Full Disclosure mailing list archives

RE: [inbox] malware added in transit


From: James.Cupps () sappi com
Date: Thu, 18 Mar 2004 10:28:24 -0500

There is, however, a type of attack, sometimes referred to as a ghost attack, that is similar to a man-in-the-middle attack and can do something like this.

The way it works is Eve inserts herself between Bob and Alice using some type of man-in-the-middle attack, then, using certain scripts (the scripts are pretty simple; I have written one in Perl for testing), can selectively alter the content of the data stream between them. The scary part of this type of attack is that it is even possible to use it to transparently (almost transparently: a really quick user might catch the URL change, but most of them ignore URLs all the time anyway) step into an SSL session before it starts.

I think it would be quite difficult to write this type of attack into malware, but probably possible. The script just alters the HTTP pieces of the HTML traffic to include the SSL (or normal HTTP) site in the middle. You could alter that to include basic HTML exploits pretty easily, but people tend to notice obvious changes to sites, so it would have to be very precise. The other point to keep in mind is that you have to have some type of MIM (ARP spoof, DNS poison, route redirect, etc.) in place, and if you can do that you probably have a lot of influence over the target anyway. Building this part into malware might not even be possible. I'll have to think about it.

But the way this works is similar to what you described in the proxy comment below.

I doubt any are currently in existence, but nothing would surprise me.

James Cupps
Information Security Officer
Sappi Fine Paper North America
207-854-7065

-----Original Message-----
From: Curt Purdy [mailto:purdy () tecman com] 
Sent: Thursday, March 18, 2004 8:50 AM
To: 'Paul'; full-disclosure () lists netsys com
Subject: RE: [inbox] [Full-disclosure] malware added in transit
Paul wrote:

Hi all, perhaps I'm way off-base but I've been under the impression that malware can be added to clean transmissions as they pass through infected nodes. Is this possible?

Unless you're talking about inserting a proxy in-line and manually grabbing the packets and manipulating them, at a huge amount of work, you ARE way off-base. There is no malware I know of that would even know what the packets were, much less re-assemble them into the original document, insert itself, and pass it on. Maybe by 2104...

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA 
Information Security Engineer 
DP Solutions 

---------------------------------------- 

If you spend more on coffee than on IT security, you will be hacked. 
What's more, you deserve to be hacked. 
-- White House cybersecurity adviser Richard Clarke 

This message may contain information which is private, privileged or
confidential and is intended solely for the use of the individual or entity
named in the message. If you are not the intended recipient of this message,
please notify the sender thereof and destroy / delete the message. Neither
the sender nor Sappi Limited (including its subsidiaries and associated
companies) shall incur any liability resulting directly or indirectly from
accessing any of the attached files which may contain a virus or the like. 
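Added example, not part of any message in this thread: a defender-side audit for the kind of in-transit link rewriting James describes, where an interposed node edits the HTML so that an SSL login link or form now points through the attacker's site or is downgraded to plain HTTP. The script below parses a received page with the standard library, compares every absolute anchor and form target against a set of hosts the page is expected to use, and reports downgrades, forms posting to untrusted hosts, and look-alike hostnames that embed a trusted name. The host names, the two sample pages, and the trusted-host set are all constructed for the example.

```python
import html.parser
from urllib.parse import urlparse

# Constructed sample data: what a client should have received, and a
# version with the login link and form target rewritten by a hypothetical
# in-path node (the host names are invented placeholders).
TRUSTED = {"bank.example", "static.bank.example"}

CLEAN_PAGE = """
<html><body>
<a href="https://bank.example/login">Log in</a>
<a href="/help">Help</a>
<form action="https://bank.example/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

TAMPERED_PAGE = """
<html><body>
<a href="http://bank.example/login">Log in</a>
<a href="/help">Help</a>
<form action="https://bank.example.proxy.test/auth" method="post">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""


class _LinkCollector(html.parser.HTMLParser):
    """Collect (kind, url) pairs for anchors and form actions."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.links.append(("form", attrs["action"]))


def audit_links(page_html, trusted_hosts):
    """Return a list of (kind, url, reason) findings for suspicious targets.

    Relative URLs stay on the page's own origin and are not flagged.
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    findings = []
    for kind, url in collector.links:
        parsed = urlparse(url)
        if not parsed.scheme:
            continue  # relative link: same origin as the page itself
        host = (parsed.hostname or "").lower()
        if parsed.scheme == "http" and host in trusted_hosts:
            # The page used to send the user to this host over TLS.
            findings.append((kind, url, "https downgraded to http"))
        elif kind == "form" and host not in trusted_hosts:
            # Credentials would be posted somewhere we never expected.
            findings.append((kind, url, "form posts to untrusted host"))
        elif host not in trusted_hosts and any(t in host for t in trusted_hosts):
            # e.g. bank.example.proxy.test: a trusted name buried in a foreign host
            findings.append((kind, url, "look-alike host embeds a trusted name"))
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_links(page, TRUSTED))
```

The check is only as good as the trusted-host list, so in practice it would be seeded from the site's own configuration rather than from whatever the client last saw; it also says nothing about a rewrite that keeps the original hostname while the attacker terminates the connection, which is why the ARP, DNS and route layers James lists need their own monitoring.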