New 'Warp' Trojan Poses As A Network Router
Attack uses ARP-spoofing to intercept traffic, propagate throughout the network
Researchers have found a new Trojan out of China that mimics a router in order to intercept traffic and spread throughout the network.
The so-called Warp Trojan isn't related to more common malware like Zeus or SpyEye, and it operates as a stage-two infection rather than a bot-run one. It appears to be spreading adware mainly in China, and the attackers behind it also appear to be out of China.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
- Top Big Data Security Tips and Ultimate Protection for Enterprise Data
- Smarter Process: Five Ways to Make Your Day-to-Day Operations Better, Faster and More Measurable
John Morris, principal security researcher at Kindsight Security Labs, discovered the attack in the lab after visiting a legitimate, trusted website and noticing it was resolving improperly. Morris dug into the HTML code sent to his browser and found a suspicious iFrame, but it wasn't the Web server that was the source of the malicious HTML injection: Morris and his team found another machine that was set up as a man-in-the middle in one of the lab's subnets.
"This [malware] was behaving very differently than anything else we had seen before," Morris says. "It was calling out and pretending to be a router" with the ARP (Address Resolution Protocol) protocol, he says. It basically informs the network's existing router that it's a router, too, he says.
Unlike most Trojans that generate their own rogue traffic, Warp corrupts legitimate traffic. "If you were to link to a Web page on the Net, like Google, it would corrupt the traffic coming back to you. So you get Google, plus an invisible iFrame that takes you to another malicious site," Morris says.
The victim doesn't see the malicious site, which basically uses a variety of exploits to infect his or her machine. "You don't know you're redirected," he says.
ARP spoofing itself isn't new, but it's rare for a Trojan to employ this technique to propagate itself, according to the researcher. Warp employs a seven-year-old Chinese hacking tool called ZXarps and dupes other computers on the network into believing it's the router.
[ Remote VPN connections are not necessarily as secure as you’d think -- how enterprises can get infected by far-flung users via their SSL VPNs. See VPN An Oft-Forgotten Attack Vector. ]
HD Moore, chief security officer at Rapid7 and creator of Metasploit, says this type of attack has its advantages -- and disadvantages -- for the attacker. "The advantage to using a layer-2 attack like ARP spoofing is that it can capture network credentials and target client-side applications like Web browsers as the traffic leaves the network. This attack has major downsides, however: When spoofing the router, there is a high likelihood that valid traffic will be dropped, and when spoofing internal machines, any network services on the target machine may be affected, not to mention any duplicate IP warnings," Moore says.
In most penetration testing engagements, ARP spoofing isn't allowed because it's so risky. "In most penetration tests, ARP spoofing is off the table due to the chance of breaking a production server or breaking outbound traffic for the local subnet," Moore notes.
The Warp attack actually begins with a Chinese adware Trojan called Paglst.b that gets installed on a vulnerable machine, typically via a Java or Adobe Reader exploit. Once this initial infection is set, it installs Warp onto the machine.
"The key concern from a corporate standpoint is that this is tampering with the flow of network traffic. Even if machines are not being infected ... it is actively alerting the flow of data on their network, and that can lead to significant operational issues," Kindsight's Morris says.
And if a Warp-infected computer is on the same network as a Web server, traffic from the Web server will contain the injected iFrame. That means anyone who visits that website server could get infected, even if they are outside the subnet.
The key to eradicating the infection is pinpointing the infected machine or machines. "That's the challenge. If you are one of the computers seeing this malicious URL, you are not sure where it's coming from," Morris says. You have to track the MAC address of your router, and find the phony one's MAC address, too.
Kindsight has provided more technical detail, as well as code snippets, on the Warp Trojan here.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.