DNS Pharming Attacks Using Rogue DHCP
#1
05.12.2008, 17:57
Fugitif
DNS Pharming Attacks Using Rogue DHCP


Quote:
Following Dan Kaminsky’s research on DNS insecurities, we saw attackers racing with their DNS servers to hijack network connections. It was only a matter of time before the bad guys decided that racing against DNS was not enough.

DHCP is a widely used network protocol that has been around for a while—it’s used to automatically assign IP addresses on a local network. When you connect your laptop on the wireless router at your home or to your office network, it is most likely that a DHCP server assigns an IP address to your machine and will provide all of the important parameters such as a gateway IP and DNS servers. The DHCP protocol is simple, transparent, and efficient for end users, but it is also non-secure. There’s nothing new and sensational in that statement, because it’s something well known and is really just a lack of authentication. Wikipedia has a pretty good description of common DHCP attacks.

“Having been standardized before network security became a significant issue, the basic DHCP protocol includes no security features, and is potentially vulnerable to two types of attacks… (1) Unauthorized DHCP Servers… (2) Unauthorized DHCP Clients…”

The “Unauthorized DHCP Servers” attack is the main topic of this blog, and the real (bad) news is that today we found malicious code in the wild that actively uses this attack, with the aim of hijacking the DNS configurations of other machines on the same local network. The malicious code is named Trojan.Flush.M.

The idea is simple and evil at the same time: a Trojan installed on an infected machine runs a rogue DHCP server on the local network and serves bogus DHCP packets to other machines when they request a new IP configuration. If the Trojan is fast enough in sending out these DHCP packets, with some luck it can modify the network configuration of other computers. The basic principle of this attack is also described in this Wikipedia article.
Quote:
The above network capture shows in detail what’s happening on a network with only a single machine (address 192.168.91.129) infected with Trojan.Flush.M. When a second, clean, machine (address 192.168.91.132) is renewing its IP address (e.g., ipconfig /release and ipconfig /renew on a Windows system) it sends a DHCP RELEASE packet and then tries to discover the DHCP server to get the new IP configuration. The configuration requested will have all the vital information that any device (PC, Mac, Smartphone, etc.) needs to access the Internet, including the address of DNS servers.

On a clean network we should only see one DHCP OFFER packet sent from the legitimate DHCP Server (192.168.91.254) to the clean machine. This packet is shown in the above capture at entry number 7. However, as shown in the capture, there’s another DHCP OFFER packet (at number 3) that has been sent by the infected machine only a moment earlier. The following diagram provides a clearer picture of what’s happening on this network:
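A defender-side check for the OFFER race the quoted capture describes, added here as an example that is neither part of the post nor Symantec's material: it parses raw DHCP payloads, flags every OFFER whose server identifier (option 54) is not a trusted DHCP server, and reports the DNS servers (option 6) such an offer would push to clients. The two sample offers, their transaction id and the DNS addresses in the rogue offer are constructed; only the host addresses come from the post.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie, follows the 236-byte BOOTP header
DHCP_OFFER = 2                # option 53 value for an OFFER
def ip_str(b):
    return ".".join(str(x) for x in b)

def build_offer(xid, server, dns_servers):
    """Constructed DHCP OFFER (UDP payload only) used as sample input, not captured traffic."""
    ip = lambda s: bytes(int(x) for x in s.split("."))   # dotted quad -> 4 bytes
    bootp = struct.pack("!BBBBI", 2, 1, 6, 0, xid) + bytes(228)   # op=BOOTREPLY, htype=Ethernet
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + ip(server)
    opts += bytes([6, 4 * len(dns_servers)]) + b"".join(ip(d) for d in dns_servers)
    return bootp + MAGIC + opts + b"\xff"

def parse_dhcp(payload):
    """Parse the BOOTP header and DHCP options; returns (xid, {code: value}) or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # 0 = pad option, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return xid, opts

def find_rogue_offers(payloads, trusted_servers):
    """Return [(xid, server_ip, [dns_ip, ...])] for every OFFER not sent by a trusted DHCP server."""
    alerts = []
    for payload in payloads:
        parsed = parse_dhcp(payload)
        if parsed is None or parsed[1].get(53) != bytes([DHCP_OFFER]):
            continue
        xid, opts = parsed
        server = ip_str(opts.get(54, b""))
        dns_blob = opts.get(6, b"")
        dns = [ip_str(dns_blob[k:k + 4]) for k in range(0, len(dns_blob), 4)]
        if server not in trusted_servers:
            alerts.append((xid, server, dns))
    return alerts

# Constructed sample mirroring the post's capture: the rogue OFFER from the infected host
# (192.168.91.129) arrives just before the legitimate one; its DNS addresses are placeholders.
SAMPLE = [build_offer(0x3903F326, "192.168.91.129", ["203.0.113.10", "203.0.113.11"]),
          build_offer(0x3903F326, "192.168.91.254", ["192.168.91.2"])]
TRUSTED = {"192.168.91.254"}
```

The same check can be run on a live interface by feeding it the UDP payloads of port 67/68 traffic; an OFFER from an unexpected server identifier, or two OFFERs with the same xid from different servers, is the signal the post's capture shows.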