A new trojan variant poisons DNS responses to DHCP clients

Dec 5, 2008 12:53 GMT

A new type of attack that compromises the DNS settings of networked computers is being used by a recent variant of an older trojan. According to malware analysts from Symantec, the trojan registers a new service on the infected system that serves fake DNS entries to DHCP clients on the same network.

Several malicious applications have relied on compromising the DNS settings of computers during the past few years. They include widespread trojans from the Zlob family, which affect both Windows and Macintosh operating systems. “The DNSChanger/Puper/Zlob gang has been very successful, infecting millions of PCs during the last couple of years. This gang typically uses strong social engineering to entice victims into installing the malware,” explains Dan Sommer on the McAfee Avert Labs blog.

There are several techniques that these applications use in order to replace the DNS servers configured on infected computers. One of the oldest tactics involves altering the Windows Hosts file, overriding legit responses for chosen host names. The DNSChanger trojan, which is also known as Trojan.Flush, dropped this approach and started altering the DNS server entries entirely, replacing them with fake ones pointing to servers controlled by the attackers.

This was achieved by modifying registry entries, and it gave the cyber-criminals more freedom to change the malware distribution hosts that were served, because it was a lot easier to modify the settings on one server than to update the Hosts file on every compromised system. Other, newer variants integrate CSRF (cross-site request forgery) exploits in order to compromise network routers directly.

With the new Trojan.Flush.M variant discovered by Symantec on December 3, 2008, the approach to DNS altering seems to have shifted again. The trojan now makes use of a legit file, ndisprot.sys, the ArcNet NDIS Protocol Driver, in order to set up a fake DHCP server on the compromised system. This is registered as a service on the machine and intercepts DHCPDISCOVER packets from the other computers on the network.

The rogue DHCP server responds to legit requests with packets that hand out malicious DNS servers from the 85.255.112.0/20 block. This is an IP range known for being used in various online illegal activities. The anti-spam organization Spamhaus added it to its block list last year, and Bojan Zdrnja from the SANS Internet Storm Center notes that “it's probably wise to at least monitor traffic to 85.255.112.0 – 85.255.127.255, if not block it.”
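As an added defensive example (not code from the article, Symantec or SANS), the following Python parses the option area of a DHCP offer and flags one that either hands out DNS servers inside 85.255.112.0/20 or carries a server identifier other than the network's own DHCP server. The 192.168.1.x addresses and the two sample offers are constructed for illustration.

```python
import ipaddress

SUSPECT_DNS_BLOCK = ipaddress.ip_network("85.255.112.0/20")   # block named in the article
KNOWN_DHCP_SERVERS = {ipaddress.ip_address("192.168.1.1")}   # constructed: our legit DHCP server
DHCP_MAGIC = b"\x63\x82\x53\x63"                              # cookie that opens the option area (RFC 2132)


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the TLV option area into {code: raw bytes}; skip PAD, stop at END."""
    idx = payload.find(DHCP_MAGIC)
    if idx < 0:
        raise ValueError("not a DHCP message: magic cookie missing")
    i, options = idx + 4, {}
    while i < len(payload) and payload[i] != 255:
        code = payload[i]
        if code == 0:                      # PAD: single byte, no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options

def offered_dns_servers(payload: bytes) -> list:
    """DNS servers handed out in option 6, as ip_address objects (whole 4-byte entries only)."""
    raw = parse_dhcp_options(payload).get(6, b"")
    return [ipaddress.ip_address(raw[j:j + 4]) for j in range(0, len(raw) - len(raw) % 4, 4)]

def is_rogue_offer(payload: bytes, known_servers=KNOWN_DHCP_SERVERS) -> bool:
    """Flag an offer whose DNS list touches the suspect block, or whose server
    identifier (option 54) is not a DHCP server we operate."""
    if any(dns in SUSPECT_DNS_BLOCK for dns in offered_dns_servers(payload)):
        return True
    server_id = parse_dhcp_options(payload).get(54)
    return bool(server_id) and ipaddress.ip_address(server_id) not in known_servers

def build_offer(server_id: str, dns_servers) -> bytes:
    """Constructed minimal DHCPOFFER (zeroed BOOTP header) used only as sample input."""
    opts = b"\x35\x01\x02\x36\x04" + ipaddress.ip_address(server_id).packed   # type=OFFER, server id
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    return bytes(236) + DHCP_MAGIC + opts + b"\x06" + bytes([len(dns)]) + dns + b"\xff"

ROGUE_OFFER = build_offer("192.168.1.77", ["85.255.112.1", "85.255.120.9"])  # constructed sample
LEGIT_OFFER = build_offer("192.168.1.1", ["192.168.1.1"])                   # constructed sample
```

On a live network the same check would be fed the option area of DHCPOFFER/DHCPACK packets captured on UDP port 68, which is where a second, unexpected responder to a client's DHCPDISCOVER shows up.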

There are several significant implications of the new technique. First of all, it also affects non-infected systems on the network. Second, it doesn't always succeed against a given system: sometimes the rogue offer wins and sometimes it doesn't, depending on how fast the network's legit DHCP server replies. This certainly makes it harder for administrators to track affected machines on larger networks. The uncontrolled nature of public wireless networks is another factor of great concern in regard to this attack.