Symantec, McAfee Researchers See New Trojan in DNS Pharming Attacks
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Symantec, McAfee Researchers See New Trojan in DNS Pharming Attacks

Written By
Brian Prince
Brian Prince
Dec 8, 2008
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

A new variant of the DNSChanger Trojan is appearing in DNS pharming attacks.
Once the malware, named Trojan.Flush.M by Symantec, infects a machine, it creates a rogue DHCP (Dynamic Host Configuration Protocol) server. DHCP is a protocol for assigning dynamic IP addresses to devices on a network. The compromised machine then sends bogus DHCP packets to other devices on the network when they request a new IP configuration.

It is a new move for the malware, which according to researchers at the SANS Internet Storm Center, has evolved from changing local DNS servers in the operating system to altering DNS server configurations in ADSL modems and routers.

As of late last week, the Trojan was not widely circulated, but is still notable due to the nature of the attack and the damage it could cause if successful.
“If the Trojan is fast enough in sending out these DHCP packets, with some luck it can modify the network configuration of other computers,” Symantec’s Elia Florio wrote in a blog post. “Since this is a race between the legit DHCP server and an infected machine running a rogue DHCP server, it all depends on luck and speed. We noticed that the attack is not always successful; sometimes the DHCP server packet arrives first and so everything goes fine.”

However, if the infected PC wins the race, it can use a DHCP offer command to instruct another computer on the network to route all DNS requests through a rogue DNS server. When the user logs onto the Internet with the non-infected computer, he or she can be redirected to rogue sites without their knowledge.

“Non-infected systems can alter between using approved DNS settings and rogue settings based on an infected system being on the LAN, and [there is] a random chance that the infected system will be able to ‘poison’ the DHCP offer,” wrote Craig Schmugar, threat researcher at McAfee, in a blog post.
To detect this attack, security researchers suggest administrators scan their traffic for bogus DHCP offer packets coming from a machine other than their DHCP server. According to SANS, the malware typically changes DNS server settings in the 85.255 network, and administrators should consider monitoring or blocking traffic to 85.255.112.0 – 85.255.127.255.
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information