ARP poisoning is by no means a new trick when it comes to network attacks; however, it is seldom employed by your typical malware, which is why it caught my attention.
The malware detected as Troj/Sniffer-P is a configurable command-line network attack tool which can be used (amongst other things) to inject HTML data (such as an IFRAME tag) into network packets. What makes this interesting is that the attack can be carried out from a third-party workstation by spoofing ARP packets.
During a regular network transaction to request a webpage, the following sequence of events takes place:
- Client issues an ARP request to obtain the web server's physical MAC address using the server's known IP address
- Client receives ARP reply and can now establish a connection to the server
- Client issues HTTP requests
- Server responds with HTTP responses
The Trojan attempts to interfere with this process by continually transmitting fake ARP replies onto the network, with the intention of making the client believe that the attack node is the web server.
This works because, by the time the client sends its ARP request, several fake replies are already in transit. The MAC address the client obtains is therefore not that of the web server but that of the attacking node. The client, however, is blissfully unaware and continues with the transaction.
Unbeknownst to the client, the data is really being sent to the attack node, which forwards it on to the server, acting as the "man in the middle". As the HTTP response returns via the established TCP/IP connection through the attack node, it is injected with some of the attacker's own data.
This style of attack has the ability to bypass web content filtering at the gateway and offers a means of localised network propagation without needing to compromise the server.
The prevention of such attacks cannot rely on a single piece of security technology but instead should utilize a number of perimeter and end-point solutions to maximize coverage of the attack surface.
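The sequence described above leaves a footprint on the wire that an end-point or network sensor can look for: ARP replies that nobody asked for, and an IP address whose MAC binding suddenly changes. The following passive monitor is an added example (not code from the original post or from the Troj/Sniffer-P analysis). It parses raw Ethernet/ARP frames, keeps an IP-to-MAC table, and raises an alert on both conditions while still accepting a legitimate gratuitous announcement (sender IP equals target IP). All addresses and frames are constructed for the demonstration; the `build_arp` helper exists only to produce that sample input.

```python
"""Passive ARP-reply monitor (added example, not part of the original post).

Flags two symptoms of the attack the post describes:
  * "unsolicited-reply": a reply for which no matching request was seen
  * "mac-changed":       a reply that claims a different MAC for an IP we
                         already have a binding for
All MAC/IP addresses below are constructed sample values.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip), or None
    if the bytes are not an Ethernet II frame carrying IPv4-over-Ethernet ARP."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa = frame[22:28], frame[28:32]
    tha, tpa = frame[32:38], frame[38:42]
    return op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def build_arp(op, sha, spa, tha, tpa):
    """Encode a constructed Ethernet II + ARP frame (sample input only)."""
    sha_b = bytes(int(x, 16) for x in sha.split(":"))
    tha_b = bytes(int(x, 16) for x in tha.split(":"))
    spa_b = bytes(int(x) for x in spa.split("."))
    tpa_b = bytes(int(x) for x in tpa.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else tha_b
    eth = dst + sha_b + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha_b + spa_b + tha_b + tpa_b
    return eth + arp


class ArpMonitor:
    def __init__(self):
        self.table = {}       # ip -> first MAC learned for it (the baseline)
        self.pending = set()  # (requester_ip, target_ip) of outstanding requests
        self.alerts = []      # every alert raised so far

    def feed(self, frame):
        """Process one frame; return the list of alerts it produced."""
        parsed = parse_arp(frame)
        if parsed is None:
            return []
        op, sha, spa, tha, tpa = parsed
        if op == ARP_REQUEST:
            self.pending.add((spa, tpa))
            return []
        if op != ARP_REPLY:
            return []
        new = []
        # A reply from spa answers a request that tpa made for spa.
        if (tpa, spa) in self.pending:
            self.pending.discard((tpa, spa))
        elif spa != tpa:  # spa == tpa is a gratuitous announcement, not suspicious by itself
            new.append(("unsolicited-reply", spa, sha))
        known = self.table.get(spa)
        if known is None:
            self.table[spa] = sha
        elif known != sha:
            # Keep the baseline binding; report the conflicting claim.
            new.append(("mac-changed", spa, known, sha))
        self.alerts.extend(new)
        return new


def demo():
    """Replay the post's sequence: a normal request/reply, then a burst of
    unsolicited replies claiming the server's IP with a rogue MAC."""
    client_mac, client_ip = "00:11:22:33:44:55", "10.0.0.10"   # constructed
    server_mac, server_ip = "00:aa:bb:cc:dd:ee", "10.0.0.80"   # constructed
    rogue_mac = "de:ad:be:ef:00:01"                            # constructed
    mon = ArpMonitor()
    mon.feed(build_arp(ARP_REQUEST, client_mac, client_ip, "00:00:00:00:00:00", server_ip))
    mon.feed(build_arp(ARP_REPLY, server_mac, server_ip, client_mac, client_ip))
    for _ in range(3):
        mon.feed(build_arp(ARP_REPLY, rogue_mac, server_ip, client_mac, client_ip))
    return mon.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

In the demo each rogue reply produces two alerts (unsolicited, and a MAC conflict against the baseline learned from the genuine reply), so the burst stands out immediately. In a real deployment the monitor would be fed from a capture interface and the baseline table seeded from a known-good inventory or DHCP leases; the same two checks are what tools like arpwatch and switch-side dynamic ARP inspection rely on.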