While not new news, I had an interest in learning more about malware and MITM attacks.
ARP Spoofing Malware - Virus(dot)org
Originally Posted by May 13, 09
In this instance the malware would direct the victim to a page that exploited MS07-017, better known as the Animated Cursor Vulnerability. Now this wasn't the first time ARP Spoofing has been used by malware; for example, W32/Snow.a used it to attempt a denial of service attack during early 2006. More recently, in October 2007 the Chinese Internet Security Response Team (C.I.S.R.T) reported that they suspected that a similar attack had been used to compromise user sessions to their web sites.
The actual method of attack (by W32.Arpiframe) is the same (as above), but what it does in terms of the URLs injected within the IFRAME is different, as are the exploits used to compromise user systems, which implies that there are different variants floating about that are being updated and maintained to avoid detection by Anti-Virus software.
ARP Spoofing is an attack that is often underestimated, yet if successful has far-reaching consequences. ARP Spoofing Malware is a growing problem and malware authors are beginning to implement this technique to steal information and inject malicious traffic. So don't expect to see the threat go away.
ARP Cache Poisoning Incident - Neil Carpenter's Blog
At first, we thought this was being injected by a browser helper object or something similar on the client machine. There was no indication of anything malicious running on the client machine based on the data we looked at. We took a network trace from the client machine and saw that the iframe was being returned across the network. This would indicate that either the attack was originating in an NDIS driver of some sort (*) or that it was originating on his network.
(*) My reasoning here is that Netmon plugs into the network stack fairly low. In general terms, it looks like this:
IE --> Winsock --> TDI --> TCPIP.SYS --> NDIS --> Hardware
The Netmon Agent sits between TCPIP.SYS and NDIS on NDIS’s upper edge. For something to show up in a network capture, it would have to originate either in NDIS or on the network.
C.I.S.R.T. ARP Poison Attacked
We are very sorry that when sometimes visiting some of our pages, malicious codes are inserted. We think it doesn't mean that our website has been compromised. It may be due to an ARP attack. We have informed our webserver provider to help us check whether it's due to an ARP attack or not.
The malicious codes are inserted into the top of some pages.
<iframe src=http://<removed>.htm width=0 height=0 frameborder=0></iframe>
Malware that uses this technique:
This is a parasitic virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension.
It appends a new section of viral code to the end of an infected file.
The worm then gathers the local subnet address, such as 192.168.1.x, and runs an ARP-poisoning attack on the local network to infect other computers. The attack uses WinPcap libraries to inject the following malicious IFRAME code into the HTTP traffic of the local network:
Zlob is one that also attacks routers.
The ones I looked at on MDL usually had VT results of 0-1/39-42 for their time of capture.
Ways to mitigate the ARP attacks are to use static ARP entries for home users.
NoScript for Firefox can be set to block IFRAMEs on untrusted and trusted pages.
Sure, there is Wireshark, but reading about Fiddler may help to find some malicious iframes. I'm new to this so we'll see.
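As an added example (not from any of the sources quoted above), here is a small Python script for the defender side of what these posts describe: every variant has to re-announce the gateway's IP, and usually the victim's too, from the attacker's MAC, which is exactly the change a static ARP entry pins down. The ARP replies below are constructed sample data, not a real capture.

```python
"""Flag ARP cache poisoning from a list of observed ARP replies.

Each record is (timestamp_seconds, sender_ip, sender_mac) as a sniffer on
the local subnet would see it. The records are constructed for this example:
192.168.1.1 (gateway) is first announced by aa:..:01, then a second host
(cc:..:99) claims both the gateway and the victim 192.168.1.10.
"""
from collections import defaultdict

# Constructed sample ARP replies (not taken from any real trace).
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (1.0, "192.168.1.10", "bb:bb:bb:bb:bb:10"),
    (2.5, "192.168.1.1",  "cc:cc:cc:cc:cc:99"),  # gateway now claimed by a new MAC
    (2.6, "192.168.1.10", "cc:cc:cc:cc:cc:99"),  # same MAC also claims the victim
    (5.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway answers again
]


def find_conflicts(replies):
    """Return (ip, previous_mac, new_mac, timestamp) for every reply in which
    an IP is announced by a MAC different from the one last seen for it.
    A host with a static ARP entry would ignore exactly these replies."""
    last_seen = {}
    conflicts = []
    for ts, ip, mac in replies:
        prev = last_seen.get(ip)
        if prev is not None and prev != mac:
            conflicts.append((ip, prev, mac, ts))
        last_seen[ip] = mac
    return conflicts


def suspect_macs(conflicts):
    """Map each MAC that took over two or more IPs to the set of IPs it claimed.
    Claiming both gateway and victim is the pattern a man-in-the-middle needs;
    a single flip (e.g. a DHCP lease change) does not meet this threshold."""
    claimed = defaultdict(set)
    for ip, _prev, new_mac, _ts in conflicts:
        claimed[new_mac].add(ip)
    return {mac: ips for mac, ips in claimed.items() if len(ips) >= 2}


if __name__ == "__main__":
    for ip, prev, new, ts in find_conflicts(ARP_REPLIES):
        print(f"t={ts:>4}: {ip} moved from {prev} to {new}")
    print("suspect MACs:", suspect_macs(find_conflicts(ARP_REPLIES)))
```

On a Windows or Linux host the static entry recommended above is set with `arp -s <ip> <mac>`; it survives only until reboot unless scripted.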