Poor detection of the MPack data-theft toolkit by anti-virus software has allowed it to run riot on the Internet, a new analysis from Finjan has claimed.
The company says the toolkit has infected 500,000 consumer and corporate users since it appeared some months ago, an unusually high infection rate of 16 percent across 3.1 million web-borne attack attempts.
To make matters worse, as of 29 July 2007 many of the best-known security programs still couldn’t detect the software it downloads, despite its workings having been known since as far back as October 2006. Products tested by Finjan that failed to detect the malware downloaded by the toolkit included Sophos, AVG, Microsoft, Kaspersky and McAfee. Of the top security brands, only Symantec flagged the MPack infection, identifying it generically as "Downloader.Trojan."
In June, the program was blamed for unleashing a torrent of malware after hacking 10,000 websites, mostly in Italy.
MPack has a number of features that mark it out from the malware crowd. It has a proven ability to inject code into legitimate websites, compromising them for unsuspecting visitors. It can also detect which browser and browser version a visitor is using and serve an exploit tailored to what it finds, so different visitors to the same compromised page receive different attacks.
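To make the fingerprinting step concrete, here is an added illustration, not MPack’s own code and not taken from Finjan’s report: a server-side dispatcher that parses the User-Agent header into a browser family and major version and picks a page variant, paired with the analyst-side inverse, a fetch plan that visits a suspect landing page once per branch so every variant is captured. The variant names, the dispatch table and the User-Agent strings are constructed placeholders; no real exploit is involved.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BrowserProfile:
    family: str   # "ie", "firefox", "opera" or "other"
    major: int    # major version, 0 when unknown


def classify_user_agent(ua: str) -> BrowserProfile:
    """Derive a coarse browser profile from a User-Agent header.

    Opera is tested first: classic Opera builds could present an
    'MSIE' token in their UA string, so matching MSIE first would
    misfile them as Internet Explorer and serve the wrong variant.
    """
    m = re.search(r"Opera[/ ](\d+)", ua)
    if m:
        return BrowserProfile("opera", int(m.group(1)))
    m = re.search(r"MSIE (\d+)", ua)
    if m:
        return BrowserProfile("ie", int(m.group(1)))
    m = re.search(r"Firefox/(\d+)", ua)
    if m:
        return BrowserProfile("firefox", int(m.group(1)))
    return BrowserProfile("other", 0)


# Hypothetical dispatch table (an assumption for this example): which page
# variant a kit would serve for a given (family, major) pair. The names are
# placeholders for illustration only.
VARIANT_TABLE = {
    ("ie", 6): "variant-ie6",
    ("ie", 7): "variant-ie7",
    ("firefox", 1): "variant-ff1",
    ("firefox", 2): "variant-ff2",
    ("opera", 9): "variant-opera9",
}
DEFAULT_VARIANT = "variant-generic"


def select_variant(ua: str) -> str:
    """The kit-side decision: map the visitor's UA to one page variant."""
    p = classify_user_agent(ua)
    return VARIANT_TABLE.get((p.family, p.major), DEFAULT_VARIANT)


def fetch_plan(user_agents):
    """The analyst-side inverse: group candidate UA strings by the variant
    the dispatcher would choose. Fetching the landing page once per group
    (with that group's first UA) captures every branch the kit can take."""
    plan = {}
    for ua in user_agents:
        plan.setdefault(select_variant(ua), []).append(ua)
    return plan


# Constructed sample User-Agent strings in the shapes common in 2007.
SAMPLE_UAS = [
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.5) "
    "Gecko/20070713 Firefox/2.0.0.5",
    # Opera presenting an MSIE token: must not be classified as IE 6.
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 9.10",
    "Opera/9.23 (Windows NT 5.1; U; en)",
    "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 "
    "(KHTML, like Gecko) Safari/419.3",
]


if __name__ == "__main__":
    for variant, uas in sorted(fetch_plan(SAMPLE_UAS).items()):
        print(f"{variant}: fetch with {uas[0]!r} ({len(uas)} UA(s) map here)")
```

The order of the regex checks is the edge case worth noticing: a kit (or an analyst reproducing its logic) that tests for `MSIE` before `Opera` will misroute the spoofing Opera profile, and the fetch plan would then miss the Opera branch entirely.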
Finjan’s latest report on the program identifies a number of stealth features that make it nearly impossible to detect while it is stealing data: rootkit technology, encryption of all its data communications, and the ability to wipe traces of itself once it has finished. This is compounded by the poor detection rates of the security programs it is likely to encounter on user PCs.