ARP Spoofing Malware

Discussion in 'malware problems & news' started by Searching_ _ _, Aug 6, 2010.

Thread Status:
Not open for further replies.
  1. Searching_ _ _ (Registered Member; joined Jan 2, 2008; 1,988 posts; location: iAnywhere)

    While not new news, I had an interest in learning more about malware and MITM attacks.
    ARP Spoofing Malware - Virus(dot)org

    ARP Cache Poisoning Incident - Neil Carpenter's Blog

    C.I.S.R.T. ARP Poison Attacked

    Malware that uses this technique:

    W32/Snow.a
    This is a parasitic virus that searches for and infects Windows Portable Executable (PE) files, which typically have the .EXE file extension.
    It appends a new section of viral code to the end of an infected file.

    W32.Arpiframe
    The worm then gathers the local subnet address, such as 192.168.1.x, and runs an ARP-poisoning attack on the local network to infect other computers. The attack uses WinPCap libraries to inject the following malicious IFRAME code into HTTP traffic of the local network:
    [hxxp://]1xxx4.8xxx1.cn/woya[REMOVED]

    PE_SNOW.A
    Trojan-Dropper.Win32.Agent.ajy
    Trojan.Win32.Pakes
    Trojan.Zlob
    Zlob is one that also attacks routers.

    The ones I looked at on MDL usually had VT results of 0-1/39-42 for their time of capture.

    One way for home users to mitigate ARP attacks is to use static ARP entries.
    Noscript for Firefox can be set to block Iframes on untrusted and trusted pages.

    Sure, there is Wireshark, but reading about Fiddler may help to find some malicious iframes. I'm new to this so we'll see.
     
    Last edited: Aug 6, 2010
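The ARP-poisoning behaviour described in the post (a host answering ARP for the gateway's and a neighbour's IP) can be spotted from the ARP replies alone. The following is an added example, not code from the post or from any of the linked write-ups: it takes (sender IP, sender MAC) pairs already pulled from a capture and flags IP/MAC conflicts, one MAC claiming several IPs, and any reply that contradicts a pinned static ARP entry. The sample replies and MAC addresses are constructed.

```python
"""Flag ARP cache poisoning from a stream of ARP replies (added example).

Input is assumed to be (sender_ip, sender_mac) tuples already extracted from a
capture by some pcap parser; the replies below are constructed, not real traffic.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 really sits at ...:01. The host at
# ...:66 later claims both the gateway's IP and a peer's IP, the classic MITM
# pattern, then the real gateway answers again so the IP "flaps" between MACs.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.66", "aa:bb:cc:00:00:66"),
    ("192.168.1.1", "aa:bb:cc:00:00:66"),   # spoofed: gateway IP from the .66 host
    ("192.168.1.10", "aa:bb:cc:00:00:66"),  # spoofed: peer IP from the .66 host
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway replies again
]


def detect_arp_poisoning(replies, static_entries=None):
    """Return a list of alert strings for suspicious ARP replies.

    static_entries: optional {ip: mac} of known-good bindings (the static ARP
    entries a home user would pin); a reply contradicting one is flagged too.
    """
    static_entries = {ip: mac.lower() for ip, mac in (static_entries or {}).items()}
    first_mac = {}                    # first MAC observed for each IP
    ips_per_mac = defaultdict(set)    # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in static_entries and static_entries[ip] != mac:
            alerts.append(f"static-binding violation: {ip} claimed by {mac}, "
                          f"expected {static_entries[ip]}")
        if ip in first_mac and first_mac[ip] != mac:
            alerts.append(f"ip-mac conflict: {ip} was {first_mac[ip]}, now {mac}")
        first_mac.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)
    # A single MAC answering for several IPs is the poisoning host itself.
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append(f"one mac claims many ips: {mac} -> {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_REPLIES, {"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```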