The SANS Internet Storm Centre has reported a new version of the Flush.M DHCP server malware that first surfaced last December (2008). Whilst this won’t affect home users (unless you’re running a separate DHCP server), businesses may be at risk. The ISC state:
Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address.
Irwin did a good job comparing the two versions. Here is his summary of the differences:
- The new version sets the DHCP lease time to 1 hour.
- It sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client.
- It does not specify a DNS Domain Name.
- The options field does not contain an END option followed by PAD options.
- Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.
The malicious DNS servers are 64.86.133.51 and 63.243.173.162.
The recommendation is to monitor for connections being made to DNS servers other than the ones your DHCP server is providing. If you’re concerned about DHCP, DNS or malware protection then call Cork Technology Services on 023 88 39496 today.
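One way to act on that recommendation is to compare the destination of every port-53 flow leaving your network against the resolvers your own DHCP server hands out, and to raise a higher-severity alert when the destination is one of the two addresses named in the ISC diary above. The script below is an added example written for this post, not code from the ISC or from Cork Technology Services; the flow-log format, the sample flow lines and the "legitimate" resolver addresses (192.168.1.1 and 192.168.1.2) are constructed for the demonstration and should be replaced with your own export format and your DHCP configuration.

```python
"""
Flag DNS traffic to resolvers other than the ones your DHCP server provides.

Added example for this post (not ISC or vendor code). The flow-log format,
sample records and allowed resolver addresses below are constructed.
"""
from ipaddress import ip_address

# Resolvers your legitimate DHCP server advertises (constructed values;
# take these from your real DHCP configuration).
DHCP_PROVIDED_DNS = {"192.168.1.1", "192.168.1.2"}

# DNS server addresses named in the ISC diary for this Flush.M variant.
KNOWN_MALICIOUS_DNS = {"64.86.133.51", "63.243.173.162"}

# Constructed sample flow records: timestamp src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
2009-03-02T10:01:05 192.168.1.50 192.168.1.1 udp 53
2009-03-02T10:01:06 192.168.1.50 64.86.133.51 udp 53
2009-03-02T10:01:07 192.168.1.51 8.8.8.8 udp 53
2009-03-02T10:01:08 192.168.1.51 192.168.1.2 tcp 53
2009-03-02T10:01:09 192.168.1.52 10.0.0.9 tcp 443
2009-03-02T10:01:10 192.168.1.53 63.243.173.162 udp 53
2009-03-02T10:01:11 192.168.1.54 not-an-ip udp 53
"""


def parse_flow(line):
    """Parse one space-separated flow record; raises ValueError if malformed."""
    fields = line.split()
    if len(fields) != 5:
        raise ValueError("expected 5 fields, got %d" % len(fields))
    ts, src, dst, proto, port = fields
    ip_address(src)  # validate addresses; raises ValueError on garbage
    ip_address(dst)
    return {"ts": ts, "src": src, "dst": dst, "proto": proto.lower(), "port": int(port)}


def classify_dns_flow(flow, allowed=DHCP_PROVIDED_DNS, malicious=KNOWN_MALICIOUS_DNS):
    """Return None for non-DNS or expected traffic, otherwise an alert severity."""
    if flow["port"] != 53 or flow["proto"] not in ("udp", "tcp"):
        return None
    dst = flow["dst"]
    if dst in allowed:
        return None
    if dst in malicious:
        return "high"    # resolver address reported by the ISC
    return "medium"      # any other resolver the DHCP server never handed out


def find_rogue_dns(log_text, allowed=DHCP_PROVIDED_DNS, malicious=KNOWN_MALICIOUS_DNS):
    """Return a list of (severity, src, dst, timestamp) for unexpected DNS flows."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            continue  # skip malformed records rather than crash the monitor
        severity = classify_dns_flow(flow, allowed, malicious)
        if severity is not None:
            alerts.append((severity, flow["src"], flow["dst"], flow["ts"]))
    return alerts


def hosts_by_resolver(alerts):
    """Group alerting source hosts by the unexpected resolver they contacted."""
    grouped = {}
    for _severity, src, dst, _ts in alerts:
        grouped.setdefault(dst, set()).add(src)
    return grouped


if __name__ == "__main__":
    found = find_rogue_dns(SAMPLE_FLOWS)
    for severity, src, dst, ts in found:
        print("%s %-6s %s -> %s" % (ts, severity.upper(), src, dst))
    for resolver, hosts in hosts_by_resolver(found).items():
        print("resolver %s used by %d host(s)" % (resolver, len(hosts)))
```

A "medium" hit is not proof of infection (a host with a manually configured public resolver will also show up), but a cluster of internal hosts suddenly querying a resolver your DHCP server never advertised, and especially one of the two addresses above, is exactly the pattern a rogue DHCP server produces and is worth checking against the DHCP offers seen on that segment.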