New Warp Trojan Poses As A Network Router

Published: 22/11/2024   Category: security



Attack uses ARP-spoofing to intercept traffic, propagate throughout the network



Researchers have found a new Trojan out of China that mimics a router in order to intercept traffic and spread throughout the network.
The so-called Warp Trojan isn't related to more common malware like Zeus or SpyEye, and it operates as a stage-two infection rather than a bot-run one. It appears to be spreading adware mainly in China, and the attackers behind it also appear to be out of China.
John Morris, principal security researcher at Kindsight Security Labs, discovered the attack in the lab after visiting a legitimate, trusted website and noticing it was resolving improperly. Morris dug into the HTML code sent to his browser and found a suspicious iFrame, but it wasn't the Web server that was the source of the malicious HTML injection: Morris and his team found another machine that was set up as a man-in-the-middle in one of the lab's subnets.
"This [malware] was behaving very differently than anything else we had seen before," Morris says. "It was calling out and pretending to be a router with the ARP (Address Resolution Protocol) protocol," he says. "It basically informs the network's existing router that it's a router, too," he says.
Unlike most Trojans that generate their own rogue traffic, Warp corrupts legitimate traffic. "If you were to link to a Web page on the Net, like Google, it would corrupt the traffic coming back to you. So you get Google, plus an invisible iFrame that takes you to another malicious site," Morris says.
The victim doesn't see the malicious site, which basically uses a variety of exploits to infect his or her machine. "You don't know you're redirected," he says.
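The injection Morris describes leaves the legitimate page intact and appends an invisible frame pointing at a second site. A proxy or sensor that already sees response bodies can surface that pattern with a check like the one below. This is an added example, not Kindsight's or Dark Reading's code; the HTML is constructed sample data and the hostnames (www.example.com, injected.example) are placeholders.

```python
"""Flag hidden, off-site iframes in an HTML response body.

Added example, not Kindsight's or Dark Reading's code. The article
describes Warp appending an invisible iframe to an otherwise legitimate
page; this check reports iframes that are both hidden (zero size or CSS
hiding) and sourced from a host other than the page's own. The HTML
below is constructed sample data with placeholder hostnames.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs: Dict[str, str]) -> bool:
    """True for the usual ways an iframe is made invisible: zero size or CSS hiding."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width", "1"))
        height = int(attrs.get("height", "1"))
    except ValueError:  # e.g. "100%": a sized frame, not a zero-sized one
        return False
    return width == 0 or height == 0


def suspicious_iframes(html: str, page_host: str) -> List[str]:
    """Return the src of every iframe that is hidden and points off the page's own host."""
    collector = IframeCollector()
    collector.feed(html)
    found = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or page_host  # a relative src stays on-site
        if is_hidden(attrs) and host.lower() != page_host.lower():
            found.append(src)
    return found


# Constructed sample: one legitimate on-site frame, one injected hidden off-site frame.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather.html" width="300" height="120"></iframe>
<p>Normal page content.</p>
<iframe src="http://injected.example/landing" width="0" height="0" frameborder="0"></iframe>
</body></html>"""


if __name__ == "__main__":
    for src in suspicious_iframes(SAMPLE_HTML, "www.example.com"):
        print("hidden off-site iframe:", src)
```

The host comparison is what keeps the legitimate weather widget out of the result: a hidden frame served from the page's own host is common and benign, while a hidden frame pulled from a third party is the shape of the injection the article describes and deserves a look at where in the path it was added.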
ARP spoofing itself isn't new, but it's rare for a Trojan to employ this technique to propagate itself, according to the researcher. Warp employs a seven-year-old Chinese hacking tool called ZXarps and dupes other computers on the network into believing it's the router.
[ Remote VPN connections are not necessarily as secure as you'd think -- how enterprises can get infected by far-flung users via their SSL VPNs. See "VPN An Oft-Forgotten Attack Vector". ]
HD Moore, chief security officer at Rapid7 and creator of Metasploit, says this type of attack has its advantages -- and disadvantages -- for the attacker. "The advantage to using a layer-2 attack like ARP spoofing is that it can capture network credentials and target client-side applications like Web browsers as the traffic leaves the network. This attack has major downsides, however: When spoofing the router, there is a high likelihood that valid traffic will be dropped, and when spoofing internal machines, any network services on the target machine may be affected, not to mention any duplicate IP warnings," Moore says.
In most penetration testing engagements, ARP spoofing isn't allowed because it's so risky. "In most penetration tests, ARP spoofing is off the table due to the chance of breaking a production server or breaking outbound traffic for the local subnet," Moore notes.
The Warp attack actually begins with a Chinese adware Trojan called Paglst.b that gets installed on a vulnerable machine, typically via a Java or Adobe Reader exploit. Once this initial infection is set, it installs Warp onto the machine.
The key concern from a corporate standpoint is that this is tampering with the flow of network traffic. "Even if machines are not being infected ... it is actively altering the flow of data on their network, and that can lead to significant operational issues," Kindsight's Morris says.
And if a Warp-infected computer is on the same network as a Web server, traffic from the Web server will contain the injected iFrame. That means anyone who visits that website could get infected, even if they are outside the subnet.
The key to eradicating the infection is pinpointing the infected machine or machines. "That's the challenge. If you are one of the computers seeing this malicious URL, you are not sure where it's coming from," Morris says. You have to track the MAC address of your router, and find the phony one's MAC address, too.
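The remediation advice above, tracking the real router's MAC and finding the impostor's, is something a small monitor on the subnet can automate. The script below pins (or, failing that, learns) the MAC that legitimately answers for the gateway IP and flags every later ARP reply that claims the same IP with a different MAC, so the suspect MAC can be traced back to a switch port. This is an added example and not Kindsight's code; the input lines are constructed samples in the form "<timestamp> <sender-ip> <sender-mac>", and the addresses (192.0.2.0/24 is a documentation range) are placeholders.

```python
"""Spot a phony gateway from a feed of ARP replies.

Added example, not Kindsight's code. Given the gateway IP and ideally a
known-good router MAC, the monitor reports any ARP reply in which a
different MAC claims the gateway IP and collects those MACs for follow-up.
Input lines are constructed samples: "<timestamp> <sender-ip> <sender-mac>".
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set


@dataclass
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str


def parse_line(line: str) -> ArpReply:
    """Parse one constructed log line: '<ts> <sender-ip> <sender-mac>'."""
    ts, ip, mac = line.split()
    return ArpReply(float(ts), ip, mac.lower())


@dataclass
class GatewayMonitor:
    gateway_ip: str
    pinned_mac: Optional[str] = None  # known-good router MAC, if you have one
    learned_mac: Optional[str] = field(default=None, init=False)
    alerts: List[str] = field(default_factory=list)
    suspects: Set[str] = field(default_factory=set)

    def expected_mac(self) -> Optional[str]:
        mac = self.pinned_mac or self.learned_mac
        return mac.lower() if mac else None

    def observe(self, reply: ArpReply) -> Optional[str]:
        """Return an alert if this reply claims the gateway IP with an unexpected MAC."""
        if reply.sender_ip != self.gateway_ip:
            return None
        expected = self.expected_mac()
        if expected is None:
            # No pinned value: trust the first answer. Weakest mode; pin when you can,
            # since an impostor that answers first would be learned as legitimate.
            self.learned_mac = reply.sender_mac
            return None
        if reply.sender_mac != expected:
            msg = (f"t={reply.ts:.0f}: {self.gateway_ip} claimed by "
                   f"{reply.sender_mac}, expected {expected}")
            self.alerts.append(msg)
            self.suspects.add(reply.sender_mac)
            return msg
        return None


def scan(lines: Iterable[str], gateway_ip: str,
         pinned_mac: Optional[str] = None) -> GatewayMonitor:
    """Feed every line through a monitor and return it for inspection."""
    mon = GatewayMonitor(gateway_ip, pinned_mac)
    for line in lines:
        mon.observe(parse_line(line))
    return mon


SAMPLE_LINES = [  # constructed data; 192.0.2.0/24 is a documentation range
    "1 192.0.2.1 00:11:22:33:44:55",   # the real router answers for the gateway IP
    "2 192.0.2.10 aa:bb:cc:00:00:10",  # an ordinary host, ignored
    "3 192.0.2.1 00:11:22:33:44:55",
    "4 192.0.2.1 DE:AD:BE:EF:00:01",   # a second MAC claims the gateway IP
    "5 192.0.2.1 de:ad:be:ef:00:01",
]


if __name__ == "__main__":
    mon = scan(SAMPLE_LINES, "192.0.2.1", pinned_mac="00:11:22:33:44:55")
    for alert in mon.alerts:
        print(alert)
    print("suspect MACs:", sorted(mon.suspects))
```

In practice the lines would come from a capture of ARP traffic on the segment; the value of pinning the router MAC rather than learning it is that the check then works even if the impostor was already answering when monitoring began. Once a suspect MAC is known, the switch's forwarding table gives the port, and with it the machine to clean.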
Kindsight has provided more technical detail, as well as code snippets, on the Warp Trojan here.