Posted on February 29, 2016 by CELO NET
Chinese ISPs Caught Injecting Ads and Malware into Web Pages
China has attracted considerable global attention for its Internet policies in recent years, whether through its home-grown search engine Baidu, the Great Firewall of China, its homebrew China Operating System (COS) or other measures.
Alongside these developments, China has long been criticized over suspected backdoors in its products; the Xiaomi and Star N9500 smartphones are prominent examples.
Now Chinese Internet Service Providers (ISPs) have been caught red-handed injecting advertisements and malware into the web traffic passing through their networks.
Three Israeli researchers found that two of Asia's largest network operators, China Telecom and China Unicom, have been engaged in the illegal practice of injecting false content into network traffic.
The ISPs set up servers that pollute clients' traffic not only with unwanted advertisements but, in some cases, with links to malware inside the websites they visit.
When a user's request traverses one of these networks, a forged response reaches the browser before the genuine one and sends it to content of the injector's choosing. As a result, the client's legitimate traffic ends up at malicious sites or ads, to the ISPs' benefit.
Here’s How Malware and Ads are Injected
In the research paper titled 'Website-Targeted False Content Injection by Network Operators,' the Israeli researchers wrote that the tactic has now spread to core ISPs, the operators that interconnect edge ISPs with the rest of the Internet.
These ISPs have set up dedicated servers that watch network traffic for specific URLs and alter it, regardless of whether the end users are their own customers.
Methods of injection: the ISPs use several techniques to tamper with legitimate traffic, including:
1) Out-of-Band TCP Injection
Unlike earlier in-line schemes, in which an ISP modified packets as they passed through its equipment, these operators send forged packets without dropping the legitimate ones.
Rather than intercepting and rewriting packets, the injector works from a copy of the traffic: it waits for an HTTP request of interest and then sends its own response crafted to look like the server's, with the same addresses, ports and TCP sequence numbers. The genuine server, which never sees the injector, answers as usual.
The result is two responses for a single request, and therefore a race: whichever response arrives first is the one the client's TCP stack accepts, and the injector, sitting closer to the client than the server does, usually wins.
Because the forged response does not always win the race, the injection looks intermittent and is harder to notice.
But since the legitimate packet is never dropped, a capture at the client records both responses, and a careful analysis with a capture tool such as netsniff-ng exposes the forgeries.
2) HTTP Injection
HTTP is a stateless client-server protocol carried over TCP. TCP accepts the first segment that arrives for a given sequence number and treats a later segment covering the same bytes as a stale duplicate, so if the forged response reaches the client first, that is the response the browser acts on.
In that case the user receives an HTTP 302 (redirect) status instead of the 200 (OK) the server actually sent, and the browser is sent off to the injector's links.
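The race described in the two sections above, as an added example that is not code from the researchers' paper: an injector that only observes the client's request derives the sequence and acknowledgement numbers it needs, fires a forged 302, and never touches the genuine 200. The receiver applies the standard TCP rule (RFC 9293) that bytes below RCV.NXT are old and are trimmed or discarded. The request, the page body and the redirect target are constructed for the example.

```python
"""Toy model of an out-of-band TCP injection race against one HTTP request.
Added example, not the paper's code. No network I/O; everything is in-process."""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int
    ack: int
    payload: bytes
    sender: str          # "client", "server" or "injector" (reporting only)


def forge_response(request: Segment, location: str) -> Segment:
    """Everything the injector needs is in the observed request: the response's
    seq is the request's ack, and it acknowledges the request bytes. `location`
    is the injector's own destination (constructed here)."""
    body = (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode()
    return Segment(seq=request.ack, ack=request.seq + len(request.payload),
                   payload=body, sender="injector")


def genuine_response(request: Segment, html: bytes) -> Segment:
    """The server's real answer carries exactly the same seq/ack numbers."""
    body = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            b"Content-Length: %d\r\n\r\n" % len(html)) + html
    return Segment(seq=request.ack, ack=request.seq + len(request.payload),
                   payload=body, sender="server")


@dataclass
class Receiver:
    """Minimal in-order receive side: bytes below RCV.NXT are old and trimmed,
    a segment lying entirely below RCV.NXT is dropped, and only bytes at or
    beyond RCV.NXT enter the byte stream the browser reads."""
    rcv_nxt: int
    stream: bytes = b""
    log: list = field(default_factory=list)

    def deliver(self, seg: Segment) -> None:
        end = seg.seq + len(seg.payload)
        if end <= self.rcv_nxt:
            self.log.append(f"{seg.sender}: discarded, all {len(seg.payload)} bytes already received")
            return
        if seg.seq < self.rcv_nxt:
            cut = self.rcv_nxt - seg.seq
            self.log.append(f"{seg.sender}: trimmed {cut} overlapping bytes")
            seg = Segment(self.rcv_nxt, seg.ack, seg.payload[cut:], seg.sender)
        if seg.seq != self.rcv_nxt:
            self.log.append(f"{seg.sender}: out of order, not modelled")
            return
        self.stream += seg.payload
        self.rcv_nxt = end


def race(request: Segment, arrival_order: list) -> tuple:
    """Feed the competing responses to a fresh receiver in arrival order and
    return (status line the browser sees, receiver log)."""
    rx = Receiver(rcv_nxt=request.ack)
    for seg in arrival_order:
        rx.deliver(seg)
    return rx.stream.split(b"\r\n", 1)[0].decode(), rx.log


# Constructed request: client seq 1001, expecting the server's first byte at 5001.
REQUEST = Segment(seq=1001, ack=5001, sender="client",
                  payload=b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n")
FORGED = forge_response(REQUEST, "http://ads.example/?r=1")     # constructed target
GENUINE = genuine_response(REQUEST, b"<html>real page</html>")

if __name__ == "__main__":
    for order in ((FORGED, GENUINE), (GENUINE, FORGED)):
        status, log = race(REQUEST, list(order))
        print([s.sender for s in order], "->", status, log)
```

When the forged segment arrives first the browser reads a 302; the genuine segment is not rejected outright but trimmed, so its tail bytes still land in the stream after the forged headers, which is one reason both responses are visible in a client-side capture. When the genuine segment arrives first, the shorter forged one falls entirely below RCV.NXT and is silently discarded, so the user sees nothing unusual.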
How to Identify Rogue Packets?
1) IP Identification
In many TCP/IP stacks the IP identification (IP ID) field is a counter incremented for every packet the host sends, so consecutive packets from the same server carry nearby values.
The forged packet arrives soon after the request and masquerades as a legitimate response, but its IP ID comes from the injector's counter rather than the server's, so it does not fit the sequence of the rest of the connection.
The forged packet is the one with the largest absolute difference between its identification value and the average of the identification values of all the other packets in the connection.
2) TTL (Time to Live)
Each packet carries a TTL value set by the sender and decremented by every router it passes, so the TTL on arrival reflects the number of hops the packet travelled.
A packet that arrives with a TTL different from the rest of the connection took a different path, which separates the injected response from the legitimate ones.
The forged packet is the one with the largest absolute difference between its TTL value and the average of the TTL values of all the other packets in the connection.
3) Timing Analysis
Timestamps recorded by a capture system at the entrance to the edge network reveal which packet is genuine.
Two responses carrying the same TCP sequence number that arrive within a few milliseconds of each other cannot both come from the server; a genuine retransmission would follow only after the server's retransmission timeout, which is far longer. The packet whose arrival time fits the timing of the rest of the connection is legitimate, and the one whose arrival time does not match is the forgery.
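The three checks above applied to a packet capture, as an added example that is not code from the paper. It first finds the race itself (two packets in the server-to-client direction with the same TCP sequence number but different payloads), then asks each heuristic which of the two is forged. `Pkt`, the addresses (RFC 5737 test range and a private client address), the IP IDs, TTLs and timestamps are all constructed; reading the timing heuristic as "a genuine response arrives about one server round trip after the request, measured from the handshake" is my assumption, not the paper's exact definition.

```python
"""Spot an out-of-band injection race in a capture and decide which of the two
competing responses is forged, using the IP ID, TTL and timing heuristics.
Added example with a constructed capture; not the researchers' code."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Pkt:
    ts: float       # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flags, e.g. "S", "SA", "PA"
    seq: int        # TCP sequence number
    ipid: int       # IP identification field
    ttl: int        # IP TTL as observed at the capture point
    payload: bytes


def find_races(pkts):
    """Group one direction's packets by TCP sequence number. Two packets at the
    same sequence number with *different* payloads cannot both come from the
    server: a genuine retransmission repeats the same bytes."""
    by_seq = defaultdict(list)
    for p in pkts:
        if p.payload:
            by_seq[(p.src, p.sport, p.dst, p.dport, p.seq)].append(p)
    return [g for g in by_seq.values() if len({p.payload for p in g}) > 1]


def _outlier(race, flow, field):
    """Paper's rule: the forged packet is the one whose `field` differs most
    from the average of that field over all the *other* packets in the flow."""
    def deviation(cand):
        others = [getattr(p, field) for p in flow if p is not cand]
        return abs(getattr(cand, field) - mean(others))
    return max(race, key=deviation)


def forged_by_ipid(race, flow):
    # IP IDs are 16-bit and wrap; on a long capture compare modulo 65536.
    return _outlier(race, flow, "ipid")


def forged_by_ttl(race, flow):
    return _outlier(race, flow, "ttl")


def forged_by_timing(race, request_ts, rtt):
    """Assumption: a genuine response arrives about one server round trip after
    the request, while an injector closer to the client answers much sooner.
    The candidate whose arrival is furthest from request_ts + rtt is forged."""
    return max(race, key=lambda p: abs((p.ts - request_ts) - rtt))


def analyze(capture, client, server):
    """Return [(forged_packet, votes)] for each race in the server->client
    direction; votes is how many of the three heuristics agree."""
    to_client = [p for p in capture if p.src == server and p.dst == client]
    syn = next(p for p in capture if p.src == client and p.flags == "S")
    synack = next(p for p in capture if p.src == server and p.flags == "SA")
    rtt = synack.ts - syn.ts                      # server RTT from the handshake
    results = []
    for race in find_races(to_client):
        first = min(p.ts for p in race)
        request_ts = max(p.ts for p in capture
                         if p.src == client and p.payload and p.ts < first)
        verdicts = [forged_by_ipid(race, to_client),
                    forged_by_ttl(race, to_client),
                    forged_by_timing(race, request_ts, rtt)]
        forged = max(race, key=verdicts.count)
        results.append((forged, verdicts.count(forged)))
    return results


# Constructed capture: one handshake, one GET, an injected 302 racing the real 200.
CLIENT, SERVER = "10.0.0.5", "203.0.113.10"
LEGIT_BODY = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real page</html>"
FORGED_BODY = b"HTTP/1.1 302 Found\r\nLocation: http://ads.example/?r=1\r\n\r\n"
SAMPLE_CAPTURE = [
    Pkt(0.000, CLIENT, SERVER, 40000, 80, "S",  1000, 7,     64, b""),
    Pkt(0.080, SERVER, CLIENT, 80, 40000, "SA", 5000, 12000, 48, b""),
    Pkt(0.081, CLIENT, SERVER, 40000, 80, "PA", 1001, 8,     64, b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n"),
    # injector near the client: own IP ID counter, fewer hops, answers in 4 ms
    Pkt(0.085, SERVER, CLIENT, 80, 40000, "PA", 5001, 31337, 59, FORGED_BODY),
    # genuine server: next IP ID, same TTL as the SYN/ACK, one RTT after the GET
    Pkt(0.161, SERVER, CLIENT, 80, 40000, "PA", 5001, 12001, 48, LEGIT_BODY),
    Pkt(0.162, SERVER, CLIENT, 80, 40000, "PA", 5001 + len(LEGIT_BODY), 12002, 48, b"<!-- more -->"),
]

if __name__ == "__main__":
    for forged, votes in analyze(SAMPLE_CAPTURE, CLIENT, SERVER):
        print(f"forged ({votes}/3 heuristics agree):", forged.payload.split(b"\r\n")[0])
```

On this capture all three heuristics point at the 302. In practice the IP ID check is the weakest of the three: some stacks randomise or zero the field, so a practitioner would lean on TTL and timing and treat IP ID as corroboration.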