Last Updated: 2009-03-11 00:34:49 UTC
by Bojan Zdrnja (Version: 1)
So, first a short recap of ARP spoofing. ARP spoofing attacks happen on layer two: the Address Resolution Protocol maps IP addresses to MAC addresses, and hosts use those MAC addresses to communicate within a local subnet. ARP spoofing attacks are nothing new; they have been happening for years. The basic idea of an ARP spoofing attack is for the attacker to spoof the IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed, modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server, in which case he could monitor incoming traffic, but in this scenario that was not necessary.
The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. Because ARP has no authentication, in normal conditions the target machine will accept this and “believe” whatever the attacker is saying.
The ARP spoofing malware the attackers used was relatively common, yet AV detection was miserable, with major AV programs missing it (both compromised machines had up-to-date AV programs installed). In order to start the malware the attackers used a simple BAT script:
The options of the malware binary (svchost.exe) are self-explanatory: idx selects interface 0, ip is the IP address to spoof, and insert is the content that gets injected into every HTML page served.
The nice thing for the attacker is that the administrator of an attacked web site will never figure out what’s going on until he checks the ARP cache or monitors network traffic. The ARP cache can be checked with the arp command (arp -a on both Windows and Linux); one should watch out for unexpected MAC addresses. It usually pays to check the OUI owner (the vendor prefix of the MAC address), because you don’t see Dell routers all that often, as shown in the following Wireshark screenshot of ARP poisoning traffic:
There are various ways of defending against ARP spoofing. One can hard code the MAC addresses of routers on servers as static ARP entries (be careful with this, as a change to the default gateway will stop your machines from talking to the Internet until you modify the hard coded address). I would recommend installing Arpwatch, a nice and simple tool that monitors ARP traffic and alerts on attacks. Finally, Cisco (and others, I presume) has features called DHCP Snooping and Dynamic ARP Inspection which can effectively stop ARP poisoning attacks. Sadly, I rarely see these features used, especially on internal networks.
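The ARP cache check and the Arpwatch-style monitoring described above, as an added example that is not the diary's or Arpwatch's code: it tracks which MAC answers for a watched IP (the default gateway), alerts when that MAC changes, names the new MAC's OUI vendor, and also flags one MAC answering for several IPs. The OUI table and the ARP replies are constructed for the example.

```python
"""Arpwatch-style ARP monitor (added example, not Arpwatch's or the diary's code):
alert on a changed MAC for a watched IP, report its OUI vendor, and flag one
MAC that claims more than one IP."""
from collections import defaultdict, namedtuple

ArpReply = namedtuple("ArpReply", "sender_ip sender_mac")

# Tiny OUI table for the example; a real tool loads the IEEE OUI registry.
OUI_VENDORS = {"00:00:0c": "Cisco", "00:14:22": "Dell"}

def oui_vendor(mac):
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")

class ArpMonitor:
    def __init__(self, watched_ips, expected_vendors=("Cisco",)):
        self.watched = set(watched_ips)        # IPs whose MAC must not change
        self.expected = set(expected_vendors)  # vendors a router should have
        self.ip_to_mac = {}                    # last MAC seen claiming each IP
        self.mac_to_ips = defaultdict(set)     # IPs each MAC has claimed

    def observe(self, reply):
        """Process one ARP reply; return alert strings (empty if benign)."""
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        alerts = []
        old = self.ip_to_mac.get(ip)
        if old is not None and old != mac:
            self.mac_to_ips[old].discard(ip)
            if ip in self.watched:
                alerts.append(f"flip-flop for {ip}: {old} -> {mac}")
                vendor = oui_vendor(mac)
                if vendor not in self.expected:
                    alerts.append(f"{ip} now claimed by '{vendor}' OUI {mac[:8]}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if old != mac and len(self.mac_to_ips[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(self.mac_to_ips[mac])}")
        return alerts

# Constructed sample: the gateway answers normally, then a host with a Dell
# NIC starts answering for the gateway's IP (poisoning) and keeps doing so.
SAMPLE = [
    ArpReply("192.168.1.1", "00:00:0c:11:22:33"),
    ArpReply("192.168.1.50", "00:14:22:aa:bb:cc"),
    ArpReply("192.168.1.1", "00:14:22:AA:BB:CC"),
    ArpReply("192.168.1.1", "00:14:22:aa:bb:cc"),
]

def run(sample=SAMPLE):
    """Feed the sample through a monitor watching the gateway; return alerts."""
    mon = ArpMonitor(watched_ips=["192.168.1.1"])
    return [a for reply in sample for a in mon.observe(reply)]
```

Running it yields three alerts for the third reply only: the gateway's MAC flip-flop, the unexpected Dell OUI, and the attacker's MAC now claiming two IPs.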
Regarding the other malware I mentioned previously, the AV detection rates were similarly poor (they have since improved). Particularly nasty was the Winlogon Notify hook package, which simply “sniffs” the usernames/passwords of all users logging in to the system (so password changes don’t help). This package has been around for ages (the source is public) and I was shocked at how simple modifications made it “invisible” to those AV programs.