A new variant of the DNSChanger Trojan is appearing in DNS pharming attacks.
Once the malware, named Trojan.Flush.M by Symantec, infects a machine, it creates a rogue DHCP (Dynamic Host Configuration Protocol) server. DHCP is a protocol for assigning dynamic IP addresses to devices on a network. The compromised machine then sends bogus DHCP packets to other devices on the network when they request a new IP configuration.
It is a new move for the malware, which according to researchers at the SANS Internet Storm Center, has evolved from changing local DNS servers in the operating system to altering DNS server configurations in ADSL modems and routers.
As of late last week, the Trojan was not widely circulated, but is still notable due to the nature of the attack and the damage it could cause if successful.
“If the Trojan is fast enough in sending out these DHCP packets, with some luck it can modify the network configuration of other computers,” Symantec’s Elia Florio wrote in a blog post. “Since this is a race between the legit DHCP server and an infected machine running a rogue DHCP server, it all depends on luck and speed. We noticed that the attack is not always successful; sometimes the DHCP server packet arrives first and so everything goes fine.”
However, if the infected PC wins the race, it can use a DHCP offer command to instruct another computer on the network to route all DNS requests through a rogue DNS server. When the user logs onto the Internet with the non-infected computer, he or she can be redirected to rogue sites without their knowledge.
“Non-infected systems can alter between using approved DNS settings and rogue settings based on an infected system being on the LAN, and [there is] a random chance that the infected system will be able to ‘poison’ the DHCP offer,” wrote Craig Schmugar, threat researcher at McAfee, in a blog post.
To detect this attack, security researchers suggest administrators scan their traffic for bogus DHCP offer packets coming from a machine other than their DHCP server. According to SANS, the malware typically changes DNS server settings in the 85.255 network, and administrators should consider monitoring or blocking traffic to 85.255.112.0 – 85.255.127.255.