to attack log files analyzed by VeriSign iDefense," Dunham concluded. "In just a few hours, more than 2,000 new victims reported to an MPack command and control Web site."