Rogue DHCP servers
Last Updated: 2008-12-05 00:29:47 UTC
by Bojan Zdrnja (Version: 1)
Fellow researchers from Symantec posted technical details about an interesting variant of the well-known DNSChanger malware. The analysis is available at http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=1
The DNSChanger malware has been in the wild for quite some time and drew our attention previously when its authors started attacking popular ADSL modems. As the name says, the malware changes DNS server settings, typically to servers in the "popular" 85.255 network. We published several diaries about this malware; the most recent one, from Andre, is available at http://isc.sans.org/diary.html?storyid=5390.
The evolution went from changing local DNS servers in the operating system (for both Windows and Mac!) to changing DNS server settings in ADSL modems/routers/cable modems.
The malware described by Symantec goes a step further – it installs a rogue DHCP server on the network. Besides the post by Symantec, we also got notified of this malware two days ago by our reader Tim, so we can confirm that this malware is in the wild.
What does it do? The malware installs a legitimate driver, NDISProt, which allows it to send and receive raw Ethernet frames. Once the driver is installed, the malware "simulates" a DHCP server. It starts monitoring network traffic and when it sees a DHCP Discover packet it replies with its own DHCP Offer packet. As you can guess, the offered DHCP lease will contain malicious DNS servers, as shown below:
While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place – you will have to analyze network traffic to see the MAC address of those DHCP Offer packets to find out where the infected machine actually is.
As we wrote numerous times before, it's probably wise to at least monitor traffic to 22.214.171.124 – 126.96.36.199, if not block it.
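The traffic analysis described above can be scripted. The following is an added example, not part of the original diary: it parses captured Ethernet frames, pulls the source MAC address and the offered DNS servers (option 6) out of each DHCP Offer, and reports offers that come from an unexpected MAC or hand out unexpected resolvers. The function names, the trusted MAC/DNS sets and the `build_offer` helper that constructs sample frames are assumptions for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options

def parse_dhcp_reply(frame):
    """Parse an Ethernet/IPv4/UDP frame sent from port 67; None if not DHCP."""
    if len(frame) < 282 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    udp = 14 + (frame[14] & 0x0F) * 4          # honour the IPv4 header length
    if struct.unpack("!H", frame[udp:udp + 2])[0] != 67:
        return None
    opt = udp + 8 + 240                         # UDP header + fixed BOOTP part
    if frame[opt - 4:opt] != MAGIC_COOKIE:
        return None
    info = {"src_mac": frame[6:12].hex(":"), "msg_type": None, "server_id": None, "dns": []}
    while opt + 1 < len(frame) and frame[opt] != 255:
        code, length = frame[opt], frame[opt + 1]
        if code == 0:                           # pad option has no length byte
            opt += 1
            continue
        val = frame[opt + 2:opt + 2 + length]
        if len(val) < length:                   # truncated option: stop parsing
            break
        if code == 53 and length == 1:          # DHCP message type (2 = Offer)
            info["msg_type"] = val[0]
        elif code == 54 and length == 4:        # server identifier
            info["server_id"] = str(ipaddress.IPv4Address(val))
        elif code == 6:                         # offered DNS servers
            info["dns"] = [str(ipaddress.IPv4Address(val[i:i + 4])) for i in range(0, length - length % 4, 4)]
        opt += 2 + length
    return info

def rogue_offers(frames, trusted_macs, trusted_dns):
    """Return (source MAC, server id, unexpected DNS) for suspicious DHCP Offers."""
    alerts = []
    for info in filter(None, map(parse_dhcp_reply, frames)):
        bad_dns = [d for d in info["dns"] if d not in trusted_dns]
        if info["msg_type"] == 2 and (info["src_mac"] not in trusted_macs or bad_dns):
            alerts.append((info["src_mac"], info["server_id"], bad_dns))
    return alerts

def build_offer(src_mac, server_ip, dns_ips):
    """Build a constructed DHCP Offer frame (sample input, not a capture)."""
    ip4 = lambda s: ipaddress.IPv4Address(s).packed
    opts = b"\x35\x01\x02\x36\x04" + ip4(server_ip) + bytes([6, 4 * len(dns_ips)])
    bootp = b"\x02\x01\x06\x00" + bytes(232) + MAGIC_COOKIE + opts + b"".join(map(ip4, dns_ips)) + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, ip4(server_ip), ip4("255.255.255.255"))
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp
```

The source MAC in each alert is what to look up in the switch's MAC address table to locate the port of the infected machine.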