ARP Spoofing Malware
ARP Spoofing is a technique that every security consultant will scare their clients with as a means to prove the point that nothing within the network is safe from eavesdropping. So what is it? ARP spoofing, also known as ARP poisoning, is a technique used to attack an Ethernet network. It allows an attacker to sniff data frames on a local area network (LAN), modify the traffic, or stop the traffic altogether. Something that should be mentioned here from the outset: this is nothing new. ARP Spoofing is well known and understood in the security community, and that understanding has resulted in technologies being developed to combat the attack. What is new, however, is that malware authors have seen the potential of this attack and are starting to use it.
What is it?
Firstly, what is ARP? The Address Resolution Protocol (ARP) is a standard way to locate a device's hardware address when only the network address is known. It is not an IP-only or Ethernet-only protocol and can be used in many other environments; however, due to the prevalence of IP and Ethernet, it is primarily used to translate IP addresses to Ethernet MAC addresses. You can find a more detailed description of the entire protocol here.
The technique involves sending fake or 'spoofed' ARP messages onto the Ethernet LAN. The aim is to have devices on the network associate the attacker's MAC address with the IP address of another host on the network, which diverts traffic intended for the target to the attacker's machine. In many cases the attacker will target a specific service or piece of network infrastructure such as a default gateway or proxy server. If successful, any traffic meant for the targeted IP address ends up at the attacker's host instead. The attacker can then forward the traffic on to the real host, having recorded the intercepted data or potentially modified it. ARP spoofing can also be used for an effective denial of service attack by associating a nonexistent MAC address with the targeted IP address.
Most people see the risk from ARP spoofing as one of the insider trying to sniff for login details, or intercept web traffic over SSL. But something that is starting to rear its ugly little head is malware that uses ARP Spoofing as a means to inject code into web traffic and compromise user login information.
The Malware
Earlier in the year Neil Carpenter blogged about an incident he was involved with where a piece of malware was using ARP Spoofing on a customer's network to intercept and modify web traffic by inserting a malicious IFRAME into every web page visited. In this instance the malware would direct the victim to a page that exploited MS07-017, better known as the Animated Cursor Vulnerability. This wasn't the first time ARP Spoofing had been used by malware; for example, W32/Snow.a used it to attempt a denial of service attack during early 2006. More recently, in October 2007 the Chinese Internet Security Response Team (C.I.S.R.T) reported that they suspected a similar attack had been used to compromise user sessions to their web sites.
About the same time as the original blog posting by Neil Carpenter, the AV companies added something called W32.Arpiframe to their signature databases. This little bit of malware does just what was described in the blog, and it does pretty much the same as the piece of malware that could be responsible for the attack against the C.I.S.R.T. The actual method of attack is the same, but the URLs injected within the IFRAME and the exploits used to compromise user systems differ, which implies that there are different variants floating about that are being updated and maintained to avoid detection by anti-virus software.
The possibilities of a successful ARP spoofing attack are significant, and its use for injection has great potential for further attacks. For example, you can not only inject any HTML you like into any web page the user downloads, but you could also infect any executable the user copies or downloads over the network. Barnaby Jack showed a neat trick with compromised D-Link routers using modified firmware at EuSecWest in 2006 that allowed the injection of modified executables; this attack would provide an ideal mechanism to allow this style of injection into anything downloaded, with potentially serious results.
Then, when used for sniffing, nothing is safe on the network: any clear text login request or session token sent over the network is ripe for stealing. The classic man in the middle attack that many consultants warn about for SSL sessions is a possibility, as we all know that only a small number of users actually check the SSL certificate warnings before pressing 'Yes' to allow the connection. They have all been conditioned to check for the little lock, so if you've got the connection between them and the compromised host all SSL'd up they are probably not going to notice.
However, all this said, ARP spoofing does have its problems. As discussed, it can act as an effective denial of service, and if something messes up the end user will often notice it. On a large network a successful ARP spoofing attack could result in a lot of traffic heading through one host, which could well cause massive degradation in the performance of that host. This style of attack would probably have more success within a smaller networking environment. In any environment with network switching equipment that has features like 'Port Security' in place, ARP spoofing attacks are unlikely to work as intended, as these technologies have been developed to help address this well known problem.
Defense
There are various ways to defend against ARP Spoofing attacks. The first obvious thing, which is specific to malware that uses this style of attack, is to ensure that anything you download is scanned using an up to date anti-virus scanner, and that the file you download comes from a legitimate source.
There is no magic bullet for ARP Spoofing; the best defense is to have static ARP entries for every machine on a network. Unfortunately that is not practical for most corporate environments, so various technologies have been developed to help fight this. The first of these is something called 'Port Security'. Port Security is part of the firmware that runs on network switching infrastructure. It prevents changes to the MAC address tables on the switch and, depending on the implementation, may also be able to lock a switch port if it sees too many MAC addresses on the port or if the MAC address changes frequently. This in itself is not a cure-all but it will hamper an ARP spoofing attack.
MAC address cloning can be detected by using something called RARP (Reverse ARP), in which a system looks up a known MAC address and requests the associated IP address. If the requesting machine gets multiple responses for a single MAC address then you could have an instance of MAC cloning, which could allow you to detect when a piece of infrastructure like a router or proxy is being targeted for ARP Spoofing.
There are detection technologies such as ARPwatch that monitor a network for ARP requests and replies and generate alerts when they detect suspicious ARP traffic; this is probably the best method for combating ARP Spoofing attacks. Many IDS systems have this same capability, however just how many people actually implement IDS on internal networks?
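As an added illustration of the monitoring described in the last two paragraphs (this is example code written for this page, not ARPwatch's own), the monitor below keeps an IP-to-MAC table, flags a binding change for an IP, flags a 'flip flop' when the binding reverts (the real host and a spoofer answering in turn), and flags one MAC claiming several IPs, which is the MAC cloning the reverse lookup above is meant to expose. The addresses are constructed sample data.

```python
from collections import defaultdict


class ArpMonitor:
    """Tracks IP-to-MAC bindings the way ARPwatch does and records alerts."""

    def __init__(self):
        self.ip_to_mac = {}                 # current binding per IP
        self.ip_prev_mac = {}               # binding before the current one
        self.mac_to_ips = defaultdict(set)  # every IP a given MAC has claimed
        self.alerts = []                    # (kind, ...) tuples, in order seen

    def observe(self, ip, mac):
        """Feed one ARP reply's sender fields: 'ip is at mac'."""
        cur = self.ip_to_mac.get(ip)
        if cur is None:
            self.alerts.append(("new station", ip, mac))
        elif cur != mac:
            # The IP now answers from another MAC. If it is the MAC it had before,
            # ARPwatch calls it a flip flop: real host and spoofer fighting over it.
            flip = self.ip_prev_mac.get(ip) == mac
            self.alerts.append(("flip flop" if flip else "changed ethernet address", ip, mac))
        if cur != mac:
            self.ip_prev_mac[ip] = cur
            self.ip_to_mac[ip] = mac
        # MAC cloning: one hardware address claiming more than one IP, which is
        # what the reverse lookup described in the text is meant to expose.
        owners = self.mac_to_ips[mac]
        if ip not in owners:
            owners.add(ip)
            if len(owners) > 1:
                self.alerts.append(("mac cloning", mac, tuple(sorted(owners))))


def alerts_for(replies):
    """Run (ip, mac) pairs through a fresh monitor and return its alerts."""
    mon = ArpMonitor()
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


# Constructed sample: gateway .1 and workstation .50 announce normally, then the
# workstation's MAC claims the gateway IP, and the real gateway re-announces.
SAMPLE = [
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ("192.168.1.50", "cc:cc:cc:cc:cc:50"),
    ("192.168.1.1", "cc:cc:cc:cc:cc:50"),  # spoofed reply
    ("192.168.1.1", "aa:aa:aa:aa:aa:01"),  # real gateway announcing again
]
```

Running `alerts_for(SAMPLE)` yields two 'new station' entries, then 'changed ethernet address' and 'mac cloning' for the spoofed reply, and 'flip flop' when the gateway reasserts itself; the two-host announcements alone produce no change alerts, which is the baseline a monitor should stay quiet on.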
Conclusion
ARP Spoofing is an attack that is often underestimated, yet if successful it has far reaching consequences. ARP Spoofing malware is a growing problem, and malware authors are beginning to implement this technique to steal information and inject malicious traffic. So don't expect to see the threat go away.
There are technologies out there which can defend against ARP Spoofing attacks; however, they are often limited to higher end network infrastructure, so the protection will be out of reach of most home users and probably many small businesses. For that end of the market the best defense is an up to date virus scanner and personal firewall, and setting up static ARP entries for your router/firewall and other key resources. For enterprises, implementing port security across network switching infrastructure is a key defense, along with implementing ARP monitoring and detection technologies.
