Has Your Network been “Warped”?

07/11/2012
posted in:

The Warp Trojan demonstrates a bold new method by which malware writers are forcing computers to visit their exploit sites on the Internet and recruit those systems into their army of compromised machines. Warp does this by becoming a network middleman, arranging for all local network traffic to flow through it, and then injecting a malicious URL into any passing web traffic.

This Trojan is particularly stealthy in that the injected HTML code is not obvious to the recipient of the compromised web page and should it be discovered, one would more likely conclude that the web-server itself was compromised, not that the flow of network traffic between the computers has been “Warped”. Finding the true source of that URL injection, the middle-man, on a larger network requires a network sniffer and the ability to identify the offending machine by its MAC address.

The Discovery

I was recently visiting a trusted website and noticed that a key element of it was not resolving properly. Upon investigation of the underlying HTML code sent to my browser, I noted the inclusion of an IFRAME tag that just did not belong.

Warp Trojan iFrame

Thinking that the webserver had been hacked, we conducted a quick forensic analysis of it and restored the entire system to a trusted state with the original installation media. When that failed to resolve the apparent issue with the website, we performed a quick review of the network traffic of both computers, the server and my desktop, and were able to identify the culprit. The source of the HTML injection was not the desktop or server but rather a third computer that managed to make itself a network middle-man on one of our subnets. Removing that infected system from the network quickly resolved the issue.

The Investigation

When a computer visits the injected URL, a series of javascripts will check to see if the web browser is vulnerable to a Java or Flash exploit.  If it is, it will use these exploits to download the Chinese Adware trojan TrojanDownloader:Win32/Paglst.B (md5: 5060ab2e6fd527c5d99ed24f7bcce5ad).  This trojan then goes on to download additional badness to the infected computer, including a rootkit to keep the computer infected, and the Warp trojan (md5: 97b32489c59572844dd668ddb79d5479) to spread the original trojan to other computers.

Warp gains its middleman position by using the Address Resolution Protocol (ARP) to convince other computers that it is the subnet’s router and convince the router that it is all the other computers on the network.  Warp accomplishes this task by leveraging a 7 year old Chinese hacking tool called ZXarps to do the hard work. 

The Warp executable stores a copy of ZXarps (md5: 1f1f73ea53fee2470603c7fa21767b92) in the location C:DOCUME~1ADMINI~1LOCALS~1Temp(number).tmp. It also contains several standard DLLs and a kernel driver that are required by ZXarps.  

As its first step, Warp (in this case running on 192.168.10.100  with a MAC address Universa_6e:7a:d6)  uses broadcast ARP requests to sequentially ask who currently has each IP address on the subnet.

Warp Trojan ARP

Then for each IP address that it finds to be “alive”, Warp uses unsolicited ARP replies to tell the router (D-Link_ed in the sample below) that its machine is hosting that IP address and tells the true owner of that IP address (Hewlett-_2)  that it is hosting the router’s IP address.  It repeats this for each IP address every 3 seconds.

Warp Trojan ARP change

In so doing, Warp alters the standard flow of traffic on a subnet:

Warp Trojan traffic flow

and changes it so that all the traffic on the subnet now flows through it:

Warp Trojan traffic flow altered

Warp then exploits its newfound popularity as a network middleman to manipulate the web traffic (port TCP/80) flowing through it, by injecting malicious HTML code.  When the victim computer requests an Internet web page, instead of getting the expected HTML web page content:

Warp Trojan HTML

It now gets an extra IFRAME prefixing the expected content, the intent of which is to take over the other computers on our network to the original malicious website in an attempt to compromise them as well.

Warp Trojan HTML iFrame

This can present a significant threat in an office environment or even a home network with multiple devices. For example, if someone brings an infected laptop to work, any co-workers sharing the same subnet as the infected laptop will get the injected IFRAME and be at risk of infection.  

Although this specific example shows the effect Warp has on the other computers sharing its subnet, it is also important to note that this HTML injection is bi-directional.  If a computer infected with Warp is on the same subnet as a web server, all traffic from that web server will contain the injected IFRAME, putting anyone who visits that web server at risk.   As such, Warp can also pose a significant risk to machines outside its immediate subnet as well.

Warp Trojan traffic flow web server

Conclusion

Warp reminds us that any infected computer on a network can pose a clear and present danger to other computers and to network operations.  To avoid infection, it is necessary to ensure that both the operating system and its software, such as Java and Adobe Flash, are kept up to date.  It is also necessary to ensure that your computers are running an anti-virus product to detect and remove threats such as Warp.

By John Morris, Kindsight Security Labs

Share