New Trojan Attacks DNS en masse
A new Trojan that can tamper with multiple devices on a local network has been found by security researchers. The malware sends users to impostor websites even if their machines are fully protected by security software, or run non-Windows operating systems.
The malware is a spin-off of the DNSChanger Trojan, which researchers say is known to change the DNS settings of users’ systems. Researchers from McAfee Avert Labs claim the updated Trojan lets a single infected system pollute the DNS settings of every computer connected to the same local network by subverting the network’s Dynamic Host Configuration Protocol (DHCP), the service that dynamically allocates IP addresses.
Craig Schmugar from McAfee said: “Systems that are not infected with the malware can still have the payload of communicating with the rogue DNS servers delivered to them. This is achieved without exploiting any security vulnerability.”
This Trojan is quite frightening. Imagine, for example, that you take your laptop to an internet café and it is infected by the new version of DNSChanger.
Another user comes in and connects to the same network, asking for an IP address. Your infected laptop injects a DHCP offer that instructs the new user’s laptop to route all DNS requests through a dodgy DNS server. The new user cannot use his laptop to reach trusted sites, because what he sees may be an impostor site.
A user can take steps to avoid the Trojan. Schmugar suggests hard-coding a DNS server in a system’s configuration settings. On a Windows PC or laptop you can do this by going into Network Connections (in Control Panel), scrolling down to Internet Protocol (TCP/IP), clicking Properties, and then typing in the primary and secondary DNS server addresses for your DNS service.
Schmugar said that “the DHCP attack doesn’t exploit a vulnerability in either users’ machines or network hardware”, which allows it to work with a wide variety of everyday home routers. The Trojan uses an ndisprot.sys driver installed on the infected system. It then sets up camp, monitors network traffic for DHCP requests, and answers them with false information that contains the IP address of the rogue DNS server.
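A defender-side check for the behaviour described above, added here as an example and not part of the original report or McAfee’s analysis: it parses DHCP OFFER/ACK payloads (the UDP body) and flags any whose server identifier (option 54) or handed-out DNS servers (option 6) are not on an allowlist, which is exactly what a rogue offer from an infected host would trip. The allowlist addresses and the sample packet are constructed assumptions.

```python
import struct
from ipaddress import IPv4Address
# Allowlists (assumed values): the site's real DHCP server and the DNS resolvers it should hand out.
AUTHORIZED_DHCP_SERVERS = {"192.168.1.1"}
EXPECTED_DNS_SERVERS = {"192.168.1.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"  # BOOTP vendor cookie that starts the DHCP options

def parse_dhcp(payload: bytes) -> dict:
    """Parse a BOOTP/DHCP UDP payload into its fixed fields and a {code: value} option map."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(IPv4Address(payload[16:20]))  # address being offered to the client
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:  # 255 = end of options
        code = payload[i]
        if code == 0:  # single-byte pad
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}

def ip_list(raw: bytes) -> list:
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def check_offer(payload: bytes) -> list:
    """Return alert strings for an OFFER/ACK whose server or DNS option is off the allowlist."""
    pkt = parse_dhcp(payload)
    opts = pkt["options"]
    if opts.get(53, b"\x00")[0] not in (2, 5):  # only OFFER (2) and ACK (5) carry config
        return []
    alerts = []
    server_id = ip_list(opts[54])[0] if 54 in opts else "unknown"
    if server_id not in AUTHORIZED_DHCP_SERVERS:
        alerts.append(f"xid={pkt['xid']:#x}: DHCP server {server_id} is not authorized")
    for dns in ip_list(opts.get(6, b"")):
        if dns not in EXPECTED_DNS_SERVERS:
            alerts.append(f"xid={pkt['xid']:#x}: offered DNS server {dns} is unexpected")
    return alerts

def build_offer(server_id: str, dns: str, xid: int = 0x1234) -> bytes:
    """Constructed sample OFFER (not a real capture) used to exercise check_offer()."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, ethernet, secs, flags
    hdr += b"\x00" * 4 + IPv4Address("192.168.1.50").packed + b"\x00" * 8  # ciaddr, yiaddr, siaddr, giaddr
    hdr += b"\x00" * (16 + 64 + 128)  # chaddr, sname, file
    opts = b"\x35\x01\x02" + b"\x36\x04" + IPv4Address(server_id).packed  # type=OFFER, server id
    opts += b"\x06\x04" + IPv4Address(dns).packed + b"\xff"  # DNS servers option, end marker
    return hdr + DHCP_MAGIC + opts
```

Run the same check over DHCP traffic captured from a mirror port; a legitimate offer yields no alerts, while one carrying an unknown server identifier or DNS address yields one alert per deviation.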
Although the malware is not widespread, it is rather worrying that this kind of Trojan is on the horizon, and you can only imagine the chaos that would ensue if it got into a large corporation’s network.