Flush.M Trojan can fake DHCP Server
A new threat named Flush.M is currently causing havoc because of its ability to fake a DHCP server. The trojan runs a DHCP server on each infected machine and uses it to re-assign the DNS servers used by the other computers on the network.
As you already know, DNS is used to translate a web address into an IP Address. This IP address is in turn the address of the server hosting the website.
How Does Flush.M impact me as an End User?
In order to understand the impact, you first need to know how DNS address translation happens.
1.) User types in a URL in the browser. This URL now needs to be translated to an IP Address.
2.) The query for the IP Address is sent to the local DNS name server, which does the lookup and sends back the IP Address for the URL hostname. If the local DNS name server doesn't have a record for the hostname, it either asks the servers further up the chain (the root servers, top-level servers, etc.) or sends the client a referral to the next server to contact (this depends on the configuration of the name server).
3.) Once the IP Address is returned by the DNS server, the browser connects to the IP Address in order to get the content.
The above steps describe, at a macro level, how an address translation usually happens.
Now the infected case. When a computer boots, it tries to obtain or renew its IP Address by first discovering a DHCP server. On a network where another computer is already infected with the Flush.M trojan, the fake DHCP server sends an OFFER packet back, claiming to be the network's DHCP server. The clean machine then takes the IP Address and the DNS settings handed out by the fake DHCP server.
Now, let's walk through what happens when a computer affected by Flush.M tries to get the IP Address for the hostname in a URL.
1.) User types in a URL in the browser. This URL now needs to be translated to an IP Address.
2.) The query for getting the IP Address is sent to a poisoned DNS server which does the lookup and sends back an IP Address for the URL hostname. The IP Address returned by the Poisoned DNS Server is the IP Address of the Fake Server hosting a clone of the website you intend to visit.
3.) Browser connects to the cloned website. User ends up giving out sensitive details like Userid/password etc.
Because the cloned website is an exact replica of the original, it is usually very difficult for the end user to tell the difference.
Some basic tips to stay safe from such incidents:
1.) Always have good anti-virus software installed on your machine. You can read about the best free anti-virus software at Top 3 FREE Antivirus Applications.
2.) Complement your Anti-virus software with a good Anti-Spyware application. Read more at Best Anti-Spyware Applications.
3.) Ensure that your DNS Server is patched against the recently found vulnerability. Read more about how to test at Is your DNS patched against the recent Vulnerability? If the results of the tests are poor, prefer using OpenDNS.
4.) As an immediate check, verify whether your DNS server setting points to 85.255.112.36 or 85.255.112.41. As a further step, you can block all traffic to the IP range 85.255.112.0 – 85.255.127.255.
5.) Ensure that your Operating System is patched and updated as per the latest release. You can read my earlier post on How to control automatic updates in Microsoft Windows.
Follow at least the 5 steps above to be a little safer than you are today.
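The check in step 4 can be automated on the DHCP side as well: the example below, added here and not part of the original post or the trojan itself, decodes a DHCP OFFER/ACK packet, pulls the DNS servers out of option 6, and flags any that fall in the 85.255.112.0 – 85.255.127.255 range (which is exactly 85.255.112.0/20). The sample OFFER packets are constructed in memory for the demonstration, not captured from a real network.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Range the post says to block: 85.255.112.0 - 85.255.127.255, i.e. 85.255.112.0/20.
ROGUE_DNS_RANGE = IPv4Network("85.255.112.0/20")
DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 6, 53, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def is_rogue_dns(ip: str) -> bool:
    """True if a resolver address lies in the range the post tells readers to block."""
    return IPv4Address(ip) in ROGUE_DNS_RANGE


def parse_dhcp(packet: bytes) -> dict:
    """Decode the BOOTP header fields and the DHCP option TLVs we care about."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == OPT_PAD:            # single-byte padding, no length field
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    dns = options.get(OPT_DNS, b"")
    return {
        "msg_type": MSG_TYPES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN"),
        "yiaddr": IPv4Address(packet[16:20]),    # address being offered to the client
        "siaddr": IPv4Address(packet[20:24]),    # server the offer claims to come from
        # option 6 carries one or more 4-byte resolver addresses
        "dns": [IPv4Address(dns[j:j + 4]) for j in range(0, len(dns) // 4 * 4, 4)],
    }


def rogue_dns_servers(packet: bytes) -> list:
    """DNS servers handed out by an OFFER/ACK that fall in the blocked range."""
    info = parse_dhcp(packet)
    if info["msg_type"] not in ("OFFER", "ACK"):
        return []
    return [str(ip) for ip in info["dns"] if ip in ROGUE_DNS_RANGE]


def build_offer(dns_servers, yiaddr="192.168.1.50", siaddr="192.168.1.1") -> bytes:
    """Constructed sample OFFER (not a real capture) used only to exercise the check."""
    header = struct.pack("!BBBB4sHH4s4s4s4s16s64s128s", 2, 1, 6, 0, b"\x12\x34\x56\x78",
                         0, 0x8000, b"\0" * 4, IPv4Address(yiaddr).packed,
                         IPv4Address(siaddr).packed, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    dns = b"".join(IPv4Address(ip).packed for ip in dns_servers)
    options = bytes([OPT_MSG_TYPE, 1, 2, OPT_DNS, len(dns)]) + dns + bytes([OPT_END])
    return header + DHCP_MAGIC + options


FAKE_OFFER = build_offer(["85.255.112.36", "85.255.112.41"])   # resolvers named in the post
LEGIT_OFFER = build_offer(["192.168.1.1"])                      # router handing out itself as DNS
```

On a live network the same `rogue_dns_servers()` check can be run over OFFER/ACK packets captured on UDP port 68, alerting whenever a lease arrives with a resolver in the blocked range.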
You can follow me on Twitter at http://twitter.com/vaibhav1981