Beware of rogue DHCP servers, warns Symantec

Stephen Withers
Monday, 08 December 2008 05:52

Your IT - Home IT

Computers on a LAN may be pharmed by rogue DHCP servers created by malware, leading to Internet traffic being diverted to bogus or otherwise malicious sites. A security vendor says attack code is in the wild.

DHCP is a mechanism commonly used to automatically assign IP addresses to computers and other devices on a local network. It also provides the client systems with the address of the DNS server(s) they should use.

Using a malicious DNS server to divert traffic to malicious sites is known as pharming. A pharmed user may type a bank URL directly into the browser (as recommended by most financial institutions), but may end up on a fake site designed to capture login details to aid in making fraudulent transactions.

According to Symantec, a Trojan it has dubbed Flush.M sets up a rogue DHCP server on the victim's PC.

When other systems on the LAN make a DHCP request to receive or renew an IP address, Flush.M responds.

If the requesting system receives Flush.M's response before that of the real DHCP server, it will start using the malicious DNS server(s) rather than those specified by the real network administrator.

This can be done by infecting just one PC on the LAN, and it can potentially divert the traffic from any other device, regardless of its operating system.

Furthermore, security software running on those other devices is unlikely to find anything wrong.

Symantec suggests network administrators should watch for DHCP offers originating from addresses other than their DHCP servers, and that they monitor or block traffic to the IP address range 85.255.112.0 to 85.255.127.255, which includes known malicious DNS servers.