[unisog] Arp spoofing attack

Chris Keladis ckeladis at gmail.com
Tue Apr 29 21:43:19 GMT 2008

Hi Russell,

Do you have the name of the malware (from an A/V scan), or better yet
a sample for analysis?



On Tue, Apr 29, 2008 at 4:31 PM, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Just a quick heads up.  We had an incident today that took much longer
>  to resolve because no one immediately recognised the symptoms.  Here's
>  hoping that if one of you get hit you will know what it is without
>  having to work it out the hard way like we did.
>  Symptoms:
>  Service desk started getting reports of web pages with Chinese ads
>  inserted in them.  It rapidly became apparent that just one chunk of
>  our network ( a /20 block) was affected (first clue).   What confused
>  the issue was that the initial reports all complained about pages on
>  our main web site which cause us to misdirect our attention to the
>  content management system.
>  Eventually I realised that the problem was much more wide spread than
>  just our servers and that web pages from outside were being mangled as
>  well.  My first reaction was some form of malware that was spreading
>  within the /20 network or that some name server cache had been
>  deliberately corrupted(It's capping week here ;) and this wasted more
>  time.  Then I found out that all flavours on machines were affected:
>  Macs, linux and multiple windows versions (second clue).
>  At this point I decided that it had to be something networks related.
>  Parallel with this some users were sniffing the network from affected
>  machines and noticed lots of spurious ARP traffic (final clue).  A few
>  minutes poking with netdisco revealed one mac address with *lots* of
>  IPs associated with it.  Disabling its switch port solved the problem.
>  If I had thought of arp spoofing at 10am in the morning when I first
>  heard about it we could have dealt with the problem in a few minutes,
>  as it was we wasted many man hours before the penny dropped.
>  The machine in question had just returned from a conference in China
>  -- it was fully patched but had no AV.  It was a privately owned
>  laptop on the network without AV in contravention of policy.  Sigh...
>  Oh yes, a Japanese version of windows...
>  What happened:
>  The machine in question was infected with something that used arp
>  spoofing to convince the router to send traffic for many addresses on
>  the network to it rather than to the real machine.  It then mangled
>  web pages by inserting a single line of java script at the start and
>  then passed the traffic on to the intended recipient.
>  Cheers, Russell
>  _______________________________________________
>  unisog mailing list
>  unisog at lists.dshield.org
>  https://lists.sans.org/mailman/listinfo/unisog

More information about the unisog mailing list