funsec mailing list archives

Has Your Network been “Warped”?


From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 14 Jul 2012 12:13:40 -0400

http://www.kindsight.net/en/blog/2012/07/11/has-network-been-warped
[Thanks to TD for providing the link]

The Warp Trojan demonstrates a bold new method by which malware
writers are forcing computers to visit their exploit sites on the
Internet and recruit those systems into their army of compromised
machines. Warp does this by becoming a network middleman, arranging
for all local network traffic to flow through it, and then injecting a
malicious URL into any passing web traffic.

This Trojan is particularly stealthy in that the injected HTML code is
not obvious to the recipient of the compromised web page and should it
be discovered, one would more likely conclude that the web-server
itself was compromised, not that the flow of network traffic between
the computers has been “Warped”. Finding the true source of that URL
injection, the middle-man, on a larger network requires a network
sniffer and the ability to identify the offending machine by its MAC
address.

THE DISCOVERY

I was recently visiting a trusted website and noticed that a key
element of it was not resolving properly. Upon investigation of the
underlying HTML code sent to my browser, I noted the inclusion of an
IFRAME tag that just did not belong.
[Image Removed]

Thinking that the webserver had been hacked, we conducted a quick
forensic analysis of it and restored the entire system to a trusted
state with the original installation media. When that failed to
resolve the apparent issue with the website, we performed a quick
review of the network traffic of both computers, the server and my
desktop, and were able to identify the culprit. The source of the HTML
injection was not the desktop or server but rather a third computer
that managed to make itself a network middle-man on one of our
subnets. Removing that infected system from the network quickly
resolved the issue.
...
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
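Two defender-side checks that follow the investigation described in the post, written as an added example (this is not code from the post or from the Kindsight blog). The first parses a page as the client received it and reports IFRAME tags pointing at a host the site is not expected to reference, which is the comparison the authors made between what the server sends and what the desktop got. The second takes ARP reply lines in the style of tcpdump output and reports any IP address claimed by more than one MAC, which is how a sniffer exposes the machine acting as middle-man on the subnet. The host names, addresses and MAC values are constructed for the example; `injected-host.example` stands in for whatever URL a real injection carries.

```python
"""Added example: spotting HTML injected in transit, and finding the
middle-man by MAC address. Sample data below is constructed."""
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every IFRAME tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def find_unexpected_iframes(html, allowed_hosts):
    """Return IFRAME src values whose host is not in allowed_hosts.
    Relative srcs (no host) are treated as the site's own and skipped."""
    parser = _IframeCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for src in parser.srcs:
        host = (urlparse(src).hostname or "").lower()
        if host and host not in allowed:
            flagged.append(src)
    return flagged


# Matches the "Reply <ip> is-at <mac>" portion of an ARP line as tcpdump prints it.
_ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def parse_arp_lines(lines):
    """Extract (ip, mac) pairs from ARP reply lines; other lines are ignored."""
    pairs = []
    for line in lines:
        m = _ARP_REPLY.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs


def find_arp_conflicts(arp_records):
    """Return {ip: [macs]} for every IP that more than one MAC has answered for.
    The MAC that is not the legitimate owner is the box to pull off the network."""
    seen = defaultdict(set)
    for ip, mac in arp_records:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed sample: the page as served by the web server itself ...
SERVER_COPY = (
    '<html><body><p>Hello</p>'
    '<script src="/js/app.js"></script></body></html>'
)
# ... and the same page as it arrived at the desktop, with one extra tag.
CLIENT_COPY = SERVER_COPY.replace(
    "</body>",
    '<iframe src="http://injected-host.example/landing" width="1" height="1">'
    "</iframe></body>",
)

# Constructed sniffer output: the gateway 192.0.2.1 answered from two MACs.
ARP_LINES = [
    "12:00:01.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
    "12:00:01.000100 ARP, Reply 192.0.2.1 is-at 00:11:22:33:44:55, length 28",
    "12:00:01.000200 ARP, Reply 192.0.2.1 is-at AA:BB:CC:DD:EE:FF, length 28",
    "12:00:02.000000 ARP, Reply 192.0.2.10 is-at 00:11:22:33:44:66, length 28",
]

if __name__ == "__main__":
    print("server copy:", find_unexpected_iframes(SERVER_COPY, ["www.example.com"]))
    print("client copy:", find_unexpected_iframes(CLIENT_COPY, ["www.example.com"]))
    print("ARP conflicts:", find_arp_conflicts(parse_arp_lines(ARP_LINES)))
```

If the server copy comes back clean and the client copy carries the extra IFRAME, the web server is not the problem and the ARP conflict list names the address to chase; the second MAC for that IP is the one to look up on the switch.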
