A Trojan which Trend Micro detects as TROJ_DELF.BRK uses ARP poisoning as its payload. This Trojan drops two files, a dynamic link library (DLL) and a driver file. The driver file is needed by the malware in order to interact with the affected users NIC card.
Thus, when all traffic is redirected to the affected machine, a possible man-in-the-middle attack can take place. In the man-in-the-middle attack, stealing sensitive information such as usernames and passwords is possible. Another effect of the scenario is the Denial of Service to the other hosts found in the network whose traffic is being redirected to the affected machine.
Another possibility is sniffing network traffic which includes switch-based networks. Even though the switched network was designed to direct traffic to a particular host, sending heavy amount of ARP packets to the switch will force it to operate in “fail-safe mode” which operates like a hub. As we know, hubs send out packets to all hosts in the network and sniffing of traffic is easy.
This technique of ARP poisoning which was also used by PE_SNOW.A for Distributed Denial of Service detected back in January 2006 is being used by malware authors to gain their motives. And malwares will continue to “evolve” to circumvent security applied in the network and its hosts. Lastly, always update your antivirus pattern files to be secured from new malwares emerging from the internet.
References: