Chinese Security Site Under New Kind of Attack

SkiifGeek writes "The main site for the Chinese Internet Security Response Team (CISRT) has been serving up infrequent attacks against site visitors through the use of an injected IFRAME tag that attempts to download and install numerous pieces of malicious software. While the source of the attack has yet to be identified, suspicion is that it might be an ARP attack being hosted by the CISRT's hosting provider. Rather than a straight-up infection attempt against all site visitors (as was the case with the Bank of India hack), it is an interesting evolution to see intermittent attack attempts against site visitors."

  • FTFA... (Score:1, Insightful)

    by bangenge ( 514660 )

    We are very sorry that sometimes, when visiting some of our pages, malicious code is inserted. We think it doesn't mean that our website has been compromised. It may be due to an ARP attack. We have informed our webserver provider to help us check whether it's due to an ARP attack or not.

    Ummmm... I think if malicious code is inserted into your site, it's been compromised.

    • Re:FTFA... (Score:5, Informative)

      by TheThiefMaster ( 992038 ) on Wednesday October 03, 2007 @04:44AM (#20834697)

      Ummmm... I think if malicious code is inserted into your site, it's been compromised.
      Except it's not being inserted into the website itself, the page is being modified en-route to the client.
      Read up on ARP spoofing [wikipedia.org]. The basic theory is that another machine at the same webhost is pretending to be the gateway to the internet, and so all traffic gets to flow through it and it can modify it as it wishes.
    • If the ARP data is being falsified, visitors to the site could be directed to an alternate clone server, hosting pages with content the same as the original server but also including malicious code. If this is the case then the actual webserver has not been compromised, but users are still being exposed to the malicious code through the cloned server.

      For example:

      Say the webserver of the victim site has a public IP of (1.1.1.1), and a MAC address of (11:11:11:11:11:11). Its home page is (index.html).

      The vict
      • Re:FTFA... (Score:5, Interesting)

        by MichaelSmith ( 789609 ) on Wednesday October 03, 2007 @05:09AM (#20834821) Homepage Journal
        A port block on http would work just as well but serving only https would defeat all variants on this attack, assuming that the certificate is set up correctly.

        The CISRT should know better than to use http without SSL.
        • by Bri3D ( 584578 )
          Have you ever tried using https exclusively on a production web server?
          Some people don't have infinite amounts of money to spend on the CPU to encrypt every byte of their homepage every time someone hits it...
          What's really needed is a signed HTTP solution that doesn't require full-stream encryption; if the user is submitting no data and the data being served is not secret, illegal, confidential, etc. there is no reason for full-stream encryption but a signature would prevent this sort of attack.
      • by jthorpe ( 545911 )
        I'd say it's quite unlikely that this is an ARP spoof. In order for this to work, there would need to be other servers within the same layer 2 broadcast domain, meaning that the attacking server would have to be within the same VLAN. TFA provides nothing to support an ARP spoof as a probable cause.
  • by darthflo ( 1095225 ) on Wednesday October 03, 2007 @04:30AM (#20834641)
    Does anyone understand why such an attack would be launched targeting a security site with a userbase that probably won't be too vulnerable to an IE-specific well-known and detected exploit?
    If this really is an ARP-spoofing based attack, all other sites in their provider's location ought to be vulnerable too and would make better targets, don't you think?

    By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted; 100% of pageviews over 2 days would probably be better than 10% over a week)?
    • Re: (Score:3, Insightful)

      by WindBourne ( 631190 )
      Unless of course, the security site is doing it itself. I would not be surprised if they are trying to inject into clients. More importantly, I would guess that it would not attack systems that come from other known security sites.
    • By the way: what's the point in occasionally inserting the attack code (it will get detected sooner or later, no matter how often it's inserted; 100% of pageviews over 2 days would probably be better than 10% over a week)?
      It's supposed to be an ARP attack. Maybe they can't insert it into every connection.
      • They probably can't insert it into every connection, but the gateway will extremely probably have an ARP cache, which would mean it's inserted into 100% of all requests as long as the gateway's cache is compromised and 0% of all requests for the periods in between. TFA doesn't exactly mention how often and when this happens, but I interpreted it as "into some requests all the time". I don't know the TTL an entry in the gateway's ARP cache will receive but imagine it to be in the order of a few hours rather th
    • by querist ( 97166 )
      Not a strange choice at all...

      If you read the site, people go to this site to post questions when they are having problems. It is not only a "security" site for those of us who are security practitioners, but it is also a forum where non-security people can ask questions or ask for help.

      Actually, it's a great target because one would think that a security site would be safe. And, due to the nature of this attack, there is not much that the site's operators could have done to prevent it (other than the obvio
    • I don't think it's an ARP attack. How can a secure site like this allow a silly attack directed at its site? Maybe it's a part of their strategy... who knows!!!
      • Three possible reasons:

        A) They're renting webspace, not a dedicated box.
        B) The ISP's *gateway* gets the spoofed ARP replies, their content is being reverse proxied through the attacker's server (why not, it may after all be the weakest link)
        C) They didn't secure their box.
  • by Big Nothing ( 229456 ) <tord.stromdal@gmail.com> on Wednesday October 03, 2007 @04:32AM (#20834651)
    "it is an interesting evolution"

    Yes, if by "interesting" you mean "annoying". And by "evolution" you mean "I wish all malware creators would curl up in a corner and die."

    • by Anonymous Coward on Wednesday October 03, 2007 @04:51AM (#20834731)
      Malware creators have feelings too.

      For example, they laugh when you are infected with malware.
    • "it is an annoying I wish all malware creators would curl up in a corner and die."?
    • It's quite possible on this Chinese ISP the majority of users are spammers, scammers, malware writers and blackhats. And they probably all wish the Chinese Internet Security Response Team would stop posting spoilers about their hard work.
  • Common knowledge (Score:4, Informative)

    by packetmon ( 977047 ) on Wednesday October 03, 2007 @06:21AM (#20835097) Homepage
    It shouldn't come as a shocker that attackers are trying to re-route traffic from legitimate sites to illegitimate ones. What's odd is, ARP spoofing can be curtailed by static ARP addressing and the network administrators of that netblock should be able to stop it outright or at minimum isolate the traffic. This is nothing more than a man in the middle attack and I've always wondered when someone was going to try it on a large scale... Guess I got my answer. Imagine this for a second though and the ramifications of it... Google, well known for huge amounts of servers dispersed throughout the world...

    Attacker on GoogleB farm's network --> man in the middle (for an hour a month) --> undetected --> redirect to malware cocktail site
    Visitors --> replicated Google --> view infected page

    Technically it's possible provided the MITM attacker is on the same network, the network engineers didn't mitigate against it, and someone is really determined.

    We've all (hopefully all of us) heard of the "Storm" botnet. It's not an exaggeration to think of someone getting their act together and creating something on this level of an attack vector. The question is _when_ will it happen. Who knows, for all you know Slashdot was loaded with a cocktail of malware when you visited this site. Hope people get a clue and keep their machines clean. There's no silver bullet solution when an attacker is 1) skillful enough 2) undetectable nowadays 3) has major motivation (finance).
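The "static ARP addressing" packetmon mentions, and the gateway-impersonation mechanism TheThiefMaster describes further up the thread, both boil down to one observable on the hosting LAN: the gateway address suddenly resolves to a different link-layer address, and that address usually also claims other hosts on the segment. The script below is an added example, not code from the thread or from CISRT; it parses `ip neigh show` output (Linux iproute2) and compares the gateway's MAC with a value recorded on a known-good day. The gateway IP, the MAC and both sample tables are constructed for the example.

```python
"""Spot a neighbour-table change that points the gateway at a spoofed MAC.

Added example, not from the thread: a host-side check a hosting customer (or
the provider's admins) can run from cron. Sample tables below are constructed.
"""
import re
import subprocess

# Assumed values for this example: the gateway address and the MAC it is
# known to answer from. Record these on a trusted day, not during an incident.
GATEWAY_IP = "10.0.0.1"
GATEWAY_MAC = "00:11:22:33:44:55"

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_ip_neigh(text):
    """Parse `ip neigh show` output into {ip: mac}.

    Lines without a link-layer address (FAILED / INCOMPLETE entries) are skipped.
    """
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        mac = fields[fields.index("lladdr") + 1].lower()
        if MAC_RE.match(mac):
            table[fields[0]] = mac
    return table


def check_table(table, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC):
    """Return a list of findings; an empty list means the gateway looks as expected."""
    findings = []
    seen = table.get(gateway_ip)
    if seen is None:
        findings.append(f"gateway {gateway_ip} is not in the neighbour table")
    elif seen != gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} answers from {seen}, expected {gateway_mac}")

    # One MAC that claims the gateway address *and* another host on the segment
    # is the usual footprint of a spoofer. Treat it as a lead rather than proof:
    # a router that legitimately owns several addresses looks the same.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        others = sorted(ip for ip in ips if ip != gateway_ip)
        if gateway_ip in ips and others:
            findings.append(f"MAC {mac} claims the gateway and {others}")
    return findings


def check_live_host():
    """Run the check against this host's real neighbour table (Linux iproute2)."""
    out = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                         text=True, check=True).stdout
    return check_table(parse_ip_neigh(out))


# Constructed samples in `ip neigh show` format (not captured from CISRT's host).
SAMPLE_CLEAN = """\
10.0.0.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
10.0.0.57 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
10.0.0.99 dev eth0  FAILED
"""

# Here a second host's MAC has taken over the gateway entry.
SAMPLE_SPOOFED = """\
10.0.0.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.57 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
10.0.0.23 dev eth0 lladdr aa:bb:cc:dd:ee:02 STALE
"""

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("spoofed", SAMPLE_SPOOFED)):
        print(name, check_table(parse_ip_neigh(sample)) or "ok")
```

On the spoofed sample the check reports both the changed gateway MAC and the duplicate claim on 10.0.0.57. The host-side form of the static-ARP mitigation is a permanent neighbour entry for the gateway (`ip neigh replace 10.0.0.1 lladdr 00:11:22:33:44:55 dev eth0 nud permanent`, with this example's assumed values), which stops the host honouring gratuitous replies for that address; it does nothing for the provider's gateway cache, which is why the thread keeps coming back to the hosting provider's switch configuration.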
    • What about running a nix box using Firefox, would you still have the problem of acquiring
      this malware on your PC??? If this is not the case, then what about the same thing but inside a VMware install??? Would it not curtail the threat while browsing the internet?
      • Depends... I did a proof of concept for Linux:

        http://www.infiltrated.net/scripts/dsphunxion.sh [infiltrated.net]

        http://www.infiltrated.net/scripts/dsphunxion.output [infiltrated.net]

        The concept was a pseudo heuristic worm to be downloaded via a vuln on a Linux box. Caveats... Surfer would have to be root... Could be re-written to exploit something else to gain root though. Someone with modsecurity skills could do a re-write based on header information and redirect Linux boxes to their appropriate pages to download and exploit it though. A

        • My hat's off to you, if you were the one to write this code, got to say,
          I know when I am in the presence of greatness... again, if you were the one to write the code.

          My compliments on the actual proof of concept though, beautiful!

          Care to elaborate on what your stem would be for accomplishing further steps, as the person
          accessing the page may not really have root, would there be a way to own the machine regardless
          of root access, maybe using a redirect to a process that does have root, say calling from firefox'
      • by DrSkwid ( 118965 )
        You know you've lost when you can't trust your OS to run user apps and you think the VM will save you.
        • My point was still just using the snapshot ability to overwrite the previous OS install after maybe 2 days; seeing as a snapshot takes about 15 minutes to restore, you could do a snapshot after the full install+upgrades etc.... then use that as your base for a malware-free OS, and after 2 days' usage, whether you have malware or not, refresh the OS so to speak.

          I know this philosophy of using vmware may not be the original intent for its deployment, but
          short of creating your own os to be 100% certain that no malwa
          • by DrSkwid ( 118965 )
            even Linux! Say it ain't so.

            Eventually your malware will overwrite your snapshots or the binary that restores them.

            That said, the OS [bell-labs.com] I use has daily snapshots (or as often as you like) to a central server (thus enabling coalescing of data blocks, i.e. repeated blocks of data are stored only once). The choice of which snapshot to use is per process, so, for instance, you can compile yesterday's code in one window and last week's in another and see what changed. Or boot any terminal into last month's state of a
            • unless someone was smart enough to have burned that ISO of the snapshot on a DVD before any malware got to it, so as to have a proper image each time.... and I know someone who was a god in Linux that taught me what to place on the CD-ROM to avoid recompiles, so that certain directories could not be written to, therefore not rootkitted...

              "And they told me i couldn't play 7/8, I just did 2 bars of 3/4 and a 1"
              • by DrSkwid ( 118965 )
                Plan 9 taught me that if your terminal needs backing up, you have already lost.
                Boot diskless and you don't need to image your disks and hope for the best, because all of your terminals are just that, terminals. Storage belongs somewhere safe. These days cheap high speed networking should be making disks redundant in a LAN situation. The place is a damn sight quieter and consumes less energy.

                There's a lot of places a 500MHz EPIA fanless will do just fine.
  • New? (Score:4, Informative)

    by DNS-and-BIND ( 461968 ) on Wednesday October 03, 2007 @06:29AM (#20835139) Homepage
    No, this isn't new. I had it happen on my website while it was hosted in China. At the bottom of every page, there was an IFRAME pointing to an external site, automatically inserted just above the tag. I didn't find out about it because I used Opera, and of course I didn't get infected. I found out because my users were complaining that my front page set off their virus alarms. Silly me, I told them that my whole site was static HTML straight from Dreamweaver, and that there was no dynamic content that could be exploited. I assumed that my webserver was hacked (the Chinese ISP used IIS, of course) and told everyone there was nothing I could do. The problem "resolved itself" and then returned a few times.

    I've since moved to a Hong Kong server running BSD/Apache. Much cheaper, I get an actual control panel, and I'm not subject to the ridiculous requirements of the ICP permit. You know what you have to go through to get one of those for a business? Insane! And don't even mention that you're a foreigner, they go apeshit.

    • i think the chinese can be more dangerous than anything on earth... ;)
    • You hosted a website in China parodying the Communist Chinese government and you're complaining that they're bothering you with annoying paperwork? Unless I'm misreading the whole point of your site, either the government has finally developed some sense of humor or you're lucky to be alive.
      • Who said the site in my profile was the site I was talking about? The poster's website is hosted in the USA, because that's where the customers are. The site I was talking about is for people in China, hence the hosting in China. Otherwise, there's no reason to host here; service is awful, expensive, and very very slow if you're outside the Great Firewall.
    • As you've found out, it's a good idea to regularly check your pages, using many browsers (or, at least, the main ones like IE, Firefox...). Your host can screw things up for you, even simple things like breaking links, let alone stuff like this.

      There are 3rd parties that can do this for you also.
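DNS-and-BIND's account above (an IFRAME appended just above the closing tag of every page, noticed only when visitors' virus scanners complained) and the advice to check your own pages regularly describe the same control: compare what a visitor actually receives with what you published, and look specifically for frames that leave the site or are sized to be invisible. The script below is an added example, not code from the thread or from any of the sites mentioned; the site name `www.example.com`, the `malware.example` host and both sample pages are constructed for it. Because an en-route modification never touches the files on the server, the fetch has to be made from outside the hosting LAN.

```python
"""Detect an IFRAME injected into a served page, as seen from outside the host.

Added example, not from the thread: fetch (or read) the page a visitor gets,
compare it with the copy you published, and flag IFRAMEs pointing at other
hosts or hidden from view. Sample pages below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k: (v or "") for k, v in attrs})


def page_digest(html):
    """SHA-256 of the page text, recorded once for the copy you published."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def suspicious_iframes(html, site_host):
    """Return iframe src values that leave the site or are hidden from the viewer."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlsplit(src).hostname  # None for relative URLs such as /news.html
        foreign = host is not None and host.lower() != site_host.lower()
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = (attrs.get("width", "").strip() == "0"
                  or attrs.get("height", "").strip() == "0"
                  or "display:none" in style)
        if foreign or hidden:
            hits.append(src)
    return hits


def audit_page(served_html, site_host, published_digest=None):
    """Compare what visitors receive with what you published; empty list means clean."""
    findings = []
    if published_digest is not None and page_digest(served_html) != published_digest:
        findings.append("served content differs from the published copy")
    for src in suspicious_iframes(served_html, site_host):
        findings.append(f"suspicious iframe: {src or '(no src)'}")
    return findings


def fetch_served_html(url):
    """Fetch the page the way a visitor would (run this from outside the hosting LAN)."""
    from urllib.request import urlopen
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed pages for an assumed site at www.example.com.
PUBLISHED = """<html><body>
<h1>Static page</h1>
<iframe src="/widgets/news.html" width="300" height="120"></iframe>
</body></html>
"""

# The same page as a visitor would receive it with one line added just above
# the closing body tag, sized so nothing is visible.
INJECTED = PUBLISHED.replace(
    "</body>",
    '<iframe src="http://malware.example/x.htm" width="0" height="0"></iframe>\n</body>')

if __name__ == "__main__":
    baseline = page_digest(PUBLISHED)
    print("published:", audit_page(PUBLISHED, "www.example.com", baseline) or "clean")
    print("injected: ", audit_page(INJECTED, "www.example.com", baseline))
```

The digest comparison catches any change at all and is the right check for a fully static site; the iframe scan is what keeps the alert useful on a site whose pages legitimately change, and it is also the part that would have fired on the ARP-injected page regardless of which browser the site owner happened to use.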
  • ARP attacks against websites like this are relatively uncommon but fairly easy to do. ISC (isc.sans.org) did a write-up not too long ago where someone's customer was attacked like this. Due to a lack of switch security and clients not using static ARP tables etc., this attack will succeed pretty frequently when hosts are on the same subnet/VLAN. I'm not sure the CSIRT website gets too much traffic to begin with, definitely more after being slashdotted. I don't think saying that their user-base doesn't use
  • by Anonymous Coward
    I know another site that got EXACTLY this problem (iframes in the code, linking to malware); this was because of a worm exploiting vulnerabilities in php scripts. I wouldn't be surprised if they got hax0red and tried to say "hey it's ARP poisoning, another server got owned, not us!" What a shaaaame, they got pwn3d, that's it, you can be sure.
  • I think maybe this is a part of CISRT's trick to spread viruses. As a result more site visitors will look to them for help. And maybe the Chinese government didn't pay salary for the employees at CISRT, and they use this attack to take revenge.
  • Nice tag guys: thatswhatyagetforalltheleadpaint. *Someone* is a little bitter over recent Chinese cyber attacks, not naming countries or anything.
  • Chinaons.com (Score:3, Interesting)

    by mattr ( 78516 ) <mattr at telebody.com> on Wednesday October 03, 2007 @11:15PM (#20847629) Homepage Journal
    I just noticed a day ago that a lot of html files I had stored on a usb hdd (my ipod) had had a line introduced, an iframe going to chinaons.com with some garble after it that might be Chinese. It was really disconcerting. Not just because of the line which was easily removed, but because Virus Buster would DELETE the files.

    I would really like to be able to make certain folders on my ipod read-only password protected when I plug it in, so I know this isn't happening.
