One infected system on the network is all it takes

Mar 17, 2009 09:29 GMT

Security researchers warn that a new variant of the infamous DNSChanger trojan has been detected in the wild. UDP broadcasting has been improved and anti-detection measures have been implemented.

The DNSChanger family of trojans has a long history. All variants share the same core idea, forcing infected systems to use DNS servers under the attackers' control, but the techniques used to achieve this have evolved over time.

This is a serious security risk: because DNS servers resolve host names to IP addresses, an attacker who controls one can redirect requests for legitimate websites to malicious clones of them.

For example, cybercrooks are using fake YouTube look-alike pages in order to trick users into downloading installers for rogue security applications (scareware). These are usually served as fake Flash Player upgrades or required video codecs. Being able to actually direct legit requests for youtube.com to such pages would significantly increase the success rate of these illegal income-generating schemes.

In December, a DNSChanger variant, identified as Trojan.Flush.M, upped the stakes when it employed a new technique able to poison the DNS requests of clean computers located on the same network as the infected one. It achieved this by installing its own DHCP server that intercepted DHCPDISCOVER packets flowing through the network. Once such a packet was intercepted, it responded with others containing fake configuration settings, including rogue DNS servers.

Johannes Ullrich, CTO of the SANS Internet Storm Center (ISC), cautions that a new, improved version of Trojan.Flush.M is currently making the rounds. Compared with its predecessor, the new trojan changes the DHCP lease time to one hour, sets the BootP Broadcast bit, and sets the destination MAC address to the broadcast address instead of the DHCP client's MAC. All of this serves to enhance its broadcasting capabilities.

It is notable that this technique hijacks DHCP requests not only from computer systems, but also from any DHCP-enabled hardware, such as smartphones and other handheld devices. In addition to better broadcasting, the new Flush variant no longer specifies a DNS Domain Name, making it harder for network admins to pinpoint the infected systems.

"Monitor connections to DNS servers other than the approved one pushed out by your DHCP server. This should help you spot this kind of malware," Mr. Ullrich recommends. Blocking the IP addresses of the rogue DNS servers, 64.86.133.51 and 63.243.173.162, could also help, but only in the short term, as they could change at any time.
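As an added example (not code from the article or from the ISC), here is a small Python checker that parses a DHCP server reply and flags the traits described above: resolvers outside the approved set, a one-hour lease, the BootP broadcast flag, and a missing DNS Domain Name option. The approved resolver 10.0.0.2, the domain corp.example and the two sample packets are constructed for the test; the rogue sample uses the two resolver IPs quoted in the article.

```python
import struct
from ipaddress import IPv4Address

# Resolver(s) pushed by the legitimate DHCP server: assumed example value.
APPROVED_DNS = {"10.0.0.2"}
BROADCAST_FLAG = 0x8000            # bit 15 of the BOOTP flags field
MAGIC_COOKIE = b"\x63\x82\x53\x63"

def parse_dhcp(packet):
    """Return the BOOTP broadcast flag and a {code: value} map of DHCP options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    flags = struct.unpack_from("!H", packet, 10)[0]
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                         # 0 = pad
            i += 1
            continue
        length = packet[i + 1]
        opts[packet[i]] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return bool(flags & BROADCAST_FLAG), opts

def rogue_offer_indicators(packet):
    """List the Flush.M traits present in a DHCP OFFER/ACK (empty list = clean)."""
    broadcast, opts = parse_dhcp(packet)
    if opts.get(53, b"\x00")[0] not in (2, 5):     # only inspect server replies
        return []
    dns = opts.get(6, b"")                         # option 6: DNS servers
    servers = [str(IPv4Address(dns[j:j + 4])) for j in range(0, len(dns) - 3, 4)]
    findings = []
    unapproved = [s for s in servers if s not in APPROVED_DNS]
    if unapproved:
        findings.append("unapproved DNS servers: " + ", ".join(unapproved))
    if 51 in opts and struct.unpack("!I", opts[51])[0] == 3600:
        findings.append("one-hour lease time")
    if broadcast:
        findings.append("BOOTP broadcast flag set")
    if 15 not in opts:                             # option 15: DNS Domain Name
        findings.append("no DNS Domain Name option")
    return findings

def _offer(options, broadcast):
    """Constructed test input: minimal BOOTP reply header plus the given options."""
    flags = BROADCAST_FLAG if broadcast else 0
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, flags) + bytes(224)
    return header + MAGIC_COOKIE + options + b"\xff"

# Rogue sample: article's resolver IPs, 3600 s lease, broadcast flag, no domain name.
ROGUE_OFFER = _offer(b"\x35\x01\x02\x33\x04" + struct.pack("!I", 3600) + b"\x06\x08"
                     + IPv4Address("64.86.133.51").packed + IPv4Address("63.243.173.162").packed, True)
# Legitimate sample: approved resolver, one-day lease, unicast, domain name present.
LEGIT_OFFER = _offer(b"\x35\x01\x02\x33\x04" + struct.pack("!I", 86400) + b"\x06\x04"
                     + IPv4Address("10.0.0.2").packed + b"\x0f\x0c" + b"corp.example", False)
```

Run over DHCP replies captured on an untrusted segment, any non-empty result points at a rogue server to track down by its source MAC.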