The Websense Security Labs Blog delivers the most current information about breaking security research topics and today's advanced Internet threats. Websense Security Labs investigates and publishes information about outbreaks, new threats and other relevant Web security topics to protect organizations from converging risks to their data from Web, email and user based attacks.
ARP spoofing HTTP infection malware
12.21.2007 - 2:02 PM
This year, we've seen many ARP spoofing viruses, also known as ARP cache-poisoning viruses. This type of malware comes in many variants and is widespread in China. Recently, we uncovered an ARP spoofing virus that exhibits several new features.
The new ARP spoofing virus inserts a malicious URL into the HTTP response of a session, thereby pulling in significant malicious content, and then exploits Internet Explorer. At the same time, the virus makes the poisoned host act as an HTTP proxy server: when any machine on the same subnet as the poisoned machine accesses the Internet, its traffic goes through the poisoned machine.
Let's take a detailed look at the features of the latest ARP spoofing virus.
This type of virus replaces the MAC address of the Gateway machine with the MAC address of the poisoned machine. The following screen shows the correct Gateway MAC address:
When we run the ARP spoofing virus, the Gateway MAC address changes: the poisoned machine replaces the real Gateway MAC address with its own MAC address, as shown in the following diagram.
Now let's view a detailed virus analysis report.
The following diagram shows the mechanism used by this type of virus. Normally, when we open a Web page, the traffic goes to the Gateway machine directly (see pathway 4). But if the local network is infected by an ARP spoofing virus, the traffic goes through the poisoned machine before it goes to the Gateway, as indicated by pathway 5 and pathway 6 below:
T...
"Automated JavaScript Deobfuscation" at PacSec 2007
12.07.2007 - 2:02 PM
Alex Rice and I just returned from Tokyo, where we presented at PacSec 2007 [http://www.pacsec.jp/].
Dragos Ruiu (PacSec organizer)
(Websense Security Labs researchers: Alex Rice, Stephan Chenette)
The topic of our presentation was: "Automated JavaScript Deobfuscation." We shared with our audience the latest tools and techniq...
AVAR 2007 in Seoul
12.06.2007 - 2:02 PM
This year's gathering of the Association of Anti Virus Asia Researchers (AVAR 2007) was held in Seoul at the end of November, from the 28th to the 30th. Approximately 220 researchers from around the world attended the conference.
The hot topics at the c...
2008 Security Predictions
12.05.2007 - 2:02 PM
1. Olympics -- new cyber attacks, phishing and fraud
Event-based attacks and scams are popular, and with the whole world watching, the 2008 Olympics may fuel a surge in cyberattacks. As the Olympic torch burns, Websense researchers predict the possibility of large scale denial-of-service (DoS) attacks on Beijing Olympic-related sites as political statements and fraud attempts through email and the Web surrounding the Olympics. Additionally, Websense predicts compromises of popular Olympic news or other sports sites -- attacks designed to install malicious code on end-users' machines and steal personal or confidential business information.
2. Malicious SPAM invades blogs, search engines, forums and Web sites
Websense predicts that hackers will increasingly use Web spam to post URLs to malicious sites within forums, blogs, in the commentary or "talk-back" sections of news sites and on compromised Web sites. This activity not only drives traffic to the infected Web sites but also assists in the purveyor's site sitting higher on search engine rankings, increasing the risk that users will visit the site.
3. Attackers use Web's 'weakest links' to launch attacks
The Web is an entanglement of links and content. The advent of Web 2.0 additions such as Google Adsense, mash-ups, widgets, and social networks along with the massive amounts of Web advertisements linked to Web p...
Department of Justice Trojan Horse
12.03.2007 - 2:02 PM
Websense® Security Labs™ has discovered a new email attack variant similar to attacks previously launched on the IRS and Better Business Bureau. The spoofed email claims to be from the United States Department of Justice (USDOJ). We have been tracking these attacks and have previously reported on them o...
Previous Posts
December 2007
| 12.21.2007 | ARP spoofing HTTP infection malware » |
| 12.07.2007 | "Automated JavaScript Deobfuscation" at PacSec 2007 » |
| 12.06.2007 | AVAR 2007 in Seoul » |
| 12.05.2007 | 2008 Security Predictions » |
| 12.03.2007 | Department of Justice Trojan Horse » |