Feeds

New DNS trojan taints entire LAN from single box

One 'sploit pwns all

The essential guide to IT transformation

Internet security experts are warning of a new rash of malware attacks that can hijack the security settings of a wide variety of devices on a local area network, even when they are hardened or don't run on Windows operating systems.

Once activated, the trojan sets up a rogue DHCP, or dynamic host configuration protocol, server on the host machine. From there, other devices using the same LAN are tricked into using a malicious domain name system server, instead of the one set up by the network administrator. The rogue DNS server sends the devices to fraudulent websites that in many cases can be hard to identify as impostors.

A new variant of Trojan.Flush.M is making the rounds, Johannes Ullrich, CTO of the SANS Internet Storm Center warns here. It offers several improvements over its predecessor, which was discovered in early December. Among other changes, the new strain no longer specifies a DNS domain name, making the rogue DHCP server harder to detect.

"This kind of malware is definitely dangerous because it affects systems that themselves are not vulnerable" to the trojan, Ullrich told The Register. "So all you need is one system infected in the network and it will affect a lot of other nonvulnerable systems."

Of course, one way to thwart the attack is to hardwire DNS server settings into your iPhone, computer or other net-connecting device. This will direct it to bypass the rogue DNS server even if the device is unfortunate enough to get its internet connection from the impostor DHCP server.

Such countermeasures are impractical for networks with thousands of machines, so Ullrich recommends administrators monitor connections to all DNS servers other then the one that's approved for the network. A third choice is to blacklist 64.86.133.51 and 63.243.173.162, which are the DNS servers used by the most recent variant. This is the least effective measure, since future variants will surely tap new IP addresses. ®

Next gen security for virtualised datacentres

More from The Register

next story
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Linux kernel devs made to finger their dongles before contributing code
Two-factor auth enabled for Kernel.org repositories
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.