Chinese security team becomes malware victim

Even security groups are not immune to malware writers: the Chinese Internet Security Response Team (CISRT) has apologised for occasionally serving up malicious code to visitors to its Web site.

"We are very sorry that when sometimes visiting our ... pages, malicious codes are inserted," CISRT posted on its English-language Web site.

A short line of malicious code placed at the top of some of its Web pages can result in browsers being directed to sites housing malware. Should users visit an infected page, a 37 KB file, "sms.exe", is downloaded, which antivirus company Kaspersky has identified as Trojan-Downloader.Win32.Baser.w.

The attack exploits buffer overflow vulnerabilities in the Chinese-developed browser-based media player, BaoFeng Storm. Symantec's antivirus centre warned that BaoFeng Storm's ActiveX control is "prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied data."

CISRT believes its Web site is not necessarily compromised, but has rather come under an "ARP" attack, sometimes referred to as ARP poisoning or spoofing.

Patrik Runald from Finnish security firm F-Secure said that it is unusual for a security response team's Web site to be hacked like this, but that if it is indeed an ARP attack, it uses a very complicated method.

"It's not really easy to make happen. When a computer makes a request somewhere [on the network], they use the ARP number, which is sometimes called a MAC ID. The bottom line is if you can spoof an ARP you can insert yourself between a client and server -- for example at the gateway.

"If you're on an internal network, you can spoof an ARP packet so that any machine wanting to connect to a Web site will be routed to a malicious machine. From here you can insert an iFrame line and it would only affect people going through that gateway."
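The symptom Runald describes, a second machine answering for the gateway's IP address, is visible to a passive monitor on the same segment. The following is an added illustration, not code from the original article or from any of the firms quoted; the ARP reply records and the gateway address 192.168.1.1 are constructed, and it assumes the first MAC seen for an IP (or a supplied inventory) is the legitimate one.

```python
"""Flag IPs that are answered by more than one MAC in a stream of ARP replies.

Added example, not part of the original article. Input records are constructed.
"""
from collections import defaultdict

# Constructed sample of ARP replies observed on a LAN: (timestamp, sender_ip, sender_mac).
# 192.168.1.1 is assumed to be the gateway in this sample.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),
    (1.0, "192.168.1.20", "00:11:22:33:44:20"),
    (2.5, "192.168.1.1", "00:11:22:33:44:01"),
    (3.0, "192.168.1.1", "DE:AD:BE:EF:00:99"),   # a second MAC claims the gateway IP
    (3.2, "192.168.1.1", "00:11:22:33:44:01"),   # the real gateway answers again
    (4.0, "192.168.1.20", "00:11:22:33:44:20"),
]


def detect_arp_conflicts(replies, watch_ips=None, baseline=None):
    """Return one alert per reply whose MAC differs from the IP's expected MAC.

    replies:   iterable of (timestamp, ip, mac)
    watch_ips: optional set of IPs to check (e.g. only the gateway); None checks all
    baseline:  optional {ip: mac} from a trusted inventory; IPs not listed are
               trusted on first sight, which is an assumption an attacker who
               answers first could abuse, hence the inventory option.
    """
    expected = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        if watch_ips is not None and ip not in watch_ips:
            continue
        mac = mac.lower()
        known = expected.setdefault(ip, mac)
        if mac != known:
            alerts.append({"time": ts, "ip": ip, "expected_mac": known, "seen_mac": mac})
    return alerts


def macs_per_ip(replies):
    """Map each IP to the sorted list of MACs that have claimed it; a gateway
    flapping between two MACs is the intermittent pattern described in the text."""
    seen = defaultdict(set)
    for _ts, ip, mac in replies:
        seen[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in seen.items()}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES, watch_ips={"192.168.1.1"}):
        print(f"t={alert['time']}: {alert['ip']} answered by {alert['seen_mac']}, "
              f"expected {alert['expected_mac']}")
```

Run against a capture of ARP traffic taken at the gateway side rather than on a single client, since, as the article notes, only hosts behind the poisoned segment see the injected content.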

Australian security firm Sunnet Beskerming, which first reported the attack, wrote that by intermittently serving the malicious iFrame, the attacker can extend the life of a hack by making it harder to isolate and investigate.

"With intermittent attacks on visitors it also means that investigators need to look at all of the intermediate connections between site visitors and the Web site," Sunnet Beskerming reported.
