New Variant of DHCP Malware Launches Attack
Computer security researchers are cautioning users to be wary of a fresh wave of malware attacks that compromise the security of various kinds of devices attached to a LAN (Local Area Network).
The attack involves a variant of Trojan.Flush.M, first identified in December 2008. The new variant sets up a rogue DHCP (Dynamic Host Configuration Protocol) server on the infected system. Consequently, other devices attached to the LAN are also compromised: they are directed to a malicious DNS (Domain Name System) server rather than the one the network administrator configured.
The rogue DNS server then redirects the computer to fake websites, most of which are hard to recognize as fraudulent.
Warning computer users, Johannes Ullrich, Chief Technical Officer of the SANS Internet Storm Center, states that an attacker who successfully loads the defective DHCP could track traffic and compromise request entries from the remaining systems on the LAN. This would compel computer users to visit fraudulent websites, infecting all the systems within the network, Ullrich explained, as reported by SCMAGAZINE on March 17, 2009.
Ullrich added that the chief aim of the rogue DHCP server is to disseminate a corrupt DNS server's Internet Protocol (IP) address.
Furthermore, the latest variant of the Trojan is designed to conceal the rogue DHCP server better than the earlier variants did. In addition, the new version does not hand out a specific DNS domain name, making it harder to locate the miscreants behind the malware.
Nevertheless, security experts have described techniques by which users can foil the attack. First, they should hard-code the DNS server configuration by assigning the IP settings manually on the PC or any other device attached to the network. This instructs the device to bypass the fake DNS server even if it obtains its network connection from the rogue DHCP server.
Another technique is for administrators to monitor connections to any DNS server other than the one specifically assigned to the network. A third technique is to block the DNS servers 126.96.36.199 and 188.8.131.52, which the latest variant uses for malware distribution.
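The rogue DHCP server's payload is the DNS-server address it hands out (option 6 in the DHCP OFFER), and the second and third mitigations above amount to checking that address against what the network actually assigns. The following added example (not code from the article or from SANS) parses the option TLVs of a captured DHCP OFFER and classifies it; the sanctioned DHCP server and resolver addresses, and the sample OFFER bytes, are assumed values constructed for this example.

```python
import ipaddress

# Assumed values for this example: the legitimate DHCP server and resolver.
SANCTIONED_DHCP_SERVER = "10.0.0.1"
SANCTIONED_RESOLVERS = {"10.0.0.53"}
# Resolver addresses the article reports the Trojan variant distributes.
KNOWN_ROGUE_RESOLVERS = {"126.96.36.199", "188.8.131.52"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_SERVER_ID, OPT_END = 0, 6, 54, 255

# Constructed sample option blocks: cookie, option 54 (server id), option 6 (DNS), end.
LEGIT_OFFER = MAGIC_COOKIE + b"\x36\x04\x0a\x00\x00\x01\x06\x04\x0a\x00\x00\x35\xff"
ROGUE_OFFER = MAGIC_COOKIE + b"\x36\x04\x0a\x00\x00\x2a\x06\x08\x7e\x60\x24\xc7\xbc\x08\x83\x34\xff"

def parse_options(options):
    """Return {code: value} for the option TLVs following the magic cookie."""
    if not options.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte pad, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts

def ipv4_list(raw):
    """Decode consecutive 4-byte IPv4 addresses from an option value."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def assess_offer(options):
    """Classify one OFFER: known rogue resolver, unsanctioned source/resolver, or ok."""
    opts = parse_options(options)
    servers = ipv4_list(opts.get(OPT_SERVER_ID, b""))
    resolvers = ipv4_list(opts.get(OPT_DNS, b""))
    server_ip = servers[0] if servers else None
    if any(r in KNOWN_ROGUE_RESOLVERS for r in resolvers):
        return ("known-rogue-resolver", server_ip, resolvers)
    if server_ip != SANCTIONED_DHCP_SERVER or not set(resolvers) <= SANCTIONED_RESOLVERS:
        return ("unsanctioned", server_ip, resolvers)
    return ("ok", server_ip, resolvers)
```

Feeding `assess_offer` the option bytes of every OFFER seen on the segment gives a simple rogue-DHCP alarm: any verdict other than "ok" identifies both the unexpected DHCP server and the resolver it is pushing.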
SPAMfighter News - 27-03-2009