ARP Spoofing Used to Insert Malicious Adverts [source: alienvault]

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view.

A 2014 report on an attack involving CVE-2014-6332 describes well how an attacker might use zxarps:

“This malware performs ARP spoofing on the network to cause other systems to route their traffic through the infected system, and inject a malicious IFRAME into webpages.”

The ARP spoofing attack can work in both directions. If a web-host is compromised, zxarps can be used to insert malicious code into other sites on the same web-host. A report from way back in 2009 describes attacks that operated this way:

“A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned the local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites (if it’s a hoster indeed).”
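A defensive check for the poisoning both quoted reports describe, added here as an example that is not part of the original article: when a host answers ARP for the gateway, neighbour tables on the subnet show the gateway's IP resolving to that host's MAC. The sample `ip neigh show` output, the addresses and the pinned gateway MAC are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of Linux `ip neigh show` output, as seen from a host on a
# subnet where 192.168.10.7 is answering ARP for the gateway 192.168.10.1.
SAMPLE_NEIGH = """\
192.168.10.1 dev eth0 lladdr 00:16:3e:aa:bb:07 REACHABLE
192.168.10.7 dev eth0 lladdr 00:16:3e:aa:bb:07 STALE
192.168.10.20 dev eth0 lladdr 00:16:3E:11:22:33 REACHABLE
192.168.10.21 dev eth0 FAILED
"""

# Assumption: MAC recorded for the gateway when the network was known to be clean.
PINNED = {"192.168.10.1": "00:16:3e:aa:bb:01"}

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) dev (?P<dev>\S+) "
    r"lladdr (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.IGNORECASE)

def parse_neigh(text):
    """Return (dev, ip, mac) for every resolved IPv4 neighbour entry."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # unresolved entries (FAILED/INCOMPLETE) carry no lladdr
            entries.append((m["dev"], m["ip"], m["mac"].lower()))
    return entries

def audit(text, pinned=None):
    """Flag pinned-MAC mismatches and MACs that answer for several IPs."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    findings, by_mac = [], defaultdict(set)
    for dev, ip, mac in parse_neigh(text):
        by_mac[(dev, mac)].add(ip)
        if ip in pinned and pinned[ip] != mac:
            findings.append(("pinned-mismatch", ip, mac))
    for (dev, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, tuple(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NEIGH, PINNED):
        print(finding)
```

A shared MAC also occurs legitimately (proxy ARP, a host with several IP aliases), so a `shared-mac` finding is a lead to confirm against the switch's MAC table rather than proof of spoofing.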
