The Register® — Biting the hand that feeds IT


New DNS trojan taints entire LAN from single box

One 'sploit pwns all


Internet security experts are warning of a new rash of malware attacks that can hijack the security settings of a wide variety of devices on a local area network, even when they are hardened or don't run on Windows operating systems.

Once activated, the trojan sets up a rogue DHCP, or dynamic host configuration protocol, server on the host machine. From there, other devices using the same LAN are tricked into using a malicious domain name system server, instead of the one set up by the network administrator. The rogue DNS server sends the devices to fraudulent websites that in many cases can be hard to identify as impostors.

A new variant of Trojan.Flush.M is making the rounds, Johannes Ullrich, CTO of the SANS Internet Storm Center warns here. It offers several improvements over its predecessor, which was discovered in early December. Among other changes, the new strain no longer specifies a DNS domain name, making the rogue DHCP server harder to detect.

"This kind of malware is definitely dangerous because it affects systems that themselves are not vulnerable" to the trojan, Ullrich told The Register. "So all you need is one system infected in the network and it will affect a lot of other nonvulnerable systems."

Of course, one way to thwart the attack is to hardwire DNS server settings into your iPhone, computer or other net-connecting device. This will direct it to bypass the rogue DNS server even if the device is unfortunate enough to get its internet connection from the impostor DHCP server.

Such countermeasures are impractical for networks with thousands of machines, so Ullrich recommends administrators monitor connections to all DNS servers other than the one that's approved for the network. A third choice is to blacklist 64.86.133.51 and 63.243.173.162, which are the DNS servers used by the most recent variant. This is the least effective measure, since future variants will surely tap new IP addresses. ®
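One way to implement the detection Ullrich recommends, written here as an added example rather than code from the ISC or The Register: it parses the option area of DHCP OFFER/ACK messages seen on the LAN and flags any offer whose server identifier (option 54) or DNS-server list (option 6) is not on the administrator's approved list. The approved addresses and the `build_offer` helper that fabricates sample messages are assumptions for illustration; the rogue DNS addresses in the usage are the two the article names.

```python
import ipaddress

# Approved infrastructure for this LAN (constructed placeholder values).
APPROVED_DHCP = {"192.0.2.1"}
APPROVED_DNS = {"192.0.2.53"}

DHCP_COOKIE = b"\x63\x82\x53\x63"  # magic cookie that follows the 236-byte BOOTP header


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the RFC 2132 TLV option area of a raw BOOTP/DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:       # pad option, single byte
            i += 1
            continue
        if code == 255:     # end option
            break
        length = payload[i + 1] if i + 1 < len(payload) else 0
        opts[code] = payload[i + 2 : i + 2 + length]  # tolerates a truncated tail
        i += 2 + length
    return opts


def ip_list(raw: bytes) -> list:
    """Decode a run of 4-byte IPv4 addresses, ignoring any trailing partial address."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(payload: bytes) -> list:
    """Return findings for a DHCP OFFER (53=2) or ACK (53=5) that points at unapproved servers."""
    opts = parse_dhcp_options(payload)
    if opts.get(53, b"")[:1] not in (b"\x02", b"\x05"):
        return []                      # DISCOVER/REQUEST etc. carry no server choice
    servers = ip_list(opts.get(54, b""))
    findings = [f"rogue DHCP server {s}" for s in servers if s not in APPROVED_DHCP]
    for dns in ip_list(opts.get(6, b"")):
        if dns not in APPROVED_DNS:
            findings.append(f"unapproved DNS server {dns} offered by {', '.join(servers) or 'unknown'}")
    return findings


def build_offer(server: str, dns: list) -> bytes:
    """Construct a minimal DHCPOFFER for testing (sample data, not a real capture)."""
    body = b"\x35\x01\x02"                                   # option 53: DHCPOFFER
    body += b"\x36\x04" + ipaddress.IPv4Address(server).packed  # option 54: server id
    body += b"\x06" + bytes([4 * len(dns)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return bytes(236) + DHCP_COOKIE + body + b"\xff"
```

Running `check_offer(build_offer("192.0.2.99", ["64.86.133.51", "63.243.173.162"]))` yields three findings, one for the rogue server and one per unapproved resolver, while an offer from the approved server yields none.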


Latest Comments

Protect the PCs Better

I'm not much of a network wonk anymore. I'm into endpoint security issues these days. So, in addition to the network remedies suggested above (oh, and I would like to see digitally signed DNS), we need to do a better job of protecting PCs, which are far too vulnerable with their typical defenses. I seem to rant a lot about this on www.securitynowblog.com. If interested, a couple of posts:

We cannot trust the software that runs on our PCs: http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal

And this one about signature-based defense limitations:

http://www.securitynowblog.com/endpoint_security/secunia_report_signature-based_antivirus_misses_most_unknown_malware

In smaller organizations, PCs are disturbingly vulnerable.

- Eirik


If only...

...there was some service that provides free, open DNS resolution that you could point all your personal machines to, even when traveling.

Oh wait, there is.

- John


An interesting conundrum

@ 2 thoughts

Yes, you do indeed have to authorise a DHCP server in 2003, but from experience, this doesn't prevent a rogue DHCP server getting in. It just prevents the DHCP server from communicating with Active Directory and the internal DNS (that's how DNS updates its dynamic FQDN list).

We had a rather dumb art teacher in the school I used to work at, and periodically, he would hard reset his mac WAPs, thus re-enabling the built-in DHCP server.

Aside from requiring a damn good slap for throwing money away on Mac WAPs, (I can pay 3 times the going rate for half the features? Where's my wallet?!?!) realistically, rogue DHCP detection is the only practical solution, but quite a job if you have multiple sites.

I'm currently setting up SCCM 2007, which can make extensive use of WOL and Intel's AMT tech for Out Of Bounds management. Basically, it can power on a machine and gain BIOS-level control.

It requires a PKI SSL certificate installing, amongst other things, due to the security implications, so I'll be interested to see what other traffic security benefits can be gleaned.

