<>bTrend Micro has detected a new DNS changing form of malware which poisons other hosts on the local subnet installing a rogue Dynamic Host Configuration Protocol (DHCP}server on the network.
Technical Communications spokesperson JM Hipolito explained that the DHCP is a protocol used to disseminate required information to network clients in order to operate within an IP network.
Once a user connects to a network, it will send a request to a DHCP server (the method is spelled out in the DHCP protocol specification). When the request is received, the server in turn will assign IP parameters to the client, enabling the client to operate within the network.
Once the malware is installed, the system is turned into a DHCP server that monitors traffic and intercepts request packets from other computers in the network. It then replies to intercepted requests with packets containing malicious DNS servers. This causes the recipients of the malicious packets to be redirected to malicious sites without their consent.
Trend Micro reported that researchers at the SANS Internet Storm Center revealed that the technique does not have a 100 per cent success rate. Once a client sends a request to an affected system, both the rogue and legitimate DHCP server will receive the request. It will only be a matter of which server will reply faster, and if the client will receive a malicious packet or not.
Trend Micro advanced threats researcher Feike Hacquebord reported that advertisements placed in websites are replaced with other advertisements that connect to the IP addresses used by the cybercriminals. Since this happens outside the network of advertising companies, they almost certainly cannot detect this click fraud scheme.
Also, once the user clicks one of these targeted ads and gets connected to the cybercriminals' crafted site, any personal information they enter into the site will most probably be leaked to this scheme's perpetrator. Hacquebord claimed that the estimated number of victims by this kind of threat have reached more than a million for November alone.
See original article on scmagazineus.com
New DNS changing malware detected
By Dan Raywood on Dec 12, 2008 11:13AM