About Me

Zhu Cheng

Zhu Cheng

Read More

Feeds & Podcasts

Blogs

Meet the Bloggers

Archive

Tags

#SecChat $1 million guarantee 12 Scams of Christmas access to live fraud resolution agents Acquisition Alex Thurber Android antivirus Apple botnet Channel Partners cloud security Compliance Consumer counter identity theft credit card fraud and protection credit fraud alerts credit monitoring credit monitoring and resolution critical infrastructure Cyber Security Mom cyberbullying Cybercrime cybermom data breach data center data center security Data Protection Dave DeWalt DLP Email & Web Security embedded encryption Endpoint Protection enterprise facebook fake anti-virus software Family Safety Friday Security Highlights global threat intelligence google government Hacktivism how to talk to kids how to talk to teens identity fraud identity fraud scams identity protection identity protection $1 million guarantee identity protection fraud identity protection surveillance identity surveillance identity theft identity theft expert identity theft fraud identity theft protection identity theft protection product Identity thieves and cybercriminals intel iphone kids online behavior lost wallet protection malware McAfee McAfee Channel McAfee Family Protection McAfee Identity Protection McAfee Initiative to Fight Cybercrime McAfee Labs McAfee security products Mid-Market Mobile mobile malware mobile security monitor credit and personal information Network Security online personal data protection online safety Operation Aurora PCI personal identity theft fraud personal information loss personal information protection phishing privacy proactive identity protection proactive identity surveillance Public Sector restore credit and personal identity Risk and Compliance scam scams scareware security smartphones social media social networking social networks spam Stuxnet twitter vulnerability Web 2.0 work with victim restore identity

McAfee Labs :

Web Page Code Injection via ARP Spoofing

Tuesday, September 18, 2007 at 8:09am by Zhu Cheng
Zhu Cheng

I’ve found that more and more Trojans/worms/viruses/hackers are using ARP spoofing to inject miscellaneous code into Web pages. They’re able to do this using the following technique:
1)     An attacker scans a subnet, finds a vulnerable host, and hacks into it.
2)     The attacker installs a Trojan on the victim’s host.
3)     The Trojan sends spoofed ARP packets to gateways and other computers on the same subnet.
4)     When the other hosts on the subnet receive the spoofed ARP packets, they begin routing traffic through the victim’s host.
Here is a diagram depicting the network before ARP spoofing:
[gateway] <-> [host]
Here is a diagram depicting the network after ARP spoofing:
[gateway] <-> [victim's host] <-> [host]
5)     The Trojan software installed on the victim’s host relays traffic to/from hosts on the subnet and inserts malicious code into HTTP responses. The malicious code injected into HTTP responses is designed to exploit Internet Explorer and to download and install Trojan software. The installed Trojan software might repeat the same process, further penetrating the network.

So, although your Web server may not have been hacked, your users might still fall victim to browser-based attacks carried out by the injection of malicious code via ARP spoofing. The best way to protect against this is to configure static ARP table entries for gateway devices on all hosts. I recommend that all network and server administrators do this.

Bookmark and Share

Submit your own comments / message for this post

Your email is never published nor shared. Required fields are marked *

 

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Comments (2)

  • David October 5, 2007 10:31AM

    While you can prevent ARP spoofing by the use of static, non-changing ARP entries (each entry maps a MAC address to corresponding IP address), this is not practical on a large network, due to the large overhead of keeping ARP tables up to date. Therefore another method, such as DHCP Snooping, can be utilised on larger networks. Via DHCP, the network device keeps a record of the MAC addresses that are connected to each port, so it can readily detect if a spoofed ARP has been received. This method is implemented on networking equipment by vendors such as Cisco, Extreme Networks and Allied Telesis. – Source : http://en.wikipedia.org/wiki/ARP_spoofing

    Reply
  • Patrick Nolan September 18, 2007 11:32AM

    Hmmm, Please publish the names/links of the malware analysis that McAfee has published that detail the use of ARP the way you describe. This should be a big news item, but you’ve published no details for IDS signature development etc.

    Nice work though!

    Regards,

    Pat

    Reply