New Version of DNS-Changing Malware Detected

don

Administrator
Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Dec 16, 2008 10:40 am

New Version of DNS-Changing Malware Detected


A new twist in DNS-changing malware poisons other hosts on a local subnet, and installs a rogue DHCP server.

In a blog posting, JM Hipolito, technical communications spokesperson at Trend Micro, explained that once the malware was installed, "The system is turned into a DHCP server that monitors traffic and intercepts request packets from other computers in the network. It then replies to intercepted requests with packets containing malicious DNS servers. This causes the recipients of the malicious packets to be redirected to malicious sites without their consent."

Researchers at the SANS Internet Storm Center said that the technique does not have a 100 percent success rate.

In his blog posting, SANS Handler Bojan Zdrnja said, "While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place."

Trend Micro Advanced Threats Researcher Feike Hacquebord claimed that as the malware works, advertisements placed in websites are replaced with other advertisements that connect to the IP addresses used by cybercriminals.

Also, once a user clicks one of these targeted ads and gets connected to the cybercriminals' crafted site, any personal information they enter into the site can be leaked to this scheme's perpetrator. Hacquebord claimed that the estimated number of victims by this kind of threat have reached more than a million for November alone.



Original story:
http://www.scmagazineus.com/New-version ... le/122800/

Don
CISSP, MCSE, CSTA, Security+ SME
WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Thu Mar 03, 2011 7:16 pm

Re: New Version of DNS-Changing Malware Detected

I was going to send this in as a resource, but the topic of rogue DHCP servers hits close to home. In addition to this type of malware, a frequent problem at university housing is students bringing in wireless routers and connecting them to the LAN incorrectly, causing their new wireless router to start handing out IP addresses via DHCP. A solution we have found is using dhcdrop. It's in the net-mgmt ports for FreeBSD. What it does is send out DHCP discover packets. If it gets a response from a server that is not legitimate, then it sucks up all the address space the rogue router will hand out, rendering it harmless to other users.

Good times..... 
ISC2 Associate, WCNA, CWNA, OSCP, Network+
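A defender's check for the kind of rogue lease this thread is about, added here as an example that is not from the thread, from dhcdrop, or from Trend Micro: it parses the options of a captured DHCPOFFER/DHCPACK and flags a server identifier (option 54) or DNS servers (option 6) that are not on the subnet's allowlist. The trusted addresses are assumed and the sample packets are constructed, not captured.

```python
# Known-good servers for the subnet; assumed values for this example.
TRUSTED_DHCP_SERVERS = {"192.0.2.1"}
TRUSTED_DNS_SERVERS = {"192.0.2.53"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 section 3


def _ips(data: bytes) -> list[str]:
    """Decode a run of 4-byte IPv4 addresses into dotted strings."""
    return [".".join(map(str, data[i:i + 4])) for i in range(0, len(data) - 3, 4)]


def dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Map option code -> raw value for the options after the 236-byte BOOTP header."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:  # 255 = end option
        if packet[i] == 0:                       # 0 = pad, has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def audit(packet: bytes) -> list[str]:
    """Findings for one OFFER/ACK; an empty list means the lease looks legitimate."""
    opts = dhcp_options(packet)
    if opts.get(53) not in (b"\x02", b"\x05"):   # option 53: 2 = OFFER, 5 = ACK
        return []  # client messages carry no server-side settings
    server = _ips(opts[54])[0] if 54 in opts else "unknown"  # option 54: server id
    findings = []
    if server not in TRUSTED_DHCP_SERVERS:
        findings.append(f"untrusted DHCP server {server}")
    for dns in _ips(opts.get(6, b"")):           # option 6: DNS servers
        if dns not in TRUSTED_DNS_SERVERS:
            findings.append(f"untrusted DNS server {dns} handed out by {server}")
    return findings


def build_offer(server_id: str, dns: list[str]) -> bytes:
    """Constructed sample DHCPOFFER (BOOTP header zeroed) for testing; not a capture."""
    def ip(s: str) -> bytes: return bytes(map(int, s.split(".")))
    opts = (b"\x35\x01\x02"                                      # message type OFFER
            + b"\x36\x04" + ip(server_id)                        # server identifier
            + bytes([6, 4 * len(dns)]) + b"".join(map(ip, dns))  # DNS servers
            + b"\xff")                                           # end option
    return bytes(236) + MAGIC_COOKIE + opts
```

Feed it the OFFER/ACK payloads from a packet capture taken on the affected subnet; anything it flags is either the rogue server itself or a poisoned lease to chase down.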
WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Mon May 09, 2011 10:23 pm

Re: New Version of DNS-Changing Malware Detected

I don't know that there would be much interest in Rogue DHCP servers here but I did a video for dhcdrop that can be found here in case someone else has run into the problem:
http://www.securitytube.net/video/1840
ISC2 Associate, WCNA, CWNA, OSCP, Network+
