Researchers recently found a new DNS-changing malware with a twist.
This new DNS Changer Trojan uses a new method to poison other hosts on the local subnet: it installs a rogue Dynamic Host Configuration Protocol (DHCP) server on the network.
DHCP is the protocol used to hand network clients the information they need to operate on an IP network. These client configuration parameters include the IP address itself, the default gateway, the default domain name, the DNS servers, and other minutiae. When a client connects to a network, it broadcasts a DHCP DISCOVER; any DHCP server that hears it can answer with an OFFER, the client then sends a REQUEST for the offer it accepted, and the chosen server confirms with an ACK (the exchange is spelled out in the DHCP specification, RFC 2131). The parameters in the accepted OFFER/ACK, including the DNS server list, are applied by the client without further verification, which is what makes a rogue server on the same broadcast domain so effective.
Once installed, this malware turns the affected system into a DHCP server. It monitors traffic, intercepts DHCP requests from other computers on the network, and replies to them with packets that list malicious DNS servers. A recipient that accepts the rogue reply resolves every domain name through the attacker's servers and is redirected to malicious sites without its consent, even though the malware never touched that machine.
Researchers at the SANS Internet Storm Center (ISC) noted that this technique does not have a 100% success rate. A client's DHCP request is a broadcast, so both the rogue and the legitimate DHCP server receive it, and whichever server replies faster decides whether the client ends up with the malicious DNS settings or the correct ones. Don't be fooled by the imperfect infection rate, though: the inconsistency makes life harder for network administrators, who must trace compromised clients one by one rather than assume every host on the segment is affected. Furthermore, once a single system on a network is infected, every other system on that network is at risk of being redirected to malicious websites, whether or not it ever runs the malware itself.
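As an added illustration (this is example code written for this article, not the malware or any Trend Micro tool), the following Python script parses raw DHCP payloads, groups server replies by transaction id, and flags the three things a defender would look for after reading the above: an OFFER/ACK whose server identifier (option 54) is not an approved DHCP server, a reply that hands out DNS servers (option 6) outside the approved list, and a transaction answered by more than one server, which is exactly the race between the real and the rogue server. The packets, the approved-server list and all addresses are constructed for the example; in practice the payloads would come from a capture of UDP port 67/68 traffic.

```python
"""Added example: audit DHCP server replies for a rogue server on the segment.
Sample traffic and addresses below are constructed, not captured."""
import struct
import ipaddress
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131 marker preceding the options field
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ip4(text):
    """Dotted-quad string -> 4 packed bytes."""
    return ipaddress.IPv4Address(text).packed


def build_dhcp(op, xid, yiaddr, options):
    """Build a minimal RFC 2131 message; used here only to construct sample traffic."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,            # op, htype, hlen, hops, xid, secs, flags
                         b"\0" * 4, ip4(yiaddr), b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
                         b"\0" * 16, b"\0" * 64, b"\0" * 128)           # chaddr, sname, file
    body = b"".join(bytes([code, len(data)]) + data for code, data in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_dhcp(packet):
    """Return xid, message type, server identifier and DNS list from a DHCP payload."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    xid = struct.unpack("!I", packet[4:8])[0]
    opts = {}
    i = 240
    while i < len(packet):                  # TLV walk with bounds checks
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = data
        i += 2 + length
    msg_type = MSG_NAMES.get(opts.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN")
    server_id = str(ipaddress.IPv4Address(opts[OPT_SERVER_ID])) if OPT_SERVER_ID in opts else None
    dns_raw = opts.get(OPT_DNS, b"")
    dns = tuple(str(ipaddress.IPv4Address(dns_raw[k:k + 4])) for k in range(0, len(dns_raw) - 3, 4))
    return {"xid": xid, "type": msg_type, "server_id": server_id, "dns": dns,
            "yiaddr": str(ipaddress.IPv4Address(packet[16:20]))}


def audit_dhcp_replies(packets, approved_servers, approved_dns):
    """Flag replies from unapproved server ids, replies handing out unapproved DNS
    servers, and transaction ids answered by more than one server (the race)."""
    findings = []
    servers_by_xid = defaultdict(set)
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] not in ("OFFER", "ACK"):
            continue                        # only server replies configure the client
        servers_by_xid[msg["xid"]].add(msg["server_id"])
        if msg["server_id"] not in approved_servers:
            findings.append(("unapproved_server", msg["xid"], msg["server_id"]))
        bad_dns = tuple(d for d in msg["dns"] if d not in approved_dns)
        if bad_dns:
            findings.append(("unapproved_dns", msg["xid"], bad_dns))
    for xid, servers in servers_by_xid.items():
        if len(servers) > 1:
            findings.append(("race", xid, tuple(sorted(servers))))
    return findings


# Constructed sample: the real gateway and an infected host both answer one DISCOVER.
LEGIT, ROGUE, ROGUE_DNS = "192.168.1.1", "192.168.1.77", "203.0.113.5"   # assumed addresses
SAMPLE_PACKETS = [
    build_dhcp(1, 0x1234ABCD, "0.0.0.0", [(OPT_MSG_TYPE, b"\x01")]),                 # client DISCOVER
    build_dhcp(2, 0x1234ABCD, "192.168.1.50", [(OPT_MSG_TYPE, b"\x02"),              # legitimate OFFER
                                               (OPT_SERVER_ID, ip4(LEGIT)), (OPT_DNS, ip4(LEGIT))]),
    build_dhcp(2, 0x1234ABCD, "192.168.1.50", [(OPT_MSG_TYPE, b"\x02"),              # rogue OFFER, same xid
                                               (OPT_SERVER_ID, ip4(ROGUE)), (OPT_DNS, ip4(ROGUE_DNS))]),
    build_dhcp(2, 0x0000BEEF, "192.168.1.51", [(OPT_MSG_TYPE, b"\x02"),              # clean transaction
                                               (OPT_SERVER_ID, ip4(LEGIT)), (OPT_DNS, ip4(LEGIT))]),
]

if __name__ == "__main__":
    for finding in audit_dhcp_replies(SAMPLE_PACKETS, {LEGIT}, {LEGIT}):
        print(finding)
```

Run against a real capture, the "race" finding is the most useful one: it points at the exact transaction where a client may have taken the wrong offer, and the unapproved server identifier in that transaction is the IP (and, from the Ethernet frame, the MAC) of the infected host to go clean. Note that a rogue server does not have to win the race on every transaction; any host that renews its lease while the infected machine is awake gets another roll of the dice, which is why the audit should run continuously rather than once.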
Rogue DNS networks have previously been used for stealth click-fraud schemes against ad companies such as Google Ads and ad.doubleclick.net. Because the attacker controls name resolution on the victim, the advertisements placed on websites are replaced with other advertisements served from IP addresses the cybercriminals control. Trend Micro Advanced Threats Researcher Feike Hacquebord reports that, since the substitution happens outside the advertising companies' own networks, they almost certainly cannot detect this click-fraud scheme.
Another risk is that once the user clicks one of these targeted ads and lands on the cybercriminals' crafted site, any personal information they enter there will most probably end up with the scheme's perpetrators.
Hacquebord also reports that the targeted domains, which resolve to the malicious IP addresses when accessed through the rogue DNS servers, include popular sites associated with Google, Yahoo!, and Microsoft Live. He also states that the estimated number of victims of this kind of threat has reached more than a million for November alone.
Of course, there will most certainly be variants, and variations, of this crimeware, but the Trend Micro Smart Protection Network already protects Trend Micro customers from these threats, and we are continually adding intelligence to the Smart Protection Network around the clock to make it the best protection technology available. Anywhere.