MPack Malware Leverages SSL for Secure Transmission

ALERT - SSL (Secure Sockets Layer) is a protocol that encrypts the connection between a client and a server with little or no configuration on the user's part, and it is used extensively to protect web traffic as HTTPS (HTTP over SSL). Most security devices, including most firewalls, cannot decrypt that traffic to see what is carried inside the SSL session, and have little choice but to let it pass uninspected.

As more legitimate applications move to SSL and HTTPS, malware writers are adopting SSL as well: an encrypted channel hides their traffic from the same inspection that cannot see into legitimate SSL sessions.

A good example of malware using SSL is the MPack toolkit. MPack bundles multiple Web browser exploits designed to compromise vulnerable computers and steal bank account credentials such as usernames and passwords, credit card numbers, and Social Security numbers. Once a vulnerable machine has been infected and data has been stolen, MPack encrypts the stolen data with SSL when transmitting it back to the attacker, so that the exfiltration is not detected in transit.

Enterprises need to maintain good visibility into all traffic, including SSL, to enforce safe usage policies and mitigate the security risks hidden inside encrypted sessions. Palo Alto Networks can inspect encrypted SSL traffic and has released a signature for the MPack malware in Threat Update 25.
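To make concrete what an inspection point that cannot decrypt sees and does not see, the following is an added Python example; it is not Palo Alto Networks code and contains nothing from MPack. It builds a constructed TLS 1.0 ClientHello for a hypothetical collector host, then runs a small first-packet classifier over that handshake and over a plaintext HTTP POST. Without decryption a firewall can still recognize the handshake, read the negotiated version and offered cipher suites, and read the server name from the SNI extension (a TLS extension not mentioned above, included here because it is the one piece of destination information the handshake carries in the clear), but it learns nothing about the stolen data that follows; the HTTP request, by contrast, exposes both the host and the body. The hostname collector.example.net, the zeroed client random and the cipher suites are assumptions made for the sample.

```python
import struct

# Constructed sample input: a minimal TLS 1.0 ClientHello with an SNI extension.
# Built here for illustration; it is not captured MPack traffic.
def build_client_hello(hostname: bytes, version=(3, 1)) -> bytes:
    sni_name = b"\x00" + struct.pack("!H", len(hostname)) + hostname   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_name)) + sni_name
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x00\x2f\x00\x35"  # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA (assumed)
    body = (
        bytes(version)
        + b"\x00" * 32                                         # client random, zeroed for determinism
        + b"\x00"                                              # empty session id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake  # record type 0x16


def parse_client_hello(payload: bytes):
    """Return version, cipher suites and SNI from a leading TLS ClientHello, or None if absent."""
    try:
        if len(payload) < 9 or payload[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = payload[5:5 + rec_len]
        if len(rec) < 4 or rec[0] != 0x01:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < 35:
            return None
        version = (hs[0], hs[1])
        pos = 34                                    # skip version (2) + random (32)
        sid_len = hs[pos]; pos += 1 + sid_len
        cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
        suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        comp_len = hs[pos]; pos += 1 + comp_len
        sni = None
        if pos + 2 <= len(hs):                      # extensions block is optional
            ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]; pos += 2
            end = pos + ext_len
            while pos + 4 <= end:
                etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
                edata = hs[pos:pos + elen]; pos += elen
                if etype == 0 and len(edata) >= 5 and edata[2] == 0:
                    name_len = struct.unpack("!H", edata[3:5])[0]
                    sni = edata[5:5 + name_len].decode("ascii", "replace")
        return {"version": version, "cipher_suites": suites, "sni": sni}
    except (IndexError, struct.error):
        return None                                 # truncated or malformed record


def classify_payload(payload: bytes) -> dict:
    """What a non-decrypting inspection point learns from the first bytes of a flow."""
    hello = parse_client_hello(payload)
    if hello is not None:
        # Handshake metadata is visible; the application data that follows is not.
        return {"protocol": "tls", "host": hello["sni"], "version": hello["version"], "body_visible": False}
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        host = None
        for line in payload.split(b"\r\n"):
            if line.lower().startswith(b"host:"):
                host = line.split(b":", 1)[1].strip().decode("ascii", "replace")
        return {"protocol": "http", "host": host, "version": None, "body_visible": True}
    return {"protocol": "unknown", "host": None, "version": None, "body_visible": True}


if __name__ == "__main__":
    encrypted = build_client_hello(b"collector.example.net")
    plaintext = b"POST /upload HTTP/1.1\r\nHost: collector.example.net\r\n\r\nacct=...&ssn=..."
    for sample in (encrypted, plaintext):
        print(classify_payload(sample))
```

The point of the two samples is the asymmetry: for the HTTP POST a signature on the body would fire, while for the SSL session the same inspection point sees only the destination name and handshake parameters and must either decrypt the session or apply policy on that metadata alone.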

The InformationWeek article on the MPack toolkit has further background on the kit.