Cyber-Crooks Offer Malicious Code Tool Mpack for $1000 Including One Year Free Support

PandaLabs has discovered that as many as 350,000 web pages could be infected by Mpack, a malicious application that searches out vulnerabilities on computers accessing those web pages. If Mpack detects a vulnerability, it downloads the corresponding exploit.

The infection process starts with a hacker accessing a web page and adding an iframe reference pointing to the server with Mpack installed. If a user then visits one of these pages, the iframe executes the Mpack index. This then searches for vulnerabilities on the user's computer. If it detects one, it downloads the corresponding exploit.
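As an added example (not from PandaLabs or the original article), here is a site owner's check for the injected iframe reference described above: it lists every iframe whose source host is neither the page's own host nor on an allow-list. The page URL, host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collects the src attribute of every <iframe> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def offsite_iframes(html, page_url, allowed_hosts):
    """Return absolute iframe URLs served from hosts the site does not trust."""
    trusted = {urlsplit(page_url).hostname} | {h.lower() for h in allowed_hosts}
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        parts = urlsplit(absolute)
        if parts.scheme in ("http", "https") and parts.hostname not in trusted:
            findings.append(absolute)
    return findings


# Constructed sample: one same-site frame, one allow-listed embed, one unknown host.
PAGE_URL = "https://shop.example.com/index.html"
ALLOWED = {"video.example.net"}
SAMPLE_PAGE = """
<html><body>
<iframe src="/widgets/news.html"></iframe>
<iframe src="https://video.example.net/embed/1"></iframe>
<IFRAME SRC="//203.0.113.7/path/"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    for url in offsite_iframes(SAMPLE_PAGE, PAGE_URL, ALLOWED):
        print("unexpected iframe source:", url)
```

Run against the pages a site actually serves, any finding that the site's maintainers did not add themselves is worth tracing back to the file or template it came from.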


The exploit, once it reaches a computer, is run and compiles data about the infected computer (browser, operating system, etc.). This information is then sent to and stored on a server. PandaLabs has located 41 servers receiving this data. From these servers the cyber-crooks can generate statistics about the type of operating system or Web browser on affected systems or the number of infections in a given area.

The new 0.90 version of Mpack is available for purchase on the web for $1000. The cyber-crooks even offer one year's free support. Hackers that want to update Mpack with new exploits can buy them for between $50 and $150 per exploit.

Hackers use a number of techniques to get users to visit the pages, including spam, trick domains (e.g. gookle instead of google) and infecting pages that already receive numerous visits.

PandaLabs has published a complete study of Mpack, available at: http://blogs.pandasoftware.com/blogs/images/PandaLabs/2007/05/11/MPack.pdf. There is also further information in the PandaLabs blog.

All users that want to know whether their computers have been attacked by this or other malicious code can use TotalScan or NanoScan beta, the free, online solutions available at: http://www.infectedornot.com.


 