Recently, some of my colleagues in TrendLabs have been talking about a disturbingly low-level attack method called TCP Hijacking (attack independently documented here). In addition to that, I also saw a slightly different low-level attack confirmed this morning on SANS ISC Diary (and they call those attacks “massive”).
These are both examples of a man-in-the-middle attack. In the SANS Diary example, a malicious or compromised computer on a network where one or more web servers are hosted uses a technique called ARP spoofing to fool those other servers into believing that it is the network gateway. That means that all information leaving that network must first pass through the compromised or malicious computer. In the TCP Hijacking example, a machine somewhere on the path between the browser and the destination web server is compromised and quite literally hijacks the connection between the two.
What does that mean to you, the internet user? Well, in a nutshell, this: If you visit a web site that is hosted in a network where this kind of ARP spoofing attack is taking place, the attacker can add extra code to every web page you view. This happens because the attacker receives all of the responses from the web server, modifies them and then sends them on to you. If you fall victim to TCP Hijacking, then the compromised machine is able to redirect your web browser to sites hosting malicious code.
It is very difficult for the web site owner or potential victim to know that this kind of attack is taking place, as their own machines have not been infected at all and the availability of their servers is not affected. The only ways they can see what is happening would be to inspect the actual network traffic, or to view the ARP caches on their web servers, something that would not normally be an everyday practice.
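To show what the ARP cache check above looks like in practice, here is an added example (not part of the original post) that parses `arp -n` style output, compares the gateway entry against a recorded known-good MAC, and flags one MAC answering for several IP addresses. The sample table, the 192.0.2.0/24 addresses and the baseline mapping are constructed for the example.

```python
import re

# Constructed sample of `arp -n` (Linux) output, as a server admin would capture it.
# The gateway 192.0.2.1 now resolves to the MAC already used by 192.0.2.51, which is
# the signature of the ARP spoofing attack described in the post.
SAMPLE_ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.0.2.1                ether   02:00:00:00:00:33   C                     eth0
192.0.2.20               ether   02:00:00:00:00:20   C                     eth0
192.0.2.51               ether   02:00:00:00:00:33   C                     eth0
"""

# Assumed baseline: the gateway MAC recorded when the network was last verified.
KNOWN_GOOD = {"192.0.2.1": "02:00:00:00:00:01"}

ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f:]{17})", re.I)

def parse_arp_table(text):
    """Return {ip: mac} from `arp -n` output; the header and incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def find_arp_anomalies(table, known_good):
    """Flag (a) baseline hosts whose MAC changed and (b) one MAC claimed by several IPs.

    A router that legitimately holds several addresses on one interface will also
    trigger (b), so such hosts belong in the baseline and need a human to confirm.
    """
    findings = []
    for ip, expected in known_good.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            findings.append(f"{ip}: expected {expected.lower()} but cache holds {seen}")
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} answers for {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings

if __name__ == "__main__":
    for finding in find_arp_anomalies(parse_arp_table(SAMPLE_ARP_TABLE), KNOWN_GOOD):
        print("ALERT", finding)
```

On a real server the same check runs on the live output of `arp -n` (or `ip neigh`) from a scheduled job, with the baseline stored off the host so a compromised machine cannot rewrite it.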
These attack methods are already out there in the wild and we have seen them redirecting to web pages designed to exploit the MS09-002 vulnerability in Windows Internet Explorer 7. A patch for this issue has been available from Microsoft since February 10th.
I would urge you all to make sure that all your installed software is up-to-date: web browsers, operating systems and of course any additional applications you may have installed, particularly those that interact with the web or web browser (browser plug-ins such as Adobe Flash or Apple QuickTime, for example). Personally, I use the free edition of Secunia Personal Software Inspector, which lets me know of any applications in need of patching on my PC.
Also of course make sure that your desktop anti-malware solution is always on and always up-to-date.