New Malicious Tool, Icepack, Installs Malware Through Exploits

The appearance of this tool confirms the existence of a business model on the Internet based on developing and selling these types of malicious applications.

A new malicious tool has been discovered that installs malware through exploits. This tool is called Icepack and is sold on the Internet for US$400. This tool joins others recently detected, such as Mpack, XRummer, Zunker, Barracuda, Pinch, etc., confirming the profitable business being developed on the Internet based on creating and selling applications to carry out malicious actions.

Icepack infects computers through the following process: the application accesses a Web page and adds to it an iframe reference pointing to the server where the application is installed. The main innovation in Icepack is that the tool adds the iframe itself. Previous applications like Mpack needed a hacker to manually access the Web pages in which to insert it.

When a user visits one of these malformed pages, the iframe activates Icepack, which looks for vulnerabilities on the user's computer. If it finds one, it will download the exploit for this vulnerability to the computer. An important feature of Icepack is that it uses exploits corresponding to the latest vulnerabilities to appear. Because these are more recent, users are less likely to have updated their computers to resolve these security flaws.

From then on, the cyber-crook can download any type of malware to the affected computers. Given the cost of the tool, it is most likely that the malware downloaded is the kind most frequently used to steal confidential data (Trojans, spyware, bots, etc.), which allows them to carry out online fraud.

"This tool is very similar to other kits for installing malware through exploits, such as Mpack, but certain improvements have been incorporated in Icepack compared to Mpack. It is a logical evolution, as these applications move a significant amount of money and therefore, criminals try to monopolize the market by offering more powerful products," explains Luis Corrons, Technical Director of PandaLabs.

Another innovation of Icepack is that it combines an ftps checker and an iframer. The first helps cyber-crooks to exploit the information about the FTP accounts they have stolen from affected computers. The data from these accounts is passed through the checker to verify whether it is valid. The valid data is then passed to the iframer, which inserts the iframe pointing to Icepack in the account. By doing this, the application can start its "lifecycle" again.