The DNSChanger malware has been in the wild for quite some time and already drew our attention when its authors started attacking popular ADSL modems. As the name says, the malware changes DNS server settings, typically to servers in the 85.255.x.x range. We published several diaries about this malware; the most recent one, from Andre, is available at http://isc.sans.org/diary.html?storyid=5390.
The evolution went from changing the local DNS servers in the operating system (for both Windows and Mac!) to changing the DNS server settings in ADSL modems, routers and cable modems.
The malware described by Symantec goes a step further – it installs a rogue DHCP server on the network. Besides the post by Symantec, our reader Tim also notified us of this malware two days ago, so we can confirm that it is in the wild.
Researchers have identified a new trojan that can tamper with a wide array of devices on a local network, an exploit that sends them to impostor websites even if they are hardened machines that are fully patched or run non-Windows operating systems.
* Jill is using the free WiFi access point at her favorite coffee shop from her infected Windows laptop.
* Steve sits down at the next table and fires up his laptop, which requests an IP address over the wireless local area network.
* Jill’s PC injects a DHCP offer command to instruct Steve’s computer to route all DNS requests through a rogue DNS server.
* Steve fires up his web browser and navigates to his favorite social networking site, but while the browser displays the correct URL name, the rogue DNS server has actually directed the browser to another site.
The same applies to any local area network (LAN) where multiple systems connect via DHCP.
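The exchange in the scenario above, as an added example that is not part of the original diary or any of the posts quoted on this page: a small inspector for DHCP server replies that parses the BOOTP header and options, extracts the DNS-server option (option 6) and the server identifier (option 54), and flags a reply as rogue when it hands out a resolver outside an allowlist or inside the 85.255.112.0/20 range named on this page. It also models the race the scenario depends on: a client takes the first OFFER matching its transaction id, whoever sent it. The allowlist, the MAC and IP addresses and the packet bytes are all constructed here for illustration.

```python
# Added example; not code from the diary, Symantec, The Register or the forum posts.
# Addresses, allowlist and packets are constructed test data, not captures.
import ipaddress
import struct

# Constructed allowlist: the resolvers the legitimate DHCP server is expected to offer.
ALLOWED_DNS = {ipaddress.ip_address("192.168.1.1")}
# Range reported on this page as used by the DNSChanger family; treated as a known-bad indicator.
KNOWN_BAD_RANGE = ipaddress.ip_network("85.255.112.0/20")

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID = 6, 53, 54
BOOTREPLY, DHCPOFFER, DHCPACK = 2, 2, 5


def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP message (the UDP payload) into header fields and a {code: value} option map."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad
            i += 1
            continue
        if code == 255:                    # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid,
            "yiaddr": ipaddress.ip_address(payload[16:20]),
            "siaddr": ipaddress.ip_address(payload[20:24]),
            "chaddr": payload[28:28 + hlen].hex(":"),
            "options": options}


def dns_servers(msg: dict) -> list:
    """Option 6 is a concatenation of 4-byte IPv4 addresses."""
    raw = msg["options"].get(OPT_DNS, b"")
    return [ipaddress.ip_address(raw[j:j + 4]) for j in range(0, len(raw) - len(raw) % 4, 4)]


def assess_reply(payload: bytes, allowed=ALLOWED_DNS) -> dict:
    """Verdict for one server reply: which resolvers it pushes and why it is (or is not) rogue."""
    msg = parse_dhcp(payload)
    mtype = msg["options"].get(OPT_MSG_TYPE, b"\x00")[0]
    result = {"xid": msg["xid"], "client": msg["chaddr"], "server_id": None,
              "dns": [], "rogue": False, "reasons": []}
    if msg["op"] != BOOTREPLY or mtype not in (DHCPOFFER, DHCPACK):
        result["reasons"].append("not an OFFER/ACK from a server; ignored")
        return result
    sid = msg["options"].get(OPT_SERVER_ID)
    if sid and len(sid) == 4:
        result["server_id"] = str(ipaddress.ip_address(sid))
    if result["server_id"] in (None, "0.0.0.0"):
        # Without a usable server identifier the reply can only be attributed by the
        # Ethernet/IP source of the frame, which this payload-level parser never sees.
        result["reasons"].append("server identifier missing or 0.0.0.0; attribute by frame source")
    for s in dns_servers(msg):
        result["dns"].append(str(s))
        if s in KNOWN_BAD_RANGE:
            result["rogue"] = True
            result["reasons"].append(f"DNS server {s} is inside known-bad range {KNOWN_BAD_RANGE}")
        elif s not in allowed:
            result["rogue"] = True
            result["reasons"].append(f"DNS server {s} is not an allowlisted resolver")
    return result


def build_offer(xid: int, yiaddr: str, server: str, dns: list, client_mac: str) -> bytes:
    """Construct a minimal DHCPOFFER payload (test data built here, not a capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)  # op, htype=Ethernet, hlen, hops, xid, secs, flags
    hdr += bytes(4)                                                 # ciaddr
    hdr += ipaddress.ip_address(yiaddr).packed                      # yiaddr: the address being offered
    hdr += ipaddress.ip_address(server).packed                      # siaddr
    hdr += bytes(4)                                                 # giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")  # chaddr
    hdr += bytes(64) + bytes(128)                                   # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server).packed
    dns_bytes = b"".join(ipaddress.ip_address(d).packed for d in dns)
    opts += bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes + b"\xff"
    return hdr + MAGIC_COOKIE + opts


def client_accepts(replies: list, xid: int):
    """Model the race: the client takes the first OFFER whose xid matches its DISCOVER, whoever sent it."""
    for r in replies:
        m = parse_dhcp(r)
        if m["xid"] == xid and m["options"].get(OPT_MSG_TYPE, b"\x00")[0] == DHCPOFFER:
            return assess_reply(r)
    return None


# Constructed sample: Steve's DISCOVER (xid 0x1234) draws two offers on the same LAN,
# one from the real server (192.168.1.1) and one from Jill's infected laptop (192.168.1.23).
STEVE_MAC = "00:11:22:33:44:55"
LEGIT_OFFER = build_offer(0x1234, "192.168.1.50", "192.168.1.1", ["192.168.1.1"], STEVE_MAC)
ROGUE_OFFER = build_offer(0x1234, "192.168.1.50", "192.168.1.23",
                          ["85.255.112.36", "85.255.112.41"], STEVE_MAC)

if __name__ == "__main__":
    for name, offers in (("rogue first", [ROGUE_OFFER, LEGIT_OFFER]),
                         ("legit first", [LEGIT_OFFER, ROGUE_OFFER])):
        v = client_accepts(offers, 0x1234)
        print(name, "->", "ROGUE" if v["rogue"] else "ok", v["dns"], v["reasons"])
```

To use this against real traffic, feed `assess_reply` the UDP payload of frames captured on port 67/68 (from a pcap or a raw socket) and alert on any reply whose server identifier is not your DHCP server's address or whose verdict is rogue; the same check run on a monitoring port sees the rogue offer even when the victim accepted it first.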
There are several countermeasures users can take, Schmugar said, the easiest being hard-coding a DNS server in a machine's configuration settings.
(In Windows, this can be done by going to Start > Control Panel > Network Connections and right clicking on Local Area Connection and choosing properties. Scroll down to Internet Protocol (TCP/IP) and click the Properties button. Then type in the primary and secondary for your DNS service. We’re partial to OpenDNS, whose settings are 208.67.222.222 and 208.67.220.220.)
Researchers indeed found a new Trojan that changes the DNS servers of all machines in a given network by sending malicious DHCP packets. Whenever one of the machines has been infected, it opens a malicious DHCP server there. It sends packets to all other machines on the network, hoping its malicious packets are accepted before the legitimate ones from the real DHCP server.
If this Trojan.Flush.M attack is successful, all computers start to use the following two nameservers, 85.255.112.36 and 85.255.112.41, which basically means redirecting to whatever they want to redirect to. The mentioned nameservers have been used before by Zlob and Mac OS X DNS-changer malware. This is not something theoretical, because the attack has been noticed taking place in the wild… System admins are being advised to either monitor or block all traffic from and to 85.255.112.0 – 85.255.127.255.
Yep, this is for real, and the only sure-fire way is to change the username and password for your router. There is a thread on the forum from not long ago where the same problem was explored: http://forum.avast.com/index.php?topic=40618.msg340754#msg340754
Absolutely, I find this type of blocking (IP addresses) to be futile, as you will always be shooting at a moving target. Your blocking log gets very large, possibly unwieldy, and probably with many redundant entries.
This is pretty much the same as what used to be practised in adding email addresses to a spam filter blacklist, a bit of a waste of time. With the right tools you don't have to maintain this type of list; my anti-spam has a blacklist function, it is empty, I let MailWasher do its job.
My firewall has the ability to block IPs; that too is empty. I allow OpenDNS to do its job and also hope Firefox's anti-phishing will get in on the act, along with NoScript, Web Shield and the Network Shield, and a healthy dose of common sense.
Add to that DropMyRights on all internet facing applications and a good back-up and recovery strategy, should all of the above fail.
And strangely enough, Bob, I wasn't talking specifically about browsing on the internet in relation to blocking IPs in my firewall (in the same way you are blocking in the router), just that it can be a moving target and could get to be a large range of IPs that has to be checked against on all internet access.
Well, blocking IPs according to range, or even country for that matter, done according to updated blacklists in a structured way, is a method that has existed for quite a long time now, and seems to hurt miscreants, because questionable hosters have similar origins.
I have confirmed this problem on an XP Pro SP3 VM I was using. I am not convinced it is a trojan. It is probably a rootkit of some kind. Somehow it both sets up a rogue DHCP server and constantly changes the local preferred DNS to 85.255.112.36 (even if you manually set it in network properties). NOD32 and Kaspersky don't pick up anything unusual, and dhcploc (on a separate computer) notes that there is a rogue DHCP server, but for some reason it cannot lock onto its exact IP address. I get a bunch of this:
01:02:14 ACK (IP)0.0.0.0 ***
If anyone has any ideas please share them. I am intrigued about how this program pulls this off, and what files it is hooked onto to stay hidden.