Has Your Network been “Warped”?
The Warp Trojan demonstrates a bold new method by which malware writers are forcing computers to visit their exploit sites on the Internet and recruit those systems into their army of compromised machines. Warp does this by becoming a network middleman, arranging for all local network traffic to flow through it, and then injecting a malicious URL into any passing web traffic.
This Trojan is particularly stealthy in that the injected HTML code is not obvious to the recipient of the compromised web page, and should it be discovered, one would more likely conclude that the web server itself was compromised, not that the flow of network traffic between the computers has been “Warped”. Finding the true source of that URL injection, the middleman, on a larger network requires a network sniffer and the ability to identify the offending machine by its MAC address.
I was recently visiting a trusted website and noticed that a key element of it was not resolving properly. Upon investigation of the underlying HTML code sent to my browser, I noted the inclusion of an IFRAME tag that just did not belong.
Thinking that the web server had been hacked, we conducted a quick forensic analysis of it and restored the entire system to a trusted state with the original installation media. When that failed to resolve the apparent issue with the website, we performed a quick review of the network traffic of both computers, the server and my desktop, and were able to identify the culprit. The source of the HTML injection was not the desktop or server but rather a third computer that had managed to make itself a network middleman on one of our subnets. Removing that infected system from the network quickly resolved the issue.
Warp gains its middleman position by using the Address Resolution Protocol (ARP) to convince other computers that it is the subnet’s router and to convince the router that it is all the other computers on the network. Warp accomplishes this task by leveraging a seven-year-old Chinese hacking tool called ZXarps to do the hard work.
The Warp executable stores a copy of ZXarps (md5: 1f1f73ea53fee2470603c7fa21767b92) in the location C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\(number).tmp. It also contains several standard DLLs and a kernel driver that are required by ZXarps.
As its first step, Warp (in this case running on 192.168.10.100 with a MAC address Universa_6e:7a:d6) uses broadcast ARP requests to sequentially ask who currently has each IP address on the subnet.
Then for each IP address that it finds to be “alive”, Warp uses unsolicited ARP replies to tell the router (D-Link_ed in the sample below) that its machine is hosting that IP address and tells the true owner of that IP address (Hewlett-_2) that it is hosting the router’s IP address. It repeats this for each IP address every 3 seconds.
In so doing, Warp alters the standard flow of traffic on the subnet, in which each host exchanges packets directly with the router, so that all the traffic on the subnet now flows through the infected machine instead.
Warp then exploits its newfound popularity as a network middleman to manipulate the web traffic (port TCP/80) flowing through it by injecting malicious HTML code. When the victim computer requests an Internet web page, instead of receiving only the expected HTML content, it now gets an extra IFRAME prefixing that content, the intent of which is to send the other computers on our network to the original malicious website in an attempt to compromise them as well.
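The symptom the injection leaves on the wire is an IFRAME that sits in front of the page’s real markup, before the DOCTYPE or the opening HTML tag, where no legitimate page puts one. The checker below is an added example written for this article (not Kindsight’s code or anything from the Warp sample); it inspects captured HTTP response bodies for exactly that prefix and pulls out the foreign URL. The two sample responses and the URL in them are constructed placeholders.

```python
"""Flag HTTP response bodies that carry an IFRAME ahead of the real document.

Added example for this write-up. The sample bodies are constructed; the
injected URL is a placeholder, not the address used by the Warp sample.
"""
import re

# Any <iframe ...> opening tag, case-insensitive.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Where a normal HTML document actually begins.
DOC_START_RE = re.compile(r"<!doctype\b|<html\b", re.IGNORECASE)
# Attributes that hide a frame from the person viewing the page.
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none""",
                       re.IGNORECASE)

CLEAN_BODY = (
    "<!DOCTYPE html><html><head><title>Trusted site</title></head>"
    "<body><p>Welcome.</p></body></html>"
)
# Same page after a middleman prefixed it with a hidden frame (constructed).
INJECTED_BODY = (
    '<iframe src="http://malicious-site.example.invalid/x.html" '
    'width="0" height="0"></iframe>' + CLEAN_BODY
)


def find_prefixed_iframe(body):
    """Return the IFRAME tag found before the document start, or None."""
    start = DOC_START_RE.search(body)
    prefix = body[: start.start()] if start else body
    match = IFRAME_RE.search(prefix)
    return match.group(0) if match else None


def iframe_src(tag):
    """Extract the src URL from an IFRAME opening tag, or None if absent."""
    match = re.search(r"""src\s*=\s*["']?([^"'\s>]+)""", tag, re.IGNORECASE)
    return match.group(1) if match else None


def is_hidden(tag):
    """True when the frame is sized or styled so the viewer will not see it."""
    return HIDDEN_RE.search(tag) is not None


def scan_responses(responses):
    """responses: iterable of (page_url, body). Returns one finding per hit."""
    findings = []
    for page_url, body in responses:
        tag = find_prefixed_iframe(body)
        if tag is None:
            continue
        findings.append({
            "page": page_url,
            "injected_src": iframe_src(tag),
            "hidden": is_hidden(tag),
        })
    return findings


if __name__ == "__main__":
    sample = [("http://intranet.example/index.html", CLEAN_BODY),
              ("http://intranet.example/index.html", INJECTED_BODY)]
    for finding in scan_responses(sample):
        print(f"{finding['page']}: prefixed IFRAME -> {finding['injected_src']}"
              f" (hidden={finding['hidden']})")
```

Because the injection happens in transit, the same check run on the server’s copy of the page and on a client’s received copy gives a quick way to tell a compromised web server from a poisoned subnet: only the second copy carries the prefix when a middleman is responsible.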
This can present a significant threat in an office environment or even a home network with multiple devices. For example, if someone brings an infected laptop to work, any co-workers sharing the same subnet as the infected laptop will get the injected IFRAME and be at risk of infection.
Although this specific example shows the effect Warp has on the other computers sharing its subnet, it is also important to note that this HTML injection is bi-directional. If a computer infected with Warp is on the same subnet as a web server, all traffic from that web server will contain the injected IFRAME, putting anyone who visits that web server at risk. As such, Warp can also pose a significant risk to machines outside its immediate subnet as well.
Warp reminds us that any infected computer on a network can pose a clear and present danger to other computers and to network operations. To avoid infection, it is necessary to ensure that both the operating system and its software, such as Java and Adobe Flash, are kept up to date. It is also necessary to ensure that your computers are running an anti-virus product to detect and remove threats such as Warp.
By John Morris, Kindsight Security Labs