That’s Not My DHCP Server! Phishing With TNT

This is an interesting twist on attackers infiltrating a network to harvest usernames and passwords to financial sites.  As I wrote here in March of 2007, some attackers were using Windows DNS to implant false proxies to clients.  Now some malware includes the software to turn a local PC into a DHCP server, and as such, it will try to respond to DHCP broadcasts and issue IP’s and more importantly, DNS information to the requesting host.

The poisoned DNS will of course redirect legitimate requests to bogus sites to either phish information from the users or install malware.

If you run a large enterprise, good luck finding the bogus DHCP servers on the network.  You need a protocol analyzer to pinpoint just who is responding with the bad leases.  And even if you have a protocol analyzer, you need to have it running on all of your vlans that would serve your client workstations.

Sans says here:

While not too sophisticated, the whole attack is very interesting. First, it’s about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place – you will have to analyze network traffic to see the MAC address of those DHCP Offer packets to find out where the infected machine actually is.

Right now, this type of attack is restricted to a known bad DNS server at a remote site, so you can block it.  But if this baby starts using a fast flux network- internal dns hosted on a compromised host, and distributed botnets to host the malware, phishing sites and command functions-  it would be extremely difficult to defend against.