reportingFromChina
Trooper

 Joined: Sep 26, 2007 Posts: 20 Location: China
Posted: Wed Jan 16, 2008 5:54 am    Post subject: 8v8.biz, 9gg.biz, etc. using ARP spoofing?
I think I now understand how 8v8.biz and similar nasties
(31joy.com, rb.vg, 9gg.biz) which have affected my school over
the last few months are able to cause such chaos on the LAN.
It is because they are using ARP spoofing:
http://en.wikipedia.org/wiki/ARP_spoofing
This is a 'man-in-the-middle' attack, and totally explains
the behaviour I've seen with this malware.
I was alerted to this by these forum postings (translated from Dutch):
http://translate.google.com/translate?hl=en&sl=nl&u=http://gathering.tweakers.net/forum/list_messages/1268265&sa=X&oi=translate&resnum=9&ct=result&prev=/search%3Fq%3D%25228v8.biz%2522%26start%3D20%26hl%3Den%26newwindow%3D1%26sa%3DN
I thought that this is sufficiently noteworthy to merit a separate
posting. I've searched the CastleCops forums and haven't found
any previous reports of malware using ARP spoofing... which
does seem to be quite an advanced technique.
I've downloaded WinARPwatch from the mirror at
http://sid.rstack.org/arp-sk/
Unfortunately, from the point of view of finding out more
information, the problem has currently gone away on our LAN.
(Obviously, that's fortunate in most other respects!) But if it is
indeed ARP spoofing, WinARPwatch will provide immediate
notification when an infected machine comes online and starts
fooling nearby machines into connecting via it.
I'll run Winarpwatch on my machine from now on, and will keep
you posted.
RFC
tacktick
MIRT Hunter Premium Member
 Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Wed Jan 16, 2008 8:01 am
Why do you suspect ARP spoofing from what you saw?
If you're right, that is quite an unusual thing for malware to attempt.
_________________
Analyzing, reporting and removing Malware. Fight the Scourge!
reportingFromChina
Trooper

 Joined: Sep 26, 2007 Posts: 20 Location: China
Posted: Wed Jan 16, 2008 10:23 am
Hi tacktick,
Sure, I don't want to raise a false alarm or set people off on a
wild goose chase. But here's the observed behaviour which
makes me think it is likely to be ARP spoofing:
i) Multiple machines simultaneously start including a malicious
IFRAME at the top of webpages they access.
ii) The problem disappears as quickly as it appears (again,
totally simultaneously for multiple machines). Later, it
reappears again. This cycle goes on for several days.
iii) Machines which are declared clean by multiple AV
products, and by manual methods (SysInternals' ProcessExplorer,
AutoRuns, RootkitRevealer,....) still suffer from the IFRAME.
Here are all the possible scenarios I can think of to
explain the presence of the IFRAME:
A) My machine is infected. I believe that (i) and (ii) rule
out this explanation.
B) The gateway machine is infected. That's an obvious
explanation.... but why would we observe the cycle
of (i) and (ii) ?
C) Other machine(s) on the LAN are infected, and using
ARP spoofing to perform man-in-the-middle. This completely
explains the observed behaviour, in my view. Uninfected
machines on the LAN are afflicted by the IFRAME when the
infected machines are switched on.... then the problem
disappears when those machines are powered down.
Here's some other support for the theory:
*Multiple internet postings in Chinese claiming that 8v8.biz
uses ARP spoofing:
http://www.google.com/search?hl=en&newwindow=1&q=%228v8.biz%22+arp&btnG=Search
For example, from ZDNET (Google translated):
http://www.google.com/translate?u=http%3A%2F%2Fnet.zdnet.com.cn%2Fnetwork_security_zone%2F2008%2F0111%2F705038.shtml&langpair=zh%7Cen&hl=en&ie=UTF8
*Multiple postings in English documenting exactly the
same behaviour I have described above. For example:
http://www.computing.net/security/wwwboard/forum/22121.html
http://answers.yahoo.com/question/index?qid=20071231042106AA6kv0S
*Our sysadmins informed me, with 31joy.com, that this was
gateway-machine spoofing by other PCs on the LAN,
although they didn't know the specific mechanism.
The problem has been resolved on a number of occasions
by them powering off infected (non-gateway) PCs.
I've seen this behaviour with the 31joy.com/rb.vg malware
back in October, with the 9gg.biz malware in December, and
the current 8v8.biz malware. They've all behaved in exactly
the same way. I've had a lot of experience dealing with virus
infested machines here - but this is something different. It
was the seemingly intractable nature of the 31joy.com
infestation back in October which prompted me to register
with CastleCops.
Yes, if it's really ARP spoofing, it's a definite upping of the
ante! I guess AV products will have to
include Winarpwatch-like functionality in the future.
Regards,
RFC
reportingFromChina
Trooper

 Joined: Sep 26, 2007 Posts: 20 Location: China
Posted: Wed Jan 16, 2008 11:33 am
Oh, here we go:
http://www.websense.com/securitylabs/blog/blog.php?BlogID=166
Chapter and verse on this new class of malware and how it works,
from Websense Security Labs' blog. They've partially redacted the
malware URL, but it's obviously the rb.vg URL.
So it looks like this behaviour is definitely because of ARP spoofing.
RFC
tacktick
MIRT Hunter Premium Member
 Joined: May 19, 2007 Posts: 624 Location: USA
Posted: Thu Jan 17, 2008 1:48 am
Very interesting thanks.
The websense article was enlightening.
I've been out of the loop for a few months and had no idea malware was up to this.
A bit scary.
_________________
Analyzing, reporting and removing Malware. Fight the Scourge!
reportingFromChina
Trooper

 Joined: Sep 26, 2007 Posts: 20 Location: China
Posted: Thu Jan 17, 2008 5:01 am
You're welcome. Yes, it's definitely scary. Still, at
least now I properly understand what is going on...
after 3 months!
If you're coming to this thread from a Google search
for "8v8.biz", check this thread for advice on dealing
with this malware:
/t212462-Bloodhound_Exploit_117_being_served_from_8v8_biz.html
reportingFromChina
Trooper

 Joined: Sep 26, 2007 Posts: 20 Location: China
Posted: Fri Jan 18, 2008 5:28 am
I've now confirmed definitively that 8v8.biz is using ARP spoofing.
Someone switched on an infected machine on our LAN this
morning, and WinARPwatch's icon in my icon tray started flashing.
And the IFRAME started appearing in webpages accessed on my
machine.
I've attached a screenshot of WinARPWatch's output - with some
information redacted (probably unnecessarily because it's all
private IPs, but, hey).
The spoofing starts at 08:52 hours. The IP of the gateway
machine is 10.66.xx.1. The machine whose correct IP is
10.66.xx.59 is spoofing it. The MAC address of that machine is
xxxx:5E:E0. You'll notice that when the spoofing starts, that
machine sends out ARP packets for both IPs.
I'd like to note a further aspect of this malware's modus operandi,
which I noticed a long time ago, but haven't previously mentioned.
It's selective about which pages it inserts the IFRAME into. For
example, google.com is IFRAME-free. On the other hand, Bank of
China's website (www.boc.cn) has the IFRAME.
reportingFromChina
Trooper

 Joined: Sep 26, 2007 Posts: 20 Location: China
Posted: Fri Jan 18, 2008 9:22 am
I've realized that the image attached to my last posting is only
viewable by people logged into CastleCops. So for readers who
don't have/want a login, here is the important content of that
image in text form:
Time      Action        IP Address   DNS Name     MAC Address        Manufacturer  ARP Type
blah      blah          blah         blah         blah               blah          blah
blah      blah          blah         blah         blah               blah          blah
blah      blah          blah         blah         blah               blah          blah
08:52:45  Added         10.66.xx.59  WWW-8xxxxxx  xx:xx:xx:xx:5E:E0  N/A           Dynamic
08:52:53  HAS CHANGED!  10.66.xx.1   N/A          xx:xx:xx:xx:5E:E0  N/A           Dynamic
The "HAS CHANGED!" message from WinArpWatch refers
to the fact that the MAC address for 10.66.xx.1 (the gateway
IP address) has changed, rather than to the fact that more
than one IP is associated with the MAC address xxxx:5E:E0.
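The two posts above (the WinARPwatch capture at 08:52 and the note on what "HAS CHANGED!" does and does not flag) describe exactly the detection logic a small ARP-table monitor needs. The following is an added example, not WinARPwatch's code and not from the thread: it replays a stream of ARP observations, keeps an IP -> MAC table, and raises an alert when the MAC recorded for a watched IP (the gateway) changes, which is WinARPwatch's rule, and also when one MAC starts answering for more than one IP, which the last post points out WinARPwatch does not report on its own. The sample records are constructed to mirror the redacted log; the gateway IP 10.66.0.1 and all MAC addresses are placeholders.

```python
# Added example: a minimal ARP-table monitor with two rules.
#   Rule 1 ("CHANGED"): the MAC recorded for an IP changes.  For a watched IP
#           such as the gateway this is what WinARPwatch calls "HAS CHANGED!".
#   Rule 2 ("ONE MAC MANY IPS"): one MAC is bound to two or more IPs, which is
#           the fingerprint of a host answering ARP for the gateway's address
#           as well as its own.
# Gateway IP and MACs below are assumed placeholders, not values from the post.

from collections import defaultdict

GATEWAY_IP = "10.66.0.1"          # assumed; the post shows 10.66.xx.1

# Constructed sample shaped like WinARPwatch's time / IP / MAC columns.
SAMPLE_OBSERVATIONS = [
    ("08:40:00", "10.66.0.1",  "00:11:22:33:44:01"),   # the real gateway
    ("08:40:05", "10.66.0.17", "00:11:22:33:44:17"),   # an ordinary host
    ("08:52:45", "10.66.0.59", "00:11:22:33:5e:e0"),   # infected host comes online
    ("08:52:53", "10.66.0.1",  "00:11:22:33:5e:e0"),   # it now claims the gateway IP
    ("08:53:10", "10.66.0.17", "00:11:22:33:44:17"),   # unchanged, must not alert
]


class ArpMonitor:
    """Tracks IP -> MAC and MAC -> {IPs}; collects alerts as (time, rule, detail)."""

    def __init__(self, watched_ips):
        self.watched_ips = set(watched_ips)
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, time, ip, mac):
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        if previous is None:
            self.alerts.append((time, "ADDED", f"{ip} is at {mac}"))
        elif previous != mac:
            rule = "WATCHED IP CHANGED" if ip in self.watched_ips else "CHANGED"
            self.alerts.append((time, rule, f"{ip}: {previous} -> {mac}"))
            self.mac_to_ips[previous].discard(ip)   # old MAC no longer owns this IP
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        # Rule 2: a single MAC answering for two or more IPs.
        if len(self.mac_to_ips[mac]) > 1:
            ips = ", ".join(sorted(self.mac_to_ips[mac]))
            self.alerts.append((time, "ONE MAC MANY IPS", f"{mac} claims {ips}"))

    def suspected_spoofers(self):
        """MACs currently bound to more than one IP, in sorted order."""
        return sorted(m for m, ips in self.mac_to_ips.items() if len(ips) > 1)


def replay(observations, gateway_ip=GATEWAY_IP):
    """Feed a list of (time, ip, mac) records through a monitor and return it."""
    monitor = ArpMonitor(watched_ips={gateway_ip})
    for time, ip, mac in observations:
        monitor.observe(time, ip, mac)
    return monitor


if __name__ == "__main__":
    m = replay(SAMPLE_OBSERVATIONS)
    for alert in m.alerts:
        print("; ".join(alert))
    print("suspected spoofers:", m.suspected_spoofers())
```

On the constructed sample the gateway's MAC flips at 08:52:53 and, in the same record, the 5e:e0 MAC is seen holding two IPs, so both rules fire on the spoofing host while the unchanged 10.66.0.17 entry stays quiet. Rule 2 is the useful addition: it names the offending machine directly, which is what the sysadmins in the thread needed in order to know which PC to power off.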