Slashdot Mirror

← Back to Stories (view on slashdot.org)

Chinese Security Site Under New Kind of Attack

Posted by kdawson on from the novel-twist dept.

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

6 of 73 comments (clear)

  1. Strange Choice of Target, eh? by darthflo · · Score: 4, Interesting

    Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
    If this really is an ARP-spoofing based attack all other sites in their providers location ought to be vulnerable too and would make better targets, don't you think?

    By the way: what's the point in occasinally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

  2. Interesting? by Big+Nothing · · Score: 5, Funny

    "it is an interesting evolution"

    Yes, if by "interesting" you mean "annoying". And by "evolution" you mean "I wish all malware creators would curl up in a corner and die."

    --
    SIG: TAKE OFF EVERY 'CAPTAIN'!!
    1. Re:Interesting? by Anonymous Coward · · Score: 5, Funny

      Malware creators have feelings too.

      For example, they laugh when you are infected with malware.

  3. Re:FTFA... by TheThiefMaster · · Score: 4, Informative

    Ummmm... I think if malicious code is inserted into your site, it's been compromised. Except it's not being inserted into the website itself, the page is being modified en-route to the client.
    Read up on ARP spoofing . The basic theory is that another machine at the same webhost is pretending to be the gateway to the internet, and so all traffic gets to flow through it and it can modify it as it wishes.
  4. Re:FTFA... by MichaelSmith · · Score: 4, Interesting

    A port block on http would work just as well but serving only https would defeat all variants on this attack, assuming that the certificate is set up correctly.

    The CISRT should know better than to use http without SSL.

    --
    http://michaelsmith.id.au
  5. New? by DNS-and-BIND · · Score: 4, Informative
    No, this isn't new. I had it happen on my website while it was hosted in China. At the bottom of every page, there was an IFRAME pointing to an external site, automatically inserted just above the tag. I didn't find out about it because I used Opera, and of course I didn't get infected. I found out because my users were complaining that my front page set off their virus alarms. Silly me, I told them that my whole site was static HTML straight from Dreamweaver, and that there was no dynamic content that could be exploited. I assumed that my webserver was hacked (the Chinese ISP used IIS, of course) and told everyone there was nothing I could do. The problem "resolved itself" and then returned a few times.

    I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!