ARP Spoofing Malware

Discussion in 'malware problems & news' started by Searching_ _ _, Aug 6, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Jan 2, 2008
    While not new News I had an interest in learning more about malware and MITM attacks.
    ARP Spoofing Malware - Virus(dot)org

    ARP Cache Poisoning Incident - Neil Carpenter's Blog

    C.I.S.R.T. ARP Poison Attacked

    Malware that use this technique:

    This is a parasitic virus that searches and infects Windows Portable Executable (PE) files that typically has the .EXE file extension.
    It appends a new section of viral code to the end of an infected file.

    The worm then gathers the local subnet address, such as 192.168.1.x, and runs an ARP-poisoning attack on the local network to infect other computers. The attack uses WinPCap libraries to inject the following malicious IFRAME code into HTTP traffic of the local network:

    Zlob is one that also attacks routers.

    The ones I looked at on MDL usually had VT results of 0-1/39-42 for their time of capture.

    Ways to mitigate the ARP attacks are to use static ARP entries for home users.
    Noscript for Firefox can be set to block Iframes on untrusted and trusted pages.

    Sure, there is Wireshark, but reading about Fiddler may help to find some malicious iframes. I'm new to this so we'll see.
    Last edited: Aug 6, 2010
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.