
Ads and malware apparently being injected into traffic from China via major network infrastructure providers

Three Israeli researchers claim to have uncovered evidence of traffic injection – including malware – taking place at the infrastructural level of network connectivity, rather than via edge ISPs who are merely leasing line space. The primary originators of the attacks appear to be China Telecom and China Unicom, two of Asia’s largest network operators.

In the paper Website-Targeted False Content Injection by Network Operators [PDF], Gabi Nakibly, Jaime Schcolnik, and Yossi Rubin outline several months spent analysing bidirectional HTTP traffic captured with the netsniff-ng toolkit, and their discovery of packet injection relating to ads and malware. Interestingly, the technique they saw in use, out-of-band TCP injection, did not involve interception and rewriting of the network packets, but rather cloning, wherein the actor replicates and adulterates a network packet and then sends the copy on ahead of the original:

‘Our study is based on the observation that the forged traffic is injected in an out-of-band manner: the network operators do not update the network packets in-path, but rather send the forged packets without dropping the legitimate ones. This creates a race between the forged and the legitimate packets as they arrive to the end user. This race can be identified and analyzed. Our analysis shows that the main purpose of content injection is to increase the network operators’ revenue by inserting advertisements to websites. Nonetheless, surprisingly, we have also observed numerous cases of injected malicious content.’

The researchers note that the use of HTTPS, presumably at a reasonably strong level of encryption, precludes the kind of attacks detailed in the paper. They also emphasise that the injections do not originate at the level of ISPs, who are merely occupying infrastructure space, and who may have a history of trying to monetise their users’ traffic by interjecting ads into it.
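The race the researchers describe leaves a signature in a capture: two segments in the same flow that reuse one TCP sequence number but carry different payloads, both of which reach the client. The following is an added illustration (not the researchers' own tooling) that flags such races in Python over a constructed sample capture; the addresses and hostname are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (constructed record, not a pcap parser)."""
    ts: float        # capture timestamp in seconds
    src: str         # server address
    sport: int
    dst: str         # client address
    dport: int
    seq: int         # TCP sequence number
    payload: bytes


def detect_oob_injection(segments, window=0.5):
    """Find out-of-band injection races in a capture.

    A forged segment reuses the sequence number of a legitimate one but
    carries a different payload, and both arrive because the injector does
    not drop the original. Retransmissions also repeat sequence numbers but
    with identical payloads, so they are excluded. Returns (winner, loser)
    pairs, the winner being the segment that reached the client first.
    """
    first_seen = {}
    races = []
    for seg in sorted(segments, key=lambda s: s.ts):
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        prev = first_seen.get(key)
        if prev is None:
            first_seen[key] = seg
        elif prev.payload != seg.payload and seg.ts - prev.ts <= window:
            races.append((prev, seg))
    return races


# Constructed sample capture: documentation addresses, hypothetical hostname.
CLIENT, SERVER = "192.0.2.5", "203.0.113.10"
SAMPLE_SEGMENTS = [
    # forged copy arrives first and wins the race
    Segment(0.010, SERVER, 80, CLIENT, 51234, 1000,
            b'HTTP/1.1 200 OK\r\n\r\n<script src="http://ads.example.invalid/i.js"></script>'),
    # legitimate segment, same seq, arrives 4 ms later
    Segment(0.014, SERVER, 80, CLIENT, 51234, 1000,
            b"HTTP/1.1 200 OK\r\n\r\n<html><body>Hello</body></html>"),
    # genuine retransmission: same seq, identical payload, not a race
    Segment(0.200, SERVER, 80, CLIENT, 51234, 2000, b"<p>more</p>"),
    Segment(0.450, SERVER, 80, CLIENT, 51234, 2000, b"<p>more</p>"),
]

if __name__ == "__main__":
    for winner, loser in detect_oob_injection(SAMPLE_SEGMENTS):
        print(f"seq {winner.seq}: {winner.payload[:40]!r} beat {loser.payload[:40]!r}")
```

On real traffic the same comparison is run per flow over the server-to-client direction, and the time gap between the two copies is itself evidence of where on the path the injector sits.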


Though advertisement injection predominates in the cases studied, approximately 40% of the injection attempts involved the placement of JavaScript-based malware. In one case an attack injected a JavaScript that appends content to the domain wa.kuwo.cn, and another prompted a download of an executable file. In a further case the domain registered to Gambling Portal Webmasters Association (www.gpwa.org) was subject to forged content from the similarly-named but otherwise empty domain qpwa.org, registered in Romania.

The paper describes the process of forging a TCP segment over an unencrypted connection as ‘trivial’, and the study involved analysis of 1.5 petabytes of data and 1.5 million IP addresses.

The implications of the study, if true, are significant, in that interception and packet-replication is taking place at an infrastructural level, the highest available vantage point on any network.
