Poor detection of the MPack data-theft toolkit by anti-virus software has allowed it to run riot on the Internet, a new analysis from Finjan has claimed.

The company says that the malware system has been used to successfully infect 500,000 consumer and corporate users since it appeared some months ago, achieving unusually high infection rates of 16 percent from an attack profile of 3.1 million web-borne attempts.

To make matters worse, as of 29 July 2007, many of the best-known security programs still couldn’t detect software downloaded by it, despite its workings having been known since as far back as October 2006. Products on the list tested by Finjan that failed to find malware called by the program included Sophos, AVG, Microsoft, Kaspersky, and McAfee. Of the top security brands, only Symantec noticed the MPack infection, identifying it generically as "Downloader.Trojan."

In June, the program was blamed for unleashing a torrent of malware after hacking 10,000 websites, mostly in Italy.

MPack has a number of features that mark it out from the malware crowd. It has a proven ability to inject code into legitimate websites, compromising them for unsuspecting visitors. To this end, it can also detect which browser and browser version a visitor is using, serving a custom exploit depending on what it finds.

Finjan’s latest report on the program identifies a number of stealth features that make it nearly impossible to detect while it is attempting to steal data, including the use of rootkit technology, encryption for all its data communication activities, and the ability to wipe traces of itself once it has finished executing its crime. This has been compounded by poor detection rates among the security programs it is likely to encounter on user PCs.

MPack’s purpose is simply to steal as much banking-related or other data as it can, and Finjan provides screenshot-based analysis in the report to demonstrate its effectiveness. The authors are in no doubt that this is crimeware that works as intended.

“As there are no external indications that the machine has been infected, there is no reason why users should not continue to use the infected machine,” the report says.

“As attacks become more evasive and obfuscated, security companies find it more difficult to put their hands on malicious code, analyse it in their labs and create a signature for it. Anti-virus, reputation-based services and URL filtering solutions are potentially limited in their ability to cope with evasive attacks, which appear once and then vanish,” it concludes.

As with a lot of the latest and nastiest malware, MPack is believed to originate in Russia, from where it has been sold on to criminals worldwide. Finjan claims to have identified 58 criminals using the software in the latest round of successful attacks.

One of the companies listed by Finjan as not detecting MPack, Sophos, disputed the characterisation of its product. "The files that the kit creates (malicious web pages) are detected by Sophos. Most commonly these are a variant of Mal/ObfJS-xxx. It should be remembered that users and companies need to be defended against the files that the kit creates, not the kit itself (which they are less than likely to encounter)," commented Graham Cluley of Sophos.

"Basically, though, if someone is running anti-virus on their web server and they are compromised and someone loads MPack onto their machine, some components would get detected by Sophos, and they would notice," he said.