MPack exploit kit creator speaks
In the interview, presented from multiple IRC conversations and edited/reordered for clarity, Lemos does a nice job of peeking behind the dark curtain of exploit writing and the lucrative underground market that exists for critical software vulnerabilities.
Some excerpts from the interview:
On acquiring exploits to fit into MPack:
For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code). We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is US$10,000 in case of good exploitation.
On a possible link with WebAttacker (a similar exploit pack):
I know the WebAttacker team. We are friends. I was talking to WebAttacker's manager recently and he told me that they are going to start the real WebAttacker 2 pack in the near future. Referring to MPack as WebAttacker 2 is a mistake. They are two different projects.
On protecting against MPack exploits:
I would advise you to use the Opera browser with scripts and plug-ins disabled in order not to be caught by the MPack someday.
The entire two-page interview over at SecurityFocus is worth reading.
[ ALSO SEE: MPack exploit kit used in Italian browser attacks ]