Recently I've been involved in two incidents which had exactly the same modus operandi. The attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet.
Bojan 384 Posts ISC Handler
Mar 11th 2009 1 decade ago |
"In order to start the malware the attackers used a simple BAT script" ...
My assumption: the svchost.exe being called is the legitimate one that comes with Windows. Correct? I can't seem to find related reference documentation on Microsoft's site that clearly and completely explains svchost.exe's feature set. Can someone point me to this reference material please? http://social.msdn.microsoft.com/Search/en-US/?query=svchost.exe%20spoofmode&resultsLang=en-GB&ac=8 No Results Found
Anonymous
Mar 11th 2009 1 decade ago |
I'm gathering svchost.exe was the malware.
|
Anonymous
Mar 11th 2009 1 decade ago |
Hi Bart. Yes, svchost.exe was the malware they dropped on the system (sorry, I should probably have been clearer about that).
|
Bojan 384 Posts ISC Handler
Mar 11th 2009 1 decade ago |
Thanks Bojan.
|
Anonymous
Mar 11th 2009 1 decade ago |
Fascinating, really. Is the tool able to follow the TCP stream and read the HTTP header? If it doesn't, it's likely to add the link at the end of each frame instead of at the end of each HTML page. The result will probably be corrupted binaries (including images) and pages, and that could help detection. Also, Arpwatch is, apparently, *nix only, while this attack is apparently based on a Windows system. What could be appropriate defenses for co-hosted Windows machines, then?
|
Anonymous
Mar 11th 2009 1 decade ago |
Stephane, yes, the tool is able to read the HTTP header, so it injected the malicious script tag only into HTML pages. The malicious script tag was inserted at the beginning of HTML pages.
Regarding arpwatch, you are right that this is a *nix-only tool. I'm not sure about similar Windows tools; if we get some submissions from our readers I will update the diary. The best defense is those special features, if the network gear supports them.
Bojan 384 Posts ISC Handler
Mar 11th 2009 1 decade ago |
Thanks for the details, Bojan. Please update the diary if you hear about a Windows tool that would do the same thing as arpwatch. As a result of your article, I'm writing such a tool right now (using WinPcap), but I'd rather not reinvent the wheel :P

Bojan 16 Posts
Mar 11th 2009 1 decade ago |
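Stephane's WinPcap tool is not on the page, so the following is an added example (not code from the diary, from its readers, or from any of the tools named in this thread) of the logic such a monitor needs. It parses raw Ethernet/ARP frames and, like arpwatch, keeps an IP-to-MAC table and reports three things: a hardcoded server binding being contradicted by a reply, an IP whose MAC changes on the wire ("flip flop", the symptom of the poisoning described above), and an unsolicited reply from an address it has never seen. The frames, the 10.0.0.0/24 addresses and MACs, and the names `build_arp`, `parse_arp`, `ArpMonitor` and `demo` are all constructed for this demo; on a real interface you would feed `ArpMonitor.observe` the frames that a capture library (WinPcap/Npcap, or a raw socket on Linux) hands you.

```python
"""Minimal arpwatch-style monitor over raw Ethernet/ARP frames.

Added example for the ISC thread on ARP-spoofed JavaScript injection; it is
not the diary's code or Stephane's WinPcap tool. All frames below are
constructed for the demo, not captured traffic.
"""
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (constructed test input)."""
    dst = _mac(BROADCAST if op == ARP_REQUEST else target_mac)
    eth = dst + _mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)          # htype, ptype, hlen, plen, opcode
    arp += _mac(sender_mac) + socket.inet_aton(sender_ip)      # sender hardware / protocol address
    arp += _mac(target_mac) + socket.inet_aton(target_ip)      # target hardware / protocol address
    return eth + arp


def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = _mac_str(frame[22:28])
    sender_ip = socket.inet_ntoa(frame[28:32])
    target_ip = socket.inet_ntoa(frame[38:42])
    return op, sender_mac, sender_ip, target_ip


class ArpMonitor:
    """IP->MAC table plus the anomaly reports an arpwatch-style tool produces.

    Hardcoded server IPs (the case raised later in this thread) go in
    static_bindings; everything else is learned from the first sighting.
    """

    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})   # ip -> mac that must never change
        self.learned = {}                            # ip -> mac first seen on the wire
        self.alerts = []

    def observe(self, frame: bytes):
        """Feed one captured frame; returns the alert text, or None if the frame is benign/non-ARP."""
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        op, mac, ip, target_ip = parsed
        alert = None
        if ip in self.static and self.static[ip] != mac:
            alert = f"static binding violated: {ip} is {self.static[ip]}, but {mac} claims it"
        elif ip in self.learned and self.learned[ip] != mac:
            alert = f"changed ethernet address: {ip} moved from {self.learned[ip]} to {mac}"
        elif op == ARP_REPLY and ip == target_ip:
            # gratuitous reply from an address we have never seen; a poisoner's favourite packet
            alert = f"unsolicited reply from new station: {mac} announcing {ip}"
        if alert:
            # the table is deliberately not updated on an alert, so a spoofer keeps tripping it;
            # a real tool lets an operator accept a genuine NIC replacement
            self.alerts.append(alert)
        else:
            self.learned.setdefault(ip, mac)
        return alert


def demo():
    """Replay constructed frames for a subnet where 10.0.0.10 is a web server with a hardcoded IP."""
    monitor = ArpMonitor(static_bindings={"10.0.0.10": "00:11:22:33:44:55"})
    frames = [
        # gateway asks who has the web server; the server answers with its real MAC
        build_arp(ARP_REQUEST, "00:aa:bb:cc:dd:01", "10.0.0.1", "00:00:00:00:00:00", "10.0.0.10"),
        build_arp(ARP_REPLY, "00:11:22:33:44:55", "10.0.0.10", "00:aa:bb:cc:dd:01", "10.0.0.1"),
        # compromised host poisons the gateway: "10.0.0.10 is at my MAC"
        build_arp(ARP_REPLY, "00:de:ad:be:ef:01", "10.0.0.10", "00:aa:bb:cc:dd:01", "10.0.0.1"),
        # ...and the other direction: a broadcast reply claiming the gateway's IP
        build_arp(ARP_REPLY, "00:de:ad:be:ef:01", "10.0.0.1", BROADCAST, "10.0.0.1"),
        # an unsolicited announcement for an address nobody has used yet
        build_arp(ARP_REPLY, "00:de:ad:be:ef:01", "10.0.0.20", BROADCAST, "10.0.0.20"),
        # a non-ARP frame (IPv4 ethertype) is ignored
        bytes(12) + b"\x08\x00" + bytes(28),
    ]
    for f in frames:
        monitor.observe(f)
    return monitor.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first two rules catch the attack in this thread; the third is noisy on a busy segment (hosts announce themselves on boot) and is better logged than paged. Static bindings are what make the monitor useful in a server farm where nothing is assigned by DHCP: without them the tool can only notice a change, never that the first claim it saw was already the spoofed one.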
Stephane, will do. If you manage to finish the tool let us know, I'm sure other readers will be interested in it as well.
|
Bojan 384 Posts ISC Handler
Mar 11th 2009 1 decade ago |
There is an alternative program to arpwatch for Windows; it is called ARP Monitor. It has been in beta since early 2008, but it is usable and has a few bugs that don't affect its performance. The program has an English interface, though its author is from Russia. The program uses WinPcap, so WinPcap should be downloaded and installed separately for the program to work. Here is a link to the author's blog (sorry, it's in Russian): http://blog.kmint21.com/2008/03/12/arp-monitor/
The direct link to the program: http://blog.kmint21.com/kmint21-arp-monitor.exe By the way, in one of his posts dated nearly a year ago, the author of this program says that he managed to catch a virus with similar behaviour using this program...
ArD 6 Posts
Mar 12th 2009 1 decade ago |
Small update to my previous post: the updated version of the ARP Monitor tool is available from http://binaryplant.com/ The new version includes fixes for bugs that were discovered in the first beta.

ArD 6 Posts
Mar 12th 2009 1 decade ago |
A must-read about layer 2 attacks is the excellent book Lan Switch Security by Eric Vyncke (author of ETHLOAD, for those who remember DOS and packet drivers ;)
A free/simple Win32 ARP monitor is winarpwatch (or warpwatch), which can be downloaded from http://sid.rstack.org/arp-sk/ or from http://www.securityfocus.com/data/tools/warpwatch.zip (same file). An advanced/shareware Win32 ARP spoofing detection tool appears to be XArp. A 15-day evaluation version can be downloaded here: http://www.chrismc.de/development/xarp/index.html (my source for both apps is a post by EGeezer in this thread: http://www.dslreports.com/forum/remark,15610372~start=20 ).
Erik van Straten 122 Posts
Mar 13th 2009 1 decade ago |
Cisco's (or any other vendor's) DHCP Snooping and Dynamic ARP Inspection (DAI) are useless here. DAI requires DHCP Snooping to function. DHCP Snooping of course implies that you're using DHCP to assign your IPs. Who's using DHCP to assign server IPs? Few if any. Sysadmins hardcode server IPs. No remotely knowledgeable admin would put a DHCP pool in a server subnet for clients to use. So essentially DAI can't help here because DHCP isn't used, preventing DHCP Snooping from seeding DAI with data. Discussing the merits of using static DHCP assignments for servers is another topic for another day.
The best way to mitigate this problem in a server farm situation is to use an ARP watching tool like you and others suggested. If the sysadmin and netadmin are one and the same, then static ARP entries on the upstream router would be doable but would be more administratively intensive. If one was going to go that far, then they could just as easily put that static ARP entry on the access switch and turn on DAI. ARP Watch is easier, I imagine.
Anonymous
Mar 29th 2009 1 decade ago |