Chinese Security Site Under New Kind of Attack
SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."
end the madness now, leave Iraq, kick the idiot bastard from the whitehouse.
Smile, don't click...
We are very sorry that sometimes, when visiting some of our pages, malicious code is inserted. We think it doesn't mean that our website has been compromised. It may be due to an ARP attack. We have informed our webserver provider to help us check whether it's due to an ARP attack or not.
Ummmm... I think if malicious code is inserted into your site, it's been compromised.
. o O ( TwO hEaDs ArE mOrE tHaN oNe... )
Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
If this really is an ARP-spoofing based attack, all other sites in their provider's location ought to be vulnerable too and would make better targets, don't you think?
By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted; 100% of pageviews over 2 days would probably be better than 10% over a week)?
"it is an interesting evolution"
Yes, if by "interesting" you mean "annoying". And by "evolution" you mean "I wish all malware creators would curl up in a corner and die."
SIG: TAKE OFF EVERY 'CAPTAIN'!!
Getting the "Chinese Internet Security Response Team" website to deliver malware. Way to go.
I have excellent Karma and I am not afraid to Troll it.
I've seen this before. It was a few years ago and I can't remember where, but there was a discussion on this very topic at some point.
This is a first post.
Although there are comments above this one, those ones are spoofed and therefore don't count.
I could just wait till the next story is posted, but I don't want to waste my time doing that.
I'm going outside now.
It was one of the main reasons I originally argued against using them to clients 8 years ago.
now, AJAX... hehehe
It shouldn't come as a shocker that attackers are trying to re-route traffic from legitimate sites to illegitimate ones. What's odd is, ARP spoofing can be curtailed by static ARP addressing and the network administrators of that netblock should be able to stop it outright or at minimum isolate the traffic. This is nothing more than a man in the middle attack and I've always wondered when someone was going to try it on a large scale... Guess I got my answer. Imagine this for a second though and the ramifications of it... Google, well known for huge amounts of servers dispersed throughout the world...
Attacker on GoogleB farm's network --> man in the middle (for an hour a month) --> undetected --> redirect to malware cocktail site
Visitors --> replicated Google --> view infected page
Technically it's possible provided the MITM attacker is on the same network, the network engineers didn't mitigate against it, and someone is really determined.
We've all (hopefully all of us) heard of the "Storm" botnet. It's not an exaggeration to think of someone getting their act together and creating something on this level of an attack vector. The question is _when_ will it happen. Who knows, for all you know Slashdot was loaded with a cocktail of malware when you visited this site. Hope people get a clue and keep their machines clean. There's no silver bullet solution when an attacker is 1) skillful enough 2) undetectable nowadays 3) has major motivation (finance).
Infiltrated dot Net
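The comment above argues that static ARP entries curtail this kind of man-in-the-middle. The following is an added example, not code from the thread or from CISRT: it replays a constructed list of ARP replies (a hypothetical gateway 10.0.0.1 with a real MAC and an attacker answering for the same IP), flags the IP-to-MAC conflict a monitor would alert on, and shows that a host with the gateway pinned statically keeps the correct mapping while a host relying on dynamic ARP ends up with the attacker's MAC.

```python
"""Added example (not from the thread): detect a gateway ARP-spoofing attempt from
observed ARP replies, and show why a static ARP entry blocks it.

Assumptions (hypothetical): the LAN gateway is 10.0.0.1 with the legitimate MAC
00:11:22:33:44:01; the attacker at 00:de:ad:be:ef:01 answers for the same IP.
The ARP reply records below are constructed, not captured traffic.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender_ip, sender_mac) taken from ARP replies on the wire.
SAMPLE_ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),   # real gateway
    (1.5, "10.0.0.20", "00:11:22:33:44:20"),  # another host on the segment, consistent
    (2.0, "10.0.0.1", "00:11:22:33:44:01"),
    (2.1, "10.0.0.1", "00:de:ad:be:ef:01"),   # spoofed reply: same IP, different MAC
    (2.2, "10.0.0.1", "00:de:ad:be:ef:01"),
]

# Static binding an operator would pin (the equivalent of `arp -s` on the host).
STATIC_ARP = {"10.0.0.1": "00:11:22:33:44:01"}


def find_ip_mac_conflicts(replies):
    """Return {ip: sorted list of MACs} for every IP claimed by more than one MAC.
    A gateway IP appearing here is the classic ARP-poisoning signature."""
    macs_for_ip = defaultdict(set)
    for _ts, ip, mac in replies:
        macs_for_ip[ip].add(mac.lower())
    return {ip: sorted(m) for ip, m in macs_for_ip.items() if len(m) > 1}


def resolve_with_static_table(replies, static_table):
    """Simulate a host's ARP cache. Dynamic replies update the cache, except for IPs
    with a static entry, which are never overwritten. Returns the final ip->mac map
    and the list of replies that contradicted a static binding (worth alerting on)."""
    cache = dict(static_table)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in static_table:
            if mac != static_table[ip]:
                alerts.append((ts, ip, mac))
            continue  # static entry wins; the spoofed reply is ignored
        cache[ip] = mac  # last reply wins for dynamic entries
    return cache, alerts


def resolve_without_static_table(replies):
    """Same cache logic with no static entries: the last reply wins, which is exactly
    how a spoofed reply takes over the gateway mapping on an unprotected host."""
    cache, _ = resolve_with_static_table(replies, {})
    return cache


if __name__ == "__main__":
    print("conflicts:", find_ip_mac_conflicts(SAMPLE_ARP_REPLIES))
    print("dynamic only, gateway resolves to:",
          resolve_without_static_table(SAMPLE_ARP_REPLIES)["10.0.0.1"])
    cache, alerts = resolve_with_static_table(SAMPLE_ARP_REPLIES, STATIC_ARP)
    print("with static entry, gateway resolves to:", cache["10.0.0.1"])
    print("contradicting replies:", alerts)
```

The static table only protects the host that holds it; the provider-side fix the commenter alludes to (switch port security, or the switch validating ARP against DHCP bindings) is what stops the spoofed replies from reaching other tenants at all.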
I drove my new car out of the sales yard without looking and got cleaned up by a truck, obviously it's the car's fault.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
The Internet Immolation Server has actually become more secure, with few, if any, bad security holes found in the last two years. However, this does not hinder the coder to develop secure software, and anything that plugs into IIS needs to be as secure as IIS.
The Internet Exploder however - well, its reputation is well ahead of any statistics, as my de-wormed Windows boxen demonstrate.
hehehe
I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
Guess what, you insufferable nincompoops? Our government is itself the product of a market system. Cities like New York, London, and San Francisco are successful precisely *because* of their enormous governments--they compete for capital, talent, and prestige against cities with small, ineffectual governments that are unable to effectively lure and corral said capital, talent, and prestige. And as goes the city, so go city-states and nations: Somalia, being a libertarian paradise, is a rather unpleasant place to live for non-ideologues. Somalians, those who can, vote with their feet and leave.
Now go suckle Ayn Rand's rotten tits some more and leave the rest of us alone, you stupid fucking Paultards.
you tree-hugging, hippie.
What about running a *nix box using Firefox, would you still have the problem of acquiring these malwares on your PC??? If this is not the case, then what about the same thing but inside a VMware install??? Would it not curtail the threat while browsing the internet?
http://www.infiltrated.net/scripts/dsphunxion.sh
http://www.infiltrated.net/scripts/dsphunxion.output
The concept was a pseudo-heuristic worm to be downloaded via a vuln on a Linux box. Caveats... Surfer would have to be root... Could be re-written to exploit something else to gain root though. Someone with modsecurity skills could do a re-write based on header information and redirect Linux boxes to their appropriate pages to download and exploit it though. Again, it's theory and concept based.
Infiltrated dot Net
This is a common exploit -- use dl() to dynamically load a .so into PHP which allows arbitrary insertion of strings into returned webpages -- allows one to set a header/footer to be returned in any future pages served by that process. Search the internet for "flame.so"
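For the dl() vector just described, the usual hardening is done in php.ini rather than in code. The fragment below is an added example, not configuration from the thread or from CISRT; the paths and values are hypothetical, and the weak setting is shown beside the corrected one.

```ini
; Added example (not from the thread). Weak configuration: dl() is available, so any PHP
; code that can call it can load an arbitrary shared object from extension_dir into the
; interpreter process, which is exactly what lets an injected .so rewrite every page served.
enable_dl = On
extension_dir = "/usr/lib/php/modules"   ; hypothetical path

; Hardened configuration: refuse dynamic extension loading outright and remove the
; function from userland so a compromised script cannot even attempt it.
enable_dl = Off
disable_functions = dl
```

Check the effective value with `php -i | grep enable_dl` (or phpinfo()) on the exact SAPI the site runs under, since the CLI and the web server can read different php.ini files.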
You people modded someone down for posting facts from a respected site for security on all platforms that you cannot dispute, which is quite lame. Shame on you losers here at slashdot is about all a body can state. I will add on SQL Server 2005 as well (another 0 unpatched flaw bearing Microsoft product which is often used in combination with IIS & Windows Server 2k3):
SQLServer 2005 @ SECUNIA:
http://secunia.com/product/6782/
Affected By 0 Secunia advisories
Unpatched 0% (0 of 0 Secunia advisories)
ARP attacks against websites like this are relatively uncommon but fairly easy to do. ISC (isc.sans.org) did a write-up not too long ago where someone's customer was attacked like this. Due to a lack of switch security and clients not using static ARP tables etc., this attack will succeed pretty frequently when hosts are on the same subnet/VLAN. I'm not sure the CSIRT website gets too much traffic to begin with, definitely more after being slashdotted. I don't think saying that their user-base doesn't use IE or is fully patched is accurate. Besides, from an attacker's point of view: who cares. It's hit or miss... and nothing happens when they miss. On top of that, who says they aren't ARP spoofing this into every host and webserver on the network there? CSIRT might just be 1 of 100. Btw the first exe is pulled from the domain mentioned which then pulls a second file (100.exe) from another domain. It appears to be a password stealer. What a sad bunch of people doing all this crap.
I know another site who got EXACTLY this problem (iframes in the code, linking to malware), this was because of a worm exploiting vulnerabilities in php scripts, i wouldn't be surprised if they got hax0red and tried to say "hey it's ARP poisoning, another server got owned, not us!" what a shaaaame, they got pwn3d that's it, you can be sure.
for linking to a page that may try to download trojans to my computer.
You know you've lost when you can't trust your OS to run user apps and you think the VM will save you.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
i think maybe this is a part of CISRT's trick to spread viruses. as a result more site visitors will look after them for help. and maybe the Chinese government didn't pay salary for the employees at CISRT, and they use this attack to take revenge.
I think this attack is caused by a programming error. The program is not secure; these are non-malicious problems. The programming flaw involves synchronization. The time-of-check to time-of-use (TOCTTOU) flaw concerns mediation that is performed with a "bait and switch" in the middle.
Nice tag guys: thatswhatyagetforalltheleadpaint. *Someone* is a little bitter over recent Chinese cyber attacks, not naming countries or anything.
-BMojo
I just noticed a day ago that a lot of html files I had stored on a usb hdd (my ipod) had had a line introduced, an iframe going to chinaons.com with some garble after it that might be Chinese. It was really disconcerting. Not just because of the line which was easily removed, but because Virus Buster would DELETE the files.
I would really like to be able to make certain folders on my ipod read-only password protected when I plug it in, so I know this isn't happening.
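Both the injected-IFRAME comment further up (the one that traced the first exe and the second download, 100.exe) and the comment just above about HTML files on a USB drive sprouting an iframe describe the same artifact: a frame element that the page author never wrote, usually hidden and pointing at a foreign host. The following is an added example, not code from the thread or from any of the commenters: it scans HTML with the standard library parser, flags iframes that point outside a site's own hostnames or that are hidden by size or CSS, and writes out a copy with the flagged frames removed. The sample page and the hostnames in it are constructed.

```python
"""Added example (not from the thread): find IFRAMEs injected into HTML and emit a
cleaned copy. The sample HTML below is constructed; www.example.org stands in for the
site's own host and evil.invalid for the injected host (both hypothetical)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www.example.org"}  # hypothetical: hostnames the site legitimately frames

# Constructed page: one legitimate embedded frame plus one injected, hidden frame.
SAMPLE_HTML = (
    "<html><body><h1>Advisories</h1>"
    '<iframe src="https://www.example.org/feed" width="400" height="300"></iframe>'
    '<iframe src="http://evil.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>'
    "</body></html>"
)

_TINY = {"0", "0px", "1", "1px"}


class IframeScanner(HTMLParser):
    """Collects every <iframe> start tag with the reasons it looks injected."""

    def __init__(self):
        super().__init__()
        self.iframes = []  # (exact start-tag text, src, list of reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = (urlsplit(src).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            reasons.append("external host " + host)
        if a.get("width", "").strip().lower() in _TINY or a.get("height", "").strip().lower() in _TINY:
            reasons.append("zero/one-pixel size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # get_starttag_text() returns the tag exactly as written, which lets the
        # cleaner remove it byte-for-byte without re-serialising the whole document.
        self.iframes.append((self.get_starttag_text(), src, reasons))


def _scan(html):
    parser = IframeScanner()
    parser.feed(html)
    parser.close()
    return parser.iframes


def find_suspicious_iframes(html):
    """Return [(src, reasons)] for frames that tripped at least one check."""
    return [(src, reasons) for _text, src, reasons in _scan(html) if reasons]


def strip_suspicious_iframes(html):
    """Return a copy of the document with every flagged frame (start tag plus the
    immediately following </iframe>, the usual injected shape) removed."""
    cleaned = html
    for start_text, _src, reasons in _scan(html):
        if reasons:
            cleaned = cleaned.replace(start_text + "</iframe>", "")
            cleaned = cleaned.replace(start_text, "")  # in case the closing tag was elsewhere
    return cleaned


def scan_documents(docs):
    """docs: {name: html}. Returns {name: findings} for documents with flagged frames,
    the shape you want when sweeping a directory of saved .html files."""
    return {name: f for name, f in ((n, find_suspicious_iframes(h)) for n, h in docs.items()) if f}


if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML):
        print("suspicious iframe:", src, "|", ", ".join(reasons))
    print(strip_suspicious_iframes(SAMPLE_HTML))
```

The allowlist is the load-bearing check: a frame to a host you never embed is injected regardless of how it is styled, while the size and CSS checks catch the common case where the injector hides the frame so the visitor notices nothing. Run the scanner against a known-clean copy of the site first so legitimate embeds get added to ALLOWED_HOSTS rather than stripped.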
My point was still just using the snapshot ability to overwrite the previous OS install after maybe 2 days; seeing as a snapshot takes about 15 minutes to restore, you could do a snapshot after the full install+upgrades etc.... then use that as your base for a malware-free OS, and after 2 days' usage, whether you have malware or not, refresh the OS so to speak.
I know this philosophy of using VMware may not be the original intent for its deployment, but short of creating your own OS to be 100% certain that no malware can be installed, even Linux can apparently get owned, so it's not the OS, it's the usage of apps that makes it insecure.
We can't stop using our apps, so it will be up to something like VMware (for now) to help us, no?
My hat's off to you, if you were the one to write this code; got to say, I know when I am in the presence of greatness... again, if you were the one to write the code.
My compliments on the actual proof of concept though, beautiful!
Care to elaborate on what your stem would be for accomplishing further steps, as the person accessing the page may not really have root? Would there be a way to own the machine regardless of root access, maybe using a redirect to a process that does have root, say calling from Firefox's known vulnerabilities???
even Linux ! say it aint so.
Eventually your malware will overwrite your snapshots or the binary that restores them.
That said, the OS I use has daily snapshots (or as often as you like) to a central server (thus enabling coalescing of data blocks i.e. repeated blocks of data are stored only once). The choice of which snapshot to use is per process, so, for instance, you can compile yesterday's code in one window and last weeks in another and see what changed. Or boot any terminal into last month's state of any other etc. etc.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
unless someone was smart enough to have burned that ISO of the snapshot on a DVD before any malware got to it, so as to have a proper image each time.... and I know someone who was a god in Linux that taught me what to place on the CD-ROM to avoid recompiles, so that certain directories could not be written to, therefore not rootkitted...
"And they told me i couldn't play 7/8, I just did 2 bars of 3/4 and a 1"
Plan 9 taught me that if your terminal needs backing up, you have already lost.
Boot diskless and you don't need to image your disks and hope for the best, because all of your terminals are just that, terminals. Storage belongs somewhere safe. These days cheap high-speed networking should be making disks redundant in a LAN situation. The place is a damn sight quieter and consumes less energy.
There's a lot of places a 500Mhz EPIA fanless will do just fine.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter