Chinese Security Site Under New Kind of Attack

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

Re:

[El Lobo]

IIS on a Windows 2003 server? That is one of the better and most secure combinations you can have today! Seriously, don't fool yourself. IIS 6 and 7 have a record of almost none critical exploits. In comparation with Apache it simply shimnes. And Windows 2003 is rock solid.

Re:

[Yetihehe]

Yeah. I still remember my first time installing 2003. After installation I have downloaded all patches with autoupdate. Next day I have run IE first time and there was already some adware on it. So it is NOT secure.

Re:

[Yetihehe]

if you got some adware I'm sure you are the one to be blamed somehow

But HOW? As I said, first running of IE on fresh install after automatic updates and leaving computer overnight. On previous installations there were no adware at first, only after some time. So this was a test to check if it got there by itself. No one other than me had access to this computer. So windows 2003 is TOTALLY not secure (by default). I don't say it's less or more secure than apache+linux, but I have yet to have some virus on m

Re:

[PopeRatzo]

But HOW? As I said, first running of IE on fresh install after automatic updates and leaving computer overnight.

Maybe it came on the installation disk. It was Windows Server 2003, right?

Oblig. car analogy.

[TapeCutter]

I drove my new car out of the sales yard without looking and got cleaned up by a truck, obviously it's the car's fault.

IIS != IE

[mousse-man]

The Internet Immolation Server has actually become more secure, with few, if any, bad security holes found in the last two years. However, this does not hinder the coder to develop secure software, and anything that plugs into IIS needs to be as secure as IIS.

The Internet Exploder however - well, it's reputation is well ahead of any statistics, as my de-wormed Windows boxen demonstrate.

Re:

[mycall]

Unless you do a UDP spoof onto a service that isn't patched.

Re:CSIRT is dying

[will_die]

IIS 7 is actually rather nice. It is a complete rewrite from IIS 6, didn't they do that from IIS 5?
They use Apache methods for uploading files, major fix over IIS6.
The security is modular and supports security similar to what Apache does.
And the configuration files are now text files which edit with your text editor. Wasn't that the main selling point with the IIS pros saying IIS was better because you did not have to use some text file where you had to go in manually edit?

Re:

[El Lobo]

It is. IIS7 is configurated via the usual GUI. The settings are STORED in text files, though, and not in the register as it was in older versions (to comply with .NET apps). But an administrator should not feel the diference.

Re:

[flonker]

Only a very few settings were stored in the registry. Most of the settings are in the metabase. Don't ask, you really don't want to know. It is like the registry, only even more obscure to edit, and more prone to severe breakage.

Re:

[DrSkwid]

"Completely re-written" doesn't often preface "therefore more secure".

FTFA...

[bangenge]

We are very sorry that when sometimes visiting our some pages, malicious codes are inserted. We think it doesn't mean that our website has been compromised. It's maybe due to ARP attack. We have informed our webserver provider to help us check whether it's due to ARP attack or not.

Ummmm... I think if malicious code is inserted into your site, it's been compromised.

Re:FTFA...

[TheThiefMaster]

Ummmm... I think if malicious code is inserted into your site, it's been compromised.

Except it's not being inserted into the website itself, the page is being modified en-route to the client.
Read up on ARP spoofing . The basic theory is that another machine at the same webhost is pretending to be the gateway to the internet, and so all traffic gets to flow through it and it can modify it as it wishes. [wikipedia.org]

Re:

[rk075456]

yes, absolutely right..

Re:Injected

[rk075245]

I think this attack cause by programming error. The program not secure, non-malicious problems. The proggramming flaw involve synchronization. The time-of-check to time-of-use (TOCTTOU) flaw concern mediation that is perform with a "bait and switch" in middle.

Re:

[mcrbids]

Except it's not being inserted into the website itself, the page is being modified en-route to the client.
Read up on ARP spoofing...[SNIP]

Which is why SSL should be more commonly used. Seriously - an SSL cert costs less than a hundred bux/year, or less than two hundred bux per year for one that allows wildcard subdomains [rapidssl.com] and completely defeats this, and loads of other attacks. (No, I'm not affiliated with RapidSSL, but I am a happy customer)

The nice thing about wildcard SSL is that it effectively allows you

Re:

[TT076750]

ya.. i agree with u

Re:

[unsubscribe]

If the ARP data is being falsified, visitors to the site could be directed to an alternate clone server, hosting pages with content the same as the original server but also including malicious code. If this is the case then the actual webserver has not been compromised, but users are still being exposed to the malicious code through the cloned server.

For example:

Say the webserver of the victim site has a public IP of (1.1.1.1), and a MAC address of (11:11:11:11:11:11). Its home page is (index.html).

The vict

Re:FTFA...

[MichaelSmith]

A port block on http would work just as well but serving only https would defeat all variants on this attack, assuming that the certificate is set up correctly.

The CISRT should know better than to use http without SSL.

Re:

[Bri3D]

Have you ever tried using https exclusively on a production web server?
Some people don't have infinite amounts of money to spend on the CPU to encrypt every byte of their homepage every time someone hits it...
What's really needed is a signed HTTP solution that doesn't require full-stream encryption; if the user is submitting no data and the data being served is not secret, illegal, confidential, etc. there is no reason for full-stream encryption but a signature would prevent this sort of attack.

Re:

[jthorpe]

I'd say it's quite unlikely that this is an ARP spoof. In order for this to work, there would need to be other servers within the same layer 2 broadcast domain, meaning that the attacking server would have to be within the same VLAN. TFA provides nothing to support an ARP spoof as a probable cause.

Strange Choice of Target, eh?

[darthflo]

Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
If this really is an ARP-spoofing based attack all other sites in their providers location ought to be vulnerable too and would make better targets, don't you think?

By the way: what's the point in occasinally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

Re:

[WindBourne]

Unless of course, the security site is doing it iself. I would not be surprised if they are trying to inject into clients. More importantly, I would guess that it would not attack systems that come from other known security sites.

Re:

[Geheimagent]

By the way: what's the point in occasinally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted, 100% of pageviews over 2 days would probably be better than 10% over a week)?

It's supposed to be an arp attack. Maybe they can't insert it into every connetion.

Re:

[darthflo]

They probably can't insert it into every connection, but the gateway will extremely probably have an arp cache which would mean it's inserted into 100% of all requests as long as the gateway's cache is compromised and 0% of all requests for the periods inbetween. TFA doesn't exactly mention how often and when this happens, but I interpreted it as "into some requests all the time". I don't know the TTL an entry in the gateway's ARP cache will receive but imagine it to be in the order of a few hours rather th

Re:

[querist]

Not a strange choice at all...

If you read the site, people go to this site to post questions when they are having problems. It is not only a "security" site for those of us who are security practitioners, but it is also a forum where non-security people can ask questions or ask for help.

Actually, it's a great target because one would think that a security site would be safe. And, due to the nature of this attack, there is not much that the site's operators could have done to prevent it (other than the obvio

Re:

[rk076200]

i don't think so its an ARP attack. how can a secure site like this can allow a silly attack directed to it's site.. maybe it's a part of their strategy..who knows!!!

Re:

[darthflo]

Three possible reasons:

A) They're renting webspace, not a dedicated box.
B) The ISP's *gateway* gets the spoofed ARP replies, their content is being reverse proxied thru the attackers server (why not, it may after all be the weakest link)
C) They didn't secure their box.

Interesting?

[Big Nothing]

"it is an interesting evolution"

Yes, if by "interesting" you mean "annoying". And by "evolution" you mean "I wish all malware creators would curl up in a corner and die."

Re:Interesting?

[Anonymous Coward]

Malware creators have feelings too.

For example, they laugh when you are infected with malware.

Re:

[someone1234]

And i will laugh when the chinese police shots them on the spot.

Re:

[Dr. Cody]

"it is an annoying I wish all malware creators would curl up in a corner and die."?

Re:

[Hal_Porter]

It's quite possible on this Chinese ISP the majority of users are spammers, scammers, malware writer and blackhats. And they probably all wish the Chinese Internet Security Response Team would stop posting spoilers about their hard work.

Common knowledge

[packetmon]

It shouldn't come as a shocker that attackers are trying to re-route traffic from legitimate sites to illegitimate ones. What's odd is, ARP spoofing can be curtailed by static ARP addressing and the network administrators of that netblock should be able to stop it outright or at minimum isolate the traffic. This is nothing more than a man in the middle attack and I've always wondered when someone was going to try it on a large scale... Guess I got my answer. Imagine this for a second though and the ramifications of it... Google, well known for huge amounts of servers dispersed throughout the world...

Attacker on GoogleB farm's network --> man in the middle (for an hour a month) --> undetected --> redirect to malware cocktail site Visitors --> replicated Google --> view infected page

Technically its possible provided the MITM attacker is on the same network, the network engineers didn't mitigate against it, someone is really determined.

We've all (hopefully all of us) have heard of the "Storm" botnet. Its not an exaggeration to think of someone getting their act together and creating something on this level of an attack vector. The question is _when_ will it happen. Who knows for all you know Slashdot was loaded with a cocktail of malware when you visited this site. Hope people get a clue and keep their machines clean. There's not silver bullet solution when an attacker is 1) skillful enough 2) undetectable nowadays 3) has major motivation (finance).

Re:Common knowledge...firefox?

[hesaigo999ca]

What about running a nix box using firefox, would you still have the problem of aquiring
these malwares on your pc??? If this is not the case, then what about the same thing but inside a vmware install??? would it not curtail the threat while browsing the internet?

Re:

[packetmon]

Depends... I did a proof of concept for Linux:

http://www.infiltrated.net/scripts/dsphunxion.sh [infiltrated.net]

http://www.infiltrated.net/scripts/dsphunxion.output [infiltrated.net]

The concept was a pseudo heuristic worm to be download via vuln on a Linux box. Caveats... Surfer would have to be root... Could be re-written to exploit something else to gain root though. Someone with modsecurity skills could do a re-write based on header information and redirect Linux boxes to their appropriate pages to download and exploit it though. A

Re:

[hesaigo999ca]

My hats off to you, if you were the one to write this code, got to say,
I know when I am in the presence of greatness....again if you were the one to write the code.

My compliments on the actual proof of concept though, beautiful!

Care to elaborate on what your stem would be for accomplishing further steps, as the person
accessing the page may not really have root, would there be a way to own the machine regardless
of root access, maybe using a redirect to a process that does have root, say calling from firefox'

Re:

[DrSkwid]

You know you've lost when you can't trust your OS to run user apps and you think the VM will save you.

Re:

[hesaigo999ca]

My point was still just using the snapshot ability to overwrite the previous os install after maybe 2 days, seeing as a snapshot takes about 15 minutes to restore, you could do a snapshot after the full install+upgrades etc.... then use that as your base for a malware free os, and after 2 days usage, wether you have malware or not, refresh os so to speak.

I know this philosophy of using vmware may not be the original intent for its deployment, but
short of creating your own os to be 100% certain that no malwa

Re:

[DrSkwid]

even Linux ! say it aint so.

Eventually your malware will overwrite your snapshots or the binary that restores them.

That said, the OS [bell-labs.com] I use has daily snapshots (or as often as you like) to a central server (thus enabling coalescing of data blocks i.e. repeated blocks of data are stored only once). The choice of which snapshot to use is per process, so, for instance, you can compile yesterday's code in one window and last weeks in another and see what changed. Or boot any terminal into last month's state of a

Re:

[hesaigo999ca]

unless someone was smart enough to have burned that iso of the snapshot on a dvd bhefore any malware got to it, so as to have a proper image each time....and I know someone who was a god in linux that tought me what to place on the cd-rom to avoid recompiles, so that certain directories could not be written to, therefor not rootkitted...

"And they told me i couldn't play 7/8, I just did 2 bars of 3/4 and a 1"

Re:

[DrSkwid]

Plan 9 taught me that if your terminal needs backing up, you have already lost.
Boot diskless and you don't need to image your disks and hope for the best because all of your terminals are just that, terminals. Storage belongs somewhere safe. These days cheap high speed networking should be making disks redundant in a LAN situation. The place is a damn sight quieter consumes less energy.

There's a lot of places a 500Mhz EPIA fanless will do just fine.

New?

[DNS-and-BIND]

No, this isn't new. I had it happen on my website while it was hosted in China. At the bottom of every page, there was an IFRAME pointing to an external site, automatically inserted just above the tag. I didn't find out about it because I used Opera, and of course I didn't get infected. I found out because my users were complaining that my front page set off their virus alarms. Silly me, I told them that my whole site was static HTML straight from Dreamweaver, and that there was no dynamic content that could be exploited. I assumed that my webserver was hacked (the Chinese ISP used IIS, of course) and told everyone there was nothing I could do. The problem "resolved itself" and then returned a few times.

I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.

Re:

[rk076200]

i think the chinese can be more dangerous than anything on earth... ;)

Re:

[ColdWetDog]

You hosted a website in China parodying the Communist Chinese government and you're complaining that they bothering you with annoying paperwork? Unless I'm misreading the whole point of your site, either the government has finally developed some sense of humor or you're lucky to be alive.

Re:

[DNS-and-BIND]

Who said the site in my profile was the site I was talking about? The posters website is hosted in the USA, because that's where the customers are. The site I was talking about is for people in China, hence the hosting in China. Otherwise, there's no reason to host here, service is awful, expensive, and very very slow if you're outside the Great Firewall.

Re:

[Bearhouse]

As you've found out, it's a good idea to regularly check your pages, using many browsers, (or - at least - the main ones like IE, Firefox...) Your host can screw things up for you - even simple things like breaking links, let alone stuff lie this.

There are 3rd parties that can do this for you also.

ARP Attacks

[madsheep]

ARP attacks against websites like this are relatively uncommon but fairly easy to do. ISC (isc.sans.org) did a write-up not too long ago where someone's customer was attacked like this. Due to a lack of switch security and clients not using static ARP tables etc. this attack will exceed pretty frequently when hosts are on the same subnet/VLAN. I'm not sure the CSIRT website gets too much traffic to begin with, definitely more after being slashdotted. I don't think saying that their user-base doesn't use

shame, but it's a lie

[Anonymous Coward]

I know another site who got EXACTLY this problem (iframes in the code, linking to malware), this was because of a worm exploiting vulnerabilities in php scripts, i wouldn't be surprised if they got hax0red and tried to say "hey it's ARP poisoning, another server got owned, not us!" what a shaaaame, they got pwn3d that's it, you can be sure.

is it possible

[arjun21]

i think maybe this is a part of CISRT's trick to spread viruses. as a result more site visitors will look after them for help. and maybe the chinise government didnt pay salary for the employees at CISRT, and they use this attack to take revenge.

nice tag

[BMojo]

Nice tag guys: thatswhatyagetforalltheleadpaint. *Someone* is a little bitter over recent Chinese cyber attacks, not naming countries or anything.

Chinaons.com

[mattr]

I just noticed a day ago that a lot of html files I had stored on a usb hdd (my ipod) had had a line introduced, an iframe going to chinaons.com with some garble after it that might be Chinese. It was really disconcerting. Not just because of the line which was easily removed, but because Virus Buster would DELETE the files.

I would really like to be able to make certain folders on my ipod read-only password protected when I plug it in, so I know this isn't happening.