New DNS trojan taints entire LAN from single box
One 'sploit pwns all
Internet security experts are warning of a new rash of malware attacks that can hijack the security settings of a wide variety of devices on a local area network, even when they are hardened or don't run on Windows operating systems.
Once activated, the trojan sets up a rogue DHCP (dynamic host configuration protocol) server on the infected host. Any device on the same LAN that broadcasts a DHCP request may then take its lease from the rogue server rather than the legitimate one, and along with the lease it receives the address of a malicious domain name system server in place of the one set up by the network administrator. The rogue DNS server answers lookups with the addresses of fraudulent websites that in many cases are hard to identify as impostors.
A new variant of Trojan.Flush.M is making the rounds, Johannes Ullrich, CTO of the SANS Internet Storm Center warns here. It offers several improvements over its predecessor, which was discovered in early December. Among other changes, the new strain no longer specifies a DNS domain name, making the rogue DHCP server harder to detect.
"This kind of malware is definitely dangerous because it affects systems that themselves are not vulnerable" to the trojan, Ullrich told The Register. "So all you need is one system infected in the network and it will affect a lot of other nonvulnerable systems."
Of course, one way to thwart the attack is to configure DNS server addresses statically on your iPhone, computer or other net-connecting device. A device with a static resolver ignores the DNS setting carried in the lease, so it will bypass the rogue DNS server even if it is unfortunate enough to get its IP address from the impostor DHCP server.
Such countermeasures are impractical for networks with thousands of machines, so Ullrich recommends administrators monitor for connections to any DNS server other than the one approved for the network. A third choice is to blacklist 184.108.40.206 and 220.127.116.11, the DNS servers used by the most recent variant. This is the least effective measure, since future variants will surely switch to new IP addresses. ®
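The two checks the article recommends, spotting a DHCP lease that points clients at an unapproved resolver and spotting hosts talking to any DNS server other than the approved one, can both be scripted. The following is an added example, not code from the article, SANS or the trojan's author: it parses the options field of a DHCP OFFER the way RFC 2132 lays it out (option 54 is the server identifier, option 6 the DNS server list) and then scans a few constructed flow-log lines for port-53 traffic to anything outside the approved resolver set. The addresses 10.0.0.1, 10.0.0.77 and the 203.0.113.0/24 test-net addresses are assumptions for the demonstration, as is the flow-log line format.

```python
import ipaddress
import re

# RFC 2132 option codes and the DHCP magic cookie that precedes the options
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

# Assumed network policy: one sanctioned DHCP server, one sanctioned resolver.
APPROVED_DHCP = {"10.0.0.1"}
APPROVED_DNS = {"10.0.0.1"}


def parse_dhcp_options(payload):
    """Parse the TLV options field of a BOOTP/DHCP message into {code: bytes}."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # end marker, anything after it is ignored
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:     # malformed packet: claims more bytes than present
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def ip_list(raw):
    """Decode a run of packed IPv4 addresses (option 6 may carry several)."""
    if len(raw) % 4:
        raise ValueError("IP list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw), 4)]


def check_offer(payload):
    """Flag an OFFER/ACK that comes from an unapproved server or pushes unapproved DNS."""
    opts = parse_dhcp_options(payload)
    msg_type = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN")
    server = ip_list(opts[OPT_SERVER_ID])[0] if OPT_SERVER_ID in opts else None
    dns = ip_list(opts.get(OPT_DNS, b""))
    findings = []
    if msg_type in ("OFFER", "ACK"):
        if server not in APPROVED_DHCP:
            findings.append("rogue DHCP server %s" % server)
        for d in dns:
            if d not in APPROVED_DNS:
                findings.append("unapproved DNS server %s pushed via option 6" % d)
    return {"type": msg_type, "server": server, "dns": dns, "findings": findings}


def build_options(msg_type, server_id, dns_servers):
    """Construct a DHCP options blob (used here only to fabricate test input)."""
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    body += bytes([OPT_DNS, len(raw)]) + raw
    return DHCP_MAGIC + body + bytes([OPT_END])


# Constructed flow-log lines (assumed format "src -> dst:port proto"), not real traffic.
SAMPLE_FLOWS = [
    "10.0.0.23 -> 10.0.0.1:53 udp",
    "10.0.0.23 -> 203.0.113.9:53 udp",
    "10.0.0.41 -> 10.0.0.1:53 udp",
    "10.0.0.41 -> 198.51.100.7:443 tcp",
]
FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+) (udp|tcp)$")


def unapproved_dns_flows(lines):
    """Return (src, dst) pairs for port-53 traffic to any resolver not on the approved list."""
    hits = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, dst, port, _proto = m.groups()
        if port == "53" and dst not in APPROVED_DNS:
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    legit = build_options(2, "10.0.0.1", ["10.0.0.1"])
    rogue = build_options(2, "10.0.0.77", ["203.0.113.9", "203.0.113.10"])
    print(check_offer(legit)["findings"])
    print(check_offer(rogue)["findings"])
    print(unapproved_dns_flows(SAMPLE_FLOWS))
```

The DHCP check is what a rogue-DHCP monitor on a span port or a DHCP snooping switch would do; the flow check is the egress-monitoring suggestion from the article and catches the infected clients regardless of which DHCP server they talked to, as long as the rogue resolver is outside the approved set.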
Protect the PCs Better
I'm not much of a network wonk anymore. I'm into endpoint security issues these days. So, in addition to the network remedies suggested above (oh and I would like to see digitally signed DNS), we need to do a better job of protecting PCs, which are far too vulnerable with their typical defenses. I seem to rant a lot about this on www.securitynowblog.com If interested, a couple of posts:
We cannot trust the software that runs on our PCs: http://www.securitynowblog.com/endpoint_security/computer-software-hijacked-malware-attack-steal
And this one about signature-based defense limitations:
In smaller organizations, PCs are disturbingly vulnerable.
...there was some service that provide free, open DNS resolution that you could point all your personal machines to, even when traveling.
Oh wait, there is.
an interesting conundrum
@ 2 thoughts
yes, you do indeed have to authorise a DHCP server in 2003, but from experience, this doesn't prevent a rogue DHCP server getting in. It just prevents the DHCP server from communicating with Active Directory and the internal DNS (that's how DNS updates its dynamic FQDN list).
We had a rather dumb art teacher in the school I used to work at, and periodically he would hard reset his Mac WAPs, thus re-enabling the built-in DHCP server.
Aside from requiring a damn good slap for throwing money away on Mac WAPs, (I can pay 3 times the going rate for half the features? Where's my wallet?!?!) realistically, rogue DHCP detection is the only practical solution, but quite a job if you have multiple sites.
I'm currently setting up SCCM 2007, which can make extensive use of WOL and Intel's AMT tech for Out Of Bounds management. Basically, it can power on a machine and gain BIOS-level control.
It requires a PKI SSL certificate installing, amongst other things, due to the security implications, so I'll be interested to see what other traffic security benefits can be gleaned.