CYBERSPACE — A new malware attack capable of compromising a variety of networked devices — even ones that are hardened or don’t utilize a Windows operating system — has security experts worried.A new variant of Trojan.Flush.M, a malicious DNS hijacker first discovered in December, takes over entire networks by establishing a rogue dynamic host configuration protocol server on a networked host. Other devices sharing the same LAN are tricked into using a malicious domain name server which routes DNS requests to expertly spoofed URLs. The subterfuge is particularly difficult to detect, because the trojan doesn’t specify a DNS domain name. Instead, it uses at least two IP addresses: 64.86.133.51 and 63.243.173.162.
The trojan also sets the DHCP lease time to one hour and sets the MAC destination to the broadcast address rather than the MAC address of the DHCP client
“This kind of malware is definitely dangerous, because it affects systems that themselves are not vulnerable,” SANS Internet Storm Center Chief Technical Officer Johannes Ullrich told The Register. “So all you need is one system infected in the network and it will affect a lot of other nonvulnerable systems.”
One potential solution is to hardwire DNS server settings into all networked apparatuses, which will cause the devices to bypass any rogue DNS servers introduced into the LAN by Trojan.Flush.M.
In addition, Ullrich recommends sysadmins “monitor connections to DNS servers other then the approved one pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses, but it will likely do little good,” because future variants undoubtedly will change IPs.
