ARP spoofing for fun and profit

So we all know ARP poisoning / spoofing is really easy to do and it's not a new concept at all . . . but the miscreants appear to have finally figured out a way to make money using it. 
Check out this blog post from my buddy Neil Carpenter - who joined the PSS Security team shortly after I left . . . https://blogs.technet.com/neilcar/archive/2007/06/28/arp-cache-poisoning-incident.aspx

He's got a nice write-up on some new malware the team came across a while back . . . the malware, once resident on a 'patient 0' machine, starts ARP'ing as the default gateway, enticing all the packets on the subnet to travel through it . . . it would then inject an IFRAME into the HTTP response packets going back to the various clients on the subnet.  The injected IFRAME would of course point to some JavaScript on a remote malicious web server that would then exploit the ANI vuln to get code exec and start the process of making money for the bad guys.
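
As an added example (not from this post or from Neil's write-up), here is a defender-side check for the behaviour described above: it parses raw Ethernet/ARP frames and flags any ARP packet that binds the default gateway's IP to a MAC other than the known-good one. The addresses, sample frames and function names are constructed for illustration, and the gateway's real MAC is assumed to be known in advance.

```python
import struct

GATEWAY_IP = "192.0.2.1"             # constructed (TEST-NET-1) address
GATEWAY_MAC = "02:00:00:00:00:01"    # assumed known-good gateway MAC

def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(p) for p in s.split("."))

def build_frame(eth_src, eth_dst, oper, sha, spa, tha, tpa):
    """Build a 42-byte Ethernet + ARP frame (used only for the sample data)."""
    return (_mac(eth_dst) + _mac(eth_src) + struct.pack("!H", 0x0806)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + _mac(sha) + _ip(spa) + _mac(tha) + _ip(tpa))

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, eth_src) or None if not IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return oper, fmt(frame[22:28]), ".".join(map(str, frame[28:32])), fmt(frame[6:12])

def find_gateway_spoofing(frames, gateway_ip, gateway_mac):
    """Flag ARP packets that bind the gateway IP to an unexpected MAC."""
    alerts = []
    for index, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        oper, sender_mac, sender_ip, eth_src = parsed
        if sender_ip == gateway_ip and sender_mac != gateway_mac:
            alerts.append((index, "gateway-ip-claimed", sender_mac))
        elif sender_mac != eth_src:
            # ARP payload disagrees with the Ethernet header: also suspicious
            alerts.append((index, "sender-mac-mismatch", eth_src))
    return alerts

HOST_MAC, BCAST, ZERO = "02:00:00:00:00:17", "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
SAMPLE_FRAMES = [  # constructed capture
    build_frame(GATEWAY_MAC, HOST_MAC, 2, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, "192.0.2.23"),
    build_frame(HOST_MAC, BCAST, 1, HOST_MAC, "192.0.2.23", ZERO, "192.0.2.40"),
    build_frame(HOST_MAC, BCAST, 2, HOST_MAC, GATEWAY_IP, BCAST, GATEWAY_IP),  # host claims gateway IP
    bytes(12) + b"\x08\x00" + bytes(28),  # non-ARP frame, ignored
]

if __name__ == "__main__":
    for alert in find_gateway_spoofing(SAMPLE_FRAMES, GATEWAY_IP, GATEWAY_MAC):
        print(alert)
```

On a real subnet the same comparison is what a statically configured gateway ARP entry or switch-level ARP inspection enforces; the script only shows the signal those controls act on.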

Related to the 'Italian Job' that I failed to blog about last week?  Probably not - those servers definitely appear to have been auto-pwn3d (i.e. the actual web pages on the server were modified and the IFRAME was injected there) . . . but still - one can only imagine that this type of malware will become more prevalent in the future . . .

Oh - and those 'Italian Job' web servers all seemed to have one thing in common . . . Apache . . .