Slashdot Mirror


Chinese Security Site Under New Kind of Attack

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

11 of 73 comments

  1. Strange Choice of Target, eh? by darthflo · · Score: 4, Interesting

    Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
    If this really is an ARP-spoofing based attack all other sites in their provider's location ought to be vulnerable too and would make better targets, don't you think?

    By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

    1. Re:Strange Choice of Target, eh? by WindBourne · · Score: 2, Insightful

      Unless of course, the security site is doing it itself. I would not be surprised if they are trying to inject into clients. More importantly, I would guess that it would not attack systems that come from other known security sites.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  2. Interesting? by Big+Nothing · · Score: 5, Funny

    "it is an interesting evolution"

    Yes, if by "interesting" you mean "annoying". And by "evolution" you mean "I wish all malware creators would curl up in a corner and die."

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
    1. Re:Interesting? by Anonymous Coward · · Score: 5, Funny

      Malware creators have feelings too.

      For example, they laugh when you are infected with malware.

  3. Re:FTFA... by TheThiefMaster · · Score: 4, Informative

    Ummmm... I think if malicious code is inserted into your site, it's been compromised. Except it's not being inserted into the website itself, the page is being modified en-route to the client.
    Read up on ARP spoofing. The basic theory is that another machine at the same webhost is pretending to be the gateway to the internet, and so all traffic gets to flow through it and it can modify it as it wishes.
  4. Re:CSIRT is dying by El+Lobo · · Score: 3, Funny

    IIS on a Windows 2003 server? That is one of the better and most secure combinations you can have today! Seriously, don't fool yourself. IIS 6 and 7 have a record of almost no critical exploits. In comparison with Apache it simply shines. And Windows 2003 is rock solid.

    --
    It's time to realise that Abble's products are the biggest abomination these days. Just say NO to the dumb iAbble way!!
  5. Re:FTFA... by MichaelSmith · · Score: 4, Interesting

    A port block on http would work just as well but serving only https would defeat all variants on this attack, assuming that the certificate is set up correctly.

    The CISRT should know better than to use http without SSL.

  6. Common knowledge by packetmon · · Score: 3, Informative

    It shouldn't come as a shocker that attackers are trying to re-route traffic from legitimate sites to illegitimate ones. What's odd is, ARP spoofing can be curtailed by static ARP addressing and the network administrators of that netblock should be able to stop it outright or at minimum isolate the traffic. This is nothing more than a man in the middle attack and I've always wondered when someone was going to try it on a large scale... Guess I got my answer. Imagine this for a second though and the ramifications of it... Google, well known for huge amounts of servers dispersed throughout the world...

    Attacker on Google farm's network --> man in the middle (for an hour a month) --> undetected --> redirect to malware cocktail site
    Visitors --> replicated Google --> view infected page

    Technically it's possible provided the MITM attacker is on the same network, the network engineers didn't mitigate against it, and someone is really determined.

    We've all (hopefully all of us) heard of the "Storm" botnet. It's not an exaggeration to think of someone getting their act together and creating something on this level of an attack vector. The question is _when_ will it happen. Who knows, for all you know Slashdot was loaded with a cocktail of malware when you visited this site. Hope people get a clue and keep their machines clean. There's no silver bullet solution when an attacker is 1) skillful enough 2) undetectable nowadays 3) has major motivation (finance).
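The two posts above describe the same mechanism from both sides: TheThiefMaster explains that a rogue machine on the hosting segment answers ARP for the gateway so that traffic flows through it, and packetmon notes that pinning the gateway's MAC (static ARP) lets the network operator curtail it. The following is an added example, not code from the thread or from CISRT, of what the defender's side of that looks like: a pinned gateway mapping replayed against a constructed log of observed ARP replies, flagging any reply that claims the gateway with a different MAC and any single MAC that starts answering for several IPs. The log format, the IPs and the MACs are all constructed for the example.

```python
"""Flag ARP replies that contradict a pinned gateway mapping.

Added example, not from the thread.  Assumes the defender has recorded the
legitimate gateway IP->MAC pair (packetmon's "static ARP") and can export
observed ARP replies from a sniffer as "<epoch> <sender_ip> <sender_mac>"
lines.  All sample values below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Pinned IP->MAC pairs that must never change owner (constructed values).
PINNED: Dict[str, str] = {
    "10.0.0.1": "00:11:22:33:44:01",   # the segment's default gateway
}

# Constructed ARP reply log.  Replies 1002/1003 impersonate the gateway;
# reply 1005 shows the same rogue MAC answering for yet another IP.
SAMPLE_ARP_LOG = """\
1000 10.0.0.1 00:11:22:33:44:01
1001 10.0.0.25 00:11:22:33:44:25
1002 10.0.0.1 de:ad:be:ef:00:99
1003 10.0.0.1 de:ad:be:ef:00:99
1004 10.0.0.1 00:11:22:33:44:01
1005 10.0.0.30 de:ad:be:ef:00:99
"""


@dataclass
class Alert:
    ts: int
    ip: str
    seen_mac: str
    reason: str


def parse_arp_log(text: str) -> List[Tuple[int, str, str]]:
    """Parse '<epoch> <ip> <mac>' lines; MACs are normalised to lower case."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip blank or malformed lines
        ts, ip, mac = parts
        records.append((int(ts), ip, mac.lower()))
    return records


def detect_arp_spoofing(records, pinned: Dict[str, str] = PINNED) -> List[Alert]:
    """Return one Alert per suspicious ARP reply, in log order."""
    alerts: List[Alert] = []
    learned: Dict[str, str] = {}          # IP -> MAC first seen for it
    mac_owners: Dict[str, Set[str]] = {}  # MAC -> IPs it has answered for
    pinned_lc = {ip: mac.lower() for ip, mac in pinned.items()}

    for ts, ip, mac in records:
        # 1. A pinned address answered by any other MAC is the textbook
        #    gateway impersonation the thread describes.
        if ip in pinned_lc and mac != pinned_lc[ip]:
            alerts.append(Alert(ts, ip, mac, "pinned IP claimed by unexpected MAC"))
        # 2. An unpinned IP that changes MAC mid-capture is worth a look too.
        elif ip in learned and learned[ip] != mac:
            alerts.append(Alert(ts, ip, mac, "IP changed MAC"))
        learned.setdefault(ip, mac)

        # 3. One MAC answering for several IPs is the other signature of a
        #    host inserting itself into everyone's path.
        owners = mac_owners.setdefault(mac, set())
        if ip not in owners:
            owners.add(ip)
            if len(owners) > 1:
                alerts.append(Alert(ts, ip, mac, "one MAC answering for several IPs"))
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(parse_arp_log(SAMPLE_ARP_LOG)):
        print(f"{a.ts}: {a.ip} -> {a.seen_mac}: {a.reason}")
```

On the sample log this reports the two gateway impersonations at 1002 and 1003 and the shared-MAC alert at 1005; the legitimate reply at 1004 produces nothing. In practice the pinned table would come from the operator's inventory and the records from a live capture rather than a string, but the checks are the same.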

  7. New? by DNS-and-BIND · · Score: 4, Informative
    No, this isn't new. I had it happen on my website while it was hosted in China. At the bottom of every page, there was an IFRAME pointing to an external site, automatically inserted just above the tag. I didn't find out about it because I used Opera, and of course I didn't get infected. I found out because my users were complaining that my front page set off their virus alarms. Silly me, I told them that my whole site was static HTML straight from Dreamweaver, and that there was no dynamic content that could be exploited. I assumed that my webserver was hacked (the Chinese ISP used IIS, of course) and told everyone there was nothing I could do. The problem "resolved itself" and then returned a few times.

    I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  8. Re:CSIRT is dying by will_die · · Score: 3, Informative

    IIS 7 is actually rather nice. It is a complete rewrite from IIS 6, didn't they do that from IIS 5?
    They use Apache methods for uploading files, major fix over IIS6.
    The security is modular and supports security similar to what Apache does.
    And the configuration files are now text files which you edit with your text editor. Wasn't that the main selling point with the IIS pros saying IIS was better because you did not have to use some text file where you had to go in and manually edit?

  9. Chinaons.com by mattr · · Score: 2, Interesting

    I just noticed a day ago that a lot of html files I had stored on a usb hdd (my ipod) had had a line introduced, an iframe going to chinaons.com with some garble after it that might be Chinese. It was really disconcerting. Not just because of the line which was easily removed, but because Virus Buster would DELETE the files.

    I would really like to be able to make certain folders on my ipod read-only password protected when I plug it in, so I know this isn't happening.
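DNS-and-BIND found the injected IFRAME only when visitors' antivirus complained, and mattr's antivirus deleted whole files over a single injected line. The following is an added example, not code from the thread, of the check a site owner can run themselves over saved HTML: it parses each page, reports every iframe whose src points to a host outside a list of hosts the site legitimately embeds, notes whether the frame is sized or styled to be invisible, and returns a copy with only the offending lines removed. The sample page, the allowed hostname and the off-site host are constructed for the example.

```python
"""Report and remove off-site iframes in saved HTML.

Added example, not from the thread.  Assumes the site owner knows which
hostnames their pages legitimately embed; any iframe pointing anywhere
else is reported with its line number, and the caller can drop exactly
those lines instead of losing the whole file.  Sample HTML is constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List, NamedTuple, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed static page: line 4 is a legitimate embed, line 5 is the
# kind of zero-size, off-site frame the thread describes.
SAMPLE_PAGE = """\
<html><head><title>Static page</title></head>
<body>
<p>Nothing dynamic here, just static HTML.</p>
<iframe src="https://www.example.com/widget.html" width="300" height="200"></iframe>
<iframe src="http://evil.example/x.htm" width="0" height="0" style="display:none"></iframe>
</body></html>
"""


class Finding(NamedTuple):
    lineno: int
    src: str
    host: str
    hidden: bool


class IframeCollector(HTMLParser):
    """Collect (line number, attributes) for every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Tuple[int, Dict[str, Optional[str]]]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            lineno, _ = self.getpos()          # 1-based line of the tag
            self.iframes.append((lineno, dict(attrs)))


def _is_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    """0/1-pixel frames or display:none are how drive-by frames stay unseen."""
    def tiny(v: Optional[str]) -> bool:
        return v is not None and v.strip().lower().rstrip("px") in ("0", "1")
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)


def find_foreign_iframes(html: str, allowed_hosts: Set[str]) -> List[Finding]:
    """Return iframes whose src host is neither relative nor in allowed_hosts."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[Finding] = []
    for lineno, attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host == "" or host in allowed:      # same-origin or own embed
            continue
        findings.append(Finding(lineno, src, host, _is_hidden(attrs)))
    return findings


def strip_flagged_lines(html: str, findings: List[Finding]) -> str:
    """Drop only the lines that carry flagged iframes; keep everything else."""
    bad = {f.lineno for f in findings}
    return "\n".join(line for i, line in enumerate(html.split("\n"), 1)
                     if i not in bad)


if __name__ == "__main__":
    hits = find_foreign_iframes(SAMPLE_PAGE, {"www.example.com"})
    for h in hits:
        print(f"line {h.lineno}: iframe to {h.host}{' (hidden)' if h.hidden else ''}")
    print(strip_flagged_lines(SAMPLE_PAGE, hits))
```

The line-based removal is deliberately conservative and matches what mattr did by hand; if an injected tag shares a line with real content, the report still identifies it and the cleanup should be done in an editor rather than by dropping the line. Run over a directory of exported pages, this also gives the owner a record of when the injection appears and disappears, which is the intermittent pattern the submission describes.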