Wednesday, March 11, 2009

ARP spoofing attacks on web sites

SANS reports that attackers are using ARP spoofing to inject malicious JavaScript into content served by other web sites. Using ARP to inject packets is a common technique when cracking WiFi keys; in this attack, ARP is used to send packets containing fake data to the target.
This is exactly what happened in both incidents I was involved in. A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned the local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).
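
The poisoning described above leaves a visible trace on the wire: an IP address (typically the gateway's) that was answered by one MAC suddenly being answered by another, and one MAC claiming many neighbours' addresses at once. The following is an added example of that detection logic, written for this page and not taken from the SANS diary or from any tool it names. It parses constructed tcpdump-style ARP reply lines (the addresses, timestamps and the gateway IP 10.0.0.1 are all made up for the example) and raises alerts on both signals.

```python
"""Flag ARP-cache poisoning from observed ARP replies (added example).

Input lines are constructed to look like `tcpdump -n arp` output; a real
deployment would feed live capture or arpwatch-style logs instead.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample capture: 10.0.0.1 is the gateway (aa:...:01). At t=30
# the host at cc:...:20 starts answering for the gateway and two neighbours,
# then the real gateway answers again (an arpwatch-style "flip flop").
SAMPLE_LINES = [
    "00:00:00.000000 ARP, Reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "00:00:01.000000 ARP, Reply 10.0.0.10 is-at bb:bb:bb:bb:bb:10, length 28",
    "00:00:02.000000 ARP, Reply 10.0.0.11 is-at bb:bb:bb:bb:bb:11, length 28",
    "00:00:03.000000 ARP, Reply 10.0.0.20 is-at cc:cc:cc:cc:cc:20, length 28",
    "00:00:30.000000 ARP, Reply 10.0.0.1 is-at cc:cc:cc:cc:cc:20, length 28",
    "00:00:30.100000 ARP, Reply 10.0.0.10 is-at cc:cc:cc:cc:cc:20, length 28",
    "00:00:30.200000 ARP, Reply 10.0.0.11 is-at cc:cc:cc:cc:cc:20, length 28",
    "00:00:31.000000 ARP, Reply 10.0.0.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "00:00:31.500000 ARP, Request who-has 10.0.0.30 tell 10.0.0.1, length 28",
]

GATEWAY_IP = "10.0.0.1"  # assumed gateway address for the constructed subnet

REPLY_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17}), length \d+$"
)


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since midnight
    ip: str
    mac: str


def parse_reply(line):
    """Return an ArpReply for a tcpdump-style ARP reply line, else None."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None  # requests and other traffic are ignored
    h, mi, s, frac, ip, mac = m.groups()
    ts = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    return ArpReply(ts, ip, mac.lower())


def detect_poisoning(lines, gateway_ip=GATEWAY_IP, max_ips_per_mac=2):
    """Return (alerts, current_bindings) for a sequence of capture lines.

    Signals:
      * ip_mac_change: an IP previously answered by one MAC is now answered
        by another; 'high' severity when the IP is the gateway.
      * mac_claims_many_ips: one MAC answers for more than max_ips_per_mac
        distinct IPs, which is what subnet-wide poisoning looks like.
    """
    replies = [r for r in map(parse_reply, lines) if r is not None]
    bindings = {}                   # ip -> MAC most recently seen for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has answered for
    flagged = set()
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        prev = bindings.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append({
                "ts": r.ts, "kind": "ip_mac_change", "ip": r.ip,
                "old": prev, "new": r.mac,
                "severity": "high" if r.ip == gateway_ip else "medium",
            })
        bindings[r.ip] = r.mac
        ips_by_mac[r.mac].add(r.ip)
        if len(ips_by_mac[r.mac]) > max_ips_per_mac and r.mac not in flagged:
            flagged.add(r.mac)
            alerts.append({
                "ts": r.ts, "kind": "mac_claims_many_ips", "mac": r.mac,
                "ips": sorted(ips_by_mac[r.mac]), "severity": "high",
            })
    return alerts, bindings


def suspect_macs(alerts):
    """MACs implicated by any alert: the 'new' claimant or the many-IP MAC."""
    return {a["new"] if a["kind"] == "ip_mac_change" else a["mac"] for a in alerts}


if __name__ == "__main__":
    found, _ = detect_poisoning(SAMPLE_LINES)
    for a in found:
        print(a)
    print("suspect MACs:", sorted(suspect_macs(set() or found)))
```

Two thresholds matter in practice: a MAC that legitimately answers for several IPs (a router with aliases, a VRRP/HSRP pair) should be whitelisted rather than lowering `max_ips_per_mac`, and a gateway flip back to its real MAC is reported as a change too, since that flapping is itself the signature of a poisoner racing the genuine host. Static ARP entries for the gateway on servers that cannot be moved off a shared subnet, and dynamic ARP inspection on the switch, close the hole that this detection only observes.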

The ARP spoofing malware they used was relatively common, but AV detection was still miserable, with major AV programs missing it (both compromised machines had up-to-date AV programs installed).

This is another example of how we cannot depend on antivirus programs to protect against all threats.


