[unisog] Arp spoofing attack
Darden, Patrick S.
darden at armc.org
Tue Apr 29 12:27:14 GMT 2008
Classic mitm attack--but new to me is its use in this kind of scripted
malware. Very sophisticated. Thanks for the heads up!!
--p
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org]On Behalf Of Russell Fulton
Sent: Tuesday, April 29, 2008 2:31 AM
To: UNIversity Security Operations Group
Subject: [unisog] Arp spoofing attack

Just a quick heads up. We had an incident today that took much longer
to resolve because no one immediately recognised the symptoms. Here's
hoping that if one of you gets hit you will know what it is without
having to work it out the hard way like we did.

Symptoms:

Service desk started getting reports of web pages with Chinese ads
inserted in them. It rapidly became apparent that just one chunk of
our network (a /20 block) was affected (first clue). What confused
the issue was that the initial reports all complained about pages on
our main web site, which caused us to misdirect our attention to the
content management system.

Eventually I realised that the problem was much more widespread than
just our servers and that web pages from outside were being mangled as
well. My first reaction was some form of malware that was spreading
within the /20 network or that some name server cache had been
deliberately corrupted (It's capping week here ;) and this wasted more
time. Then I found out that all flavours of machines were affected:
Macs, Linux and multiple Windows versions (second clue).

At this point I decided that it had to be something network related.
Parallel with this some users were sniffing the network from affected
machines and noticed lots of spurious ARP traffic (final clue). A few
minutes poking with netdisco revealed one MAC address with *lots* of
IPs associated with it. Disabling its switch port solved the problem.

If I had thought of arp spoofing at 10am in the morning when I first
heard about it we could have dealt with the problem in a few minutes,
as it was we wasted many man hours before the penny dropped.

The machine in question had just returned from a conference in China
-- it was fully patched but had no AV. It was a privately owned
laptop on the network without AV in contravention of policy. Sigh...
Oh yes, a Japanese version of Windows...

What happened:

The machine in question was infected with something that used arp
spoofing to convince the router to send traffic for many addresses on
the network to it rather than to the real machine. It then mangled
web pages by inserting a single line of JavaScript at the start and
then passed the traffic on to the intended recipient.

Cheers, Russell
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog