AOH :: IS1836.HTM

New DNS trojan taints entire LAN from single box

New DNS trojan taints entire LAN from single box
New DNS trojan taints entire LAN from single box 

By Dan Goodin in San Francisco
The Register
16th March 2009

Internet security experts are warning of a new rash of malware attacks 
that can hijack the security settings of a wide variety of devices on a 
local area network, even when they are hardened or don't run on Windows 
operating systems.

Once activated, the trojan sets up a rogue DHCP, or dynamic host 
configuration protocol, server on the host machine. From there, other 
devices using the same LAN are tricked into using a malicious domain 
name system server, instead of the one set up by the network 
administrator. The rogue DNS server sends the devices to fraudulent 
websites that in many cases can be hard to identify as impostors.

A new variant of Trojan.Flush.M is making the rounds, Johannes Ullrich, 
CTO of the SANS Internet Storm Center warns here. It offers several 
improvements over its predecessor, which was discovered in early 
December. Among other changes, the new strain no longer specifies a DNS 
domain name, making the rogue DHCP server harder to detect.

"This kind of malware is definitely dangerous because it affects systems 
that themselves are not vulnerable" to the trojan, Ullrich told The 
Register. "So all you need is one system infected in the network and it 
will affect a lot of other nonvulnerable systems."


Best Selling Security Books and More! 

Site design & layout copyright © 1986-2015 CodeGods