Exploitation Kits Revealed - Mpack

This research paper is divided into two basic sections. Section 1 describes the MPack exploitation kit, which has made a big splash in the security world recently. This involves an analysis of how MPack works, including how it infects a user's PC, the look and feel of its payload, and the evasion techniques it uses to hide its presence from Intrusion Detection Systems.

Following this, the author sets out how to respond to a sample MPack attack using the incident response process. This covers how to identify, counter, and eliminate the threat using a variety of approaches and techniques. The analysis is performed without access to the MPack source code, to reflect real-world circumstances. The second section steps back from the specific technical aspects of MPack to set out a basic primer for IT staff on handling an MPack attack. By extension, the techniques discussed here may be used to investigate other similar attacks. The analysis is structured using the SANS PICERL methodology and covers: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.
