Although it has dropped out of the top 5 for the first time since Dec 2007, W32.Dashfer continues to pose a major threat to PC users in Vietnam. Last month, servers at a large number of Vietnamese hosting service providers (HSPs) were hit by this virus. As a result, each time visitors accessed these servers, they would see a malicious iframe injected into the websites' content.
According to Bkis's analysis, this situation is caused by new variants of the W32.Dashfer virus. From one infected server, Dashfer uses the Address Resolution Protocol (ARP) to send broadcast packets to all other servers in the same local area network, presenting itself as the system's default gateway. With this method, any traffic meant for the default gateway is mistakenly sent to the infected server instead, which modifies the data before forwarding it (a man-in-the-middle attack). More precisely, the websites hosted on these servers have a malicious iframe attached to their pages before the responses reach the clients.
Operating scheme of W32.Dashfer inside an infected web server system
Because W32.Dashfer modifies the responses of all servers in the same local area network, its impact can be very large in scale, and all visitors to websites hosted on these servers encounter the problem. To solve this, HSPs should redesign their server infrastructure to protect against ARP poisoning attacks within the LAN, and should also deploy a comprehensive virus prevention solution.
These incidents have occurred at almost all of the largest HSPs in Vietnam.
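
One way to spot the ARP poisoning described above, as an added example that is not from Bkis or the original article: it parses captured ARP frames and flags any frame that rebinds a known IP address, such as the default gateway, to a different MAC address. The addresses, the `trusted` table and the sample frames are constructed for illustration.

```python
import struct

ARP_ETHERTYPE = 0x0806

def sample_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet+ARP frame; used only to construct the sample input."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    eth = mac(target_mac) + mac(sender_mac) + struct.pack("!H", ARP_ETHERTYPE)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    return eth + arp + mac(sender_mac) + ip(sender_ip) + mac(target_mac) + ip(target_ip)

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip) for IPv4-over-Ethernet ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ARP_ETHERTYPE:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return op, sender_mac, sender_ip

def detect_poisoning(frames, trusted):
    """Flag ARP frames whose sender IP->MAC binding contradicts the trusted
    table (e.g. the gateway's known MAC) or the binding first observed."""
    seen, alerts = dict(trusted), []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue  # not ARP, or not IPv4 over Ethernet
        _op, mac, ip = parsed
        known = seen.setdefault(ip, mac)  # first sighting becomes the baseline
        if known != mac:
            alerts.append((index, ip, known, mac))
    return alerts

# Constructed sample traffic (documentation IP range, made-up MAC addresses).
GATEWAY_IP, GATEWAY_MAC = "192.0.2.1", "00:11:22:33:44:55"
INFECTED_MAC = "66:77:88:99:aa:bb"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = [
    sample_frame(2, GATEWAY_MAC, GATEWAY_IP, BCAST, "192.0.2.10"),    # real gateway
    sample_frame(2, INFECTED_MAC, "192.0.2.20", BCAST, "192.0.2.10"), # host's own IP
    sample_frame(2, INFECTED_MAC, GATEWAY_IP, BCAST, GATEWAY_IP),     # claims gateway IP
    b"\x00" * 60,                                                      # non-ARP frame
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE, {GATEWAY_IP: GATEWAY_MAC}):
        print("ARP binding changed: frame %d, %s was %s, now %s" % alert)
```

Pinning the gateway's MAC in `trusted` means the check still fires if monitoring starts after the poisoning has begun, when the first binding observed would already be the forged one.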