Dailydave mailing list archives

non-blind tcp spoofing made profitable :)


From: Fyodor <fygrave () gmail com>
Date: Fri, 6 Mar 2009 23:07:49 +0800

check this -  
http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.zdnet.com.tw%2Fnews%2Fweb%2F0%2C2000085679%2C20136641%2C00.htm&lp=zt_en&btnTrUrl=Translate

Apparently some malware creativity from China is kicking some bad-ass
sh*t on the network here in Taiwan. Started a few days ago, is
happening as I write this message... anyways, here's what's going on:
Apparently something got own3d on the way from Taiwan to Singapore,
and I believe TCP connections are being sniffed for valid syn/acks (as
we don't see floods of bad tcp packets here) and then redirect packets
with valid syn/ack numbers are being automatically sent with redirect
to some web sites in mainland china containing ad clicks, or malware
or both.

The thing is still happening as we speak; the "big" sites like
tw.msn.com are affected. However, not every user is affected, but rather
some large groups of users. I think it depends on how you're being
routed (i.e. I can't reproduce stuff from my segments).

I happened to look at the packet captures, it looks like an automated
non-blind tcp spoofing attack.
The interesting things about the spoofed packets: ip.id is always
0x0100, the TTL is always around 0x7x (0x70, 0x72 in other segments,
but is static). The packets have a fixed size and are always fin,ack
packets that trigger a few rsts afterwards.

there are some screenshots of the captured traffic available here -
http://blog.richliu.com/2009/03/05/743/, see if you can spot more
'diffs' :) I also posted the 'affected' and 'non-affected' traces in
comments.

-- 
http://o0o.nu
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
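The fingerprints described in the post (a FIN/ACK carrying data, a fixed ip.id of 0x0100, and a TTL that does not match the real server's) are enough to pick the injected segments out of a capture after the fact. The script below is an added example, not code from the post or from the blog it links to: it parses raw IPv4/TCP headers, takes the first segment seen in each direction of a flow as the TTL baseline (the assumption being that the capture starts at the handshake, so the real SYN/ACK arrives before any forged segment), and flags later segments that break that baseline or match the FIN/ACK-plus-fixed-id pattern. The packet bytes, addresses and HTTP payloads are constructed here, with checksums left at zero since nothing is ever sent.

```python
"""Offline detector for injected (non-blind spoofed) TCP segments.

Hypothetical example: parses constructed IPv4/TCP packets and flags segments
whose TTL breaks the per-flow baseline, or FIN/ACK segments carrying data
with the fixed IP ID described in the post. No live capture is read.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
FIXED_IP_ID = 0x0100  # ip.id value the post reports for every spoofed segment


def build_packet(src, dst, sport, dport, seq, ack, flags, ttl, ip_id, payload=b""):
    """Build a minimal IPv4/TCP packet (no options; checksums left at zero
    because these bytes are only parsed offline, never transmitted)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp + payload


def parse_packet(raw):
    """Decode the IPv4 and TCP headers into a dict; None for non-TCP packets."""
    ver_ihl, _, total_len, ip_id, _, ttl, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    sport, dport, seq, ack, off, flags, _, _, _ = struct.unpack(
        "!HHIIBBHHH", raw[ihl:ihl + 20])
    data_off = (off >> 4) * 4
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "ttl": ttl, "ip_id": ip_id, "payload": raw[ihl + data_off:total_len],
    }


def detect_injected(raw_packets, ttl_slack=2):
    """Return [(index, reasons)] for segments that look injected.

    The first segment seen per direction (src, sport, dst, dport) sets the
    TTL baseline; a later segment from the same direction whose TTL differs
    by more than ttl_slack hops did not take the endpoint's usual path and is
    most likely forged. A FIN/ACK that carries data and uses FIXED_IP_ID is
    the second signal from the post. Both checks are heuristics: a real route
    change can shift the TTL, so treat a hit as something to inspect.
    """
    baseline_ttl = {}
    flagged = []
    for i, raw in enumerate(raw_packets):
        p = parse_packet(raw)
        if p is None:
            continue
        direction = (p["src"], p["sport"], p["dst"], p["dport"])
        if direction not in baseline_ttl:
            baseline_ttl[direction] = p["ttl"]
            continue
        reasons = []
        if abs(p["ttl"] - baseline_ttl[direction]) > ttl_slack:
            reasons.append("ttl-mismatch")
        is_fin_ack = (p["flags"] & (FIN | ACK)) == (FIN | ACK)
        if is_fin_ack and p["payload"] and p["ip_id"] == FIXED_IP_ID:
            reasons.append("fin-ack-fixed-ipid")
        if reasons:
            flagged.append((i, reasons))
    return flagged


# Constructed sample flow: addresses, ports and TTLs are made up for the demo.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
CPORT, SPORT = 40000, 80
CSEQ, SSEQ = 1000, 5000
CLIENT_TTL, SERVER_TTL, FORGED_TTL = 64, 52, 0x70


def sample_flow():
    """Handshake and request, then a forged FIN/ACK using the sniffed seq/ack
    numbers, then the real response (now useless) and the client's RST."""
    request = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    redirect = b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"
    ack_after_req = CSEQ + 1 + len(request)
    return [
        build_packet(CLIENT, SERVER, CPORT, SPORT, CSEQ, 0, SYN, CLIENT_TTL, 1000),
        build_packet(SERVER, CLIENT, SPORT, CPORT, SSEQ, CSEQ + 1, SYN | ACK, SERVER_TTL, 4501),
        build_packet(CLIENT, SERVER, CPORT, SPORT, CSEQ + 1, SSEQ + 1, ACK, CLIENT_TTL, 1001),
        build_packet(CLIENT, SERVER, CPORT, SPORT, CSEQ + 1, SSEQ + 1, PSH | ACK, CLIENT_TTL, 1002, request),
        # forged: correct numbers, but the injector's TTL and the fixed ip.id give it away
        build_packet(SERVER, CLIENT, SPORT, CPORT, SSEQ + 1, ack_after_req, FIN | ACK, FORGED_TTL, FIXED_IP_ID, redirect),
        build_packet(SERVER, CLIENT, SPORT, CPORT, SSEQ + 1, ack_after_req, PSH | ACK, SERVER_TTL, 4502, b"HTTP/1.1 200 OK\r\n\r\n"),
        build_packet(CLIENT, SERVER, CPORT, SPORT, ack_after_req, SSEQ + 2, RST, CLIENT_TTL, 1003),
    ]


if __name__ == "__main__":
    for index, reasons in detect_injected(sample_flow()):
        print(f"packet {index}: {', '.join(reasons)}")
```

Only the forged segment (index 4) is reported, with both reasons; the late legitimate response at index 5 passes because its TTL matches the baseline the SYN/ACK established. On a real capture, run the same `detect_injected` over the IP payload of each frame and expect some TTL-only hits from genuine route changes, which is why the output names the reason rather than just a verdict.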