http://www.kindsight.net/en/blog/2012/07/11/has-network-been-warped [Thanks to TD for providing the link]
The Warp Trojan demonstrates a bold new method by which malware writers are forcing computers to visit their exploit sites on the Internet and recruit those systems into their army of compromised machines. Warp does this by becoming a network middleman, arranging for all local network traffic to flow through it, and then injecting a malicious URL into any passing web traffic. This Trojan is particularly stealthy in that the injected HTML code is not obvious to the recipient of the compromised web page and, should it be discovered, one would more likely conclude that the web-server itself was compromised, not that the flow of network traffic between the computers has been “Warped”. Finding the true source of that URL injection, the middle-man, on a larger network requires a network sniffer and the ability to identify the offending machine by its MAC address.

THE DISCOVERY

I was recently visiting a trusted website and noticed that a key element of it was not resolving properly. Upon investigation of the underlying HTML code sent to my browser, I noted the inclusion of an IFRAME tag that just did not belong.

[Image Removed]

Thinking that the webserver had been hacked, we conducted a quick forensic analysis of it and restored the entire system to a trusted state with the original installation media. When that failed to resolve the apparent issue with the website, we performed a quick review of the network traffic of both computers, the server and my desktop, and were able to identify the culprit. The source of the HTML injection was not the desktop or server but rather a third computer that managed to make itself a network middle-man on one of our subnets. Removing that infected system from the network quickly resolved the issue.

...

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
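The sniffer-based check the post describes (HTTP responses that carry the server's IP but arrive from a MAC address that is not the server's) as an added Python example; this is not code from the blog post or the list message, and the MACs, IPs and frame payloads are constructed sample data.

```python
"""Spot a LAN middleman injecting IFRAMEs by comparing source MAC to the
server's known MAC. Frames are constructed tuples of
(src_mac, src_ip, dst_ip, tcp_src_port, payload), standing in for a capture."""
import re
from collections import defaultdict

# Assumed inventory: the web server's IP and the MAC it really uses
# (e.g. from switch port tables or DHCP leases). Constructed values.
KNOWN_HOSTS = {"192.0.2.10": "00:11:22:33:44:55"}

IFRAME_RE = re.compile(rb"<iframe\b[^>]*?\bsrc=[\"']?([^\"' >]+)", re.IGNORECASE)

# Constructed frames: two genuine responses from the server's real MAC and one
# response claiming the server's IP but sent by a different MAC with an IFRAME.
FRAMES = [
    ("00:11:22:33:44:55", "192.0.2.10", "192.0.2.50", 80,
     b"HTTP/1.1 200 OK\r\n\r\n<html><body>ok</body></html>"),
    ("de:ad:be:ef:00:01", "192.0.2.10", "192.0.2.50", 80,
     b"HTTP/1.1 200 OK\r\n\r\n<html><body>ok<iframe src=\"http://example.invalid/x\""
     b" width=0 height=0></iframe></body></html>"),
    ("00:11:22:33:44:55", "192.0.2.10", "192.0.2.51", 80,
     b"HTTP/1.1 200 OK\r\n\r\n<html>fine</html>"),
]


def macs_by_ip(frames):
    """Map each source IP to the set of MAC addresses seen sending as that IP."""
    seen = defaultdict(set)
    for src_mac, src_ip, *_ in frames:
        seen[src_ip].add(src_mac)
    return seen


def find_impostors(frames, known=KNOWN_HOSTS):
    """Return {ip: {macs}} for MACs sending with a known host's IP that are not that host."""
    return {ip: macs - {known[ip]} for ip, macs in macs_by_ip(frames).items()
            if ip in known and macs - {known[ip]}}


def find_injections(frames, known=KNOWN_HOSTS):
    """Return (src_mac, iframe_url) for HTTP responses carrying an IFRAME that did
    not come from the server's real MAC, i.e. the middleman's handiwork."""
    hits = []
    for src_mac, src_ip, _dst_ip, sport, payload in frames:
        match = IFRAME_RE.search(payload) if sport == 80 else None
        if match and known.get(src_ip) != src_mac:
            hits.append((src_mac, match.group(1).decode()))
    return hits


if __name__ == "__main__":
    print("impostor MACs:", find_impostors(FRAMES))
    print("injected IFRAMEs:", find_injections(FRAMES))
```

On a real network the same comparison is done against a capture from a mirror port, and the offending MAC is then traced to a switch port.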