[unisog] another malware-based rogue DHCP server (not Trojan.Flush.M)

Irwin Tillman irwin at princeton.edu
Sun Mar 15 15:56:52 GMT 2009


I want to alert you to another malware-based rogue DHCP server,
one that I have not yet seen reported.  (This is not Trojan.Flush.M.)

----

Background:

(Skip if you are already familiar with Trojan.Flush.M.)

Princeton University saw our first case of Trojan.Flush.M on December 2 2008.

Trojan.Flush.M is malware that causes an infected Windows device to become a
rogue DHCP server.  Unlike accidental rogue DHCP servers, this malicious rogue
DHCP server distributes topologically valid IP addresses to clients, directing
clients to use a particular set of malicious DNS servers.  Its impact includes
both DNS Pharming and causing DHCP clients to "steal" valid IP addresses not
legitimately assigned for their use.
See http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99

Below is an example of a DHCPOFFER produced by Trojan.Flush.M.
(Local values have been sanitized; the UDP checksum below will not check.)

17:24:29.292439 00:01:02:03:04:05 > 00:01:01:01:01:01, ethertype IPv4 (0x0800), length 590: 10.0.100.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 548
  IP:  Src=10.0.100.1       Dst=255.255.255.255
  UDP: SrcPort=server       DstPort=client       Len=556  Cksum=f131
  BOOTP: Op=reply  htype=01  hlen=6  chaddr=000101010101
         hops=0  xid=0x19970112  secs=0  flags=0000
         ciaddr=0.0.0.0  yiaddr=10.0.4.147  siaddr=0.0.0.0  giaddr=0.0.0.0
         sname=   
         file=
       Options: starts with RFC1048 magic cookie, decoding (len=312):
         DHCPmessageType: DHCPOFFER
         DHCPserverIdentifier: 10.0.129.32
         DHCPipAddressLeaseTime: 21600 seconds (6 hours)
         subnetMask: 255.255.0.0
         routerList: 10.0.1.1
         dnsServerList: 85.255.112.36 85.255.112.41
         domainName: example.com
         end
         pad (seen 255 times)

Key:
legitimate network number 10.0.0.0
legitimate network mask 255.255.0.0
legitimate router  10.0.0.1
legitimate  BootP Relay Agent: 10.0.0.1
legitimate DHCP Server Identifier  10.0.129.32
legitimate DNS Domain Name: example.com
DHCP client MAC 00:01:01:01:01:01
rogue DHCP server MAC 00:01:02:03:04:05
rogue DHCP server IP 10.0.100.1

The malware discovers the network's IP number/netmask, default IP router,
the IP address of a legitimate DHCP server, and the DNS domain name.  It uses these
when awarding bogus DHCP leases to clients.   The bogus lease awards the client
an IP address within the legitimate IP network range.  The bogus leases point the
clients to use malicious DNS servers 85.255.112.36 and 85.255.112.41.
Note that the DHCP Server Identifier option specifies the IP address
of a (presumably legitimate) DHCP server the malware learned about.
The lease time is 6 hours.
The options field is padded to 312 bytes.

----

Now for the new malware:

Princeton began seeing another malware-based rogue DHCP server starting February 19 2009.
I've not yet seen this newer (?) malware documented by any antiviral site; it
is this newer malware that I am reporting.

Like Trojan.Flush.M, it causes the infected device to act as a rogue DHCP server
directing clients to use malicious DNS servers.  The characteristics of its
DHCP traffic are slightly different than Trojan.Flush.M.

I believe that others are also experiencing this newer malware, based on a web search
of the IP addresses of the malicious DNS servers distributed by this malware.

Here's an example of a DHCPOFFER sent by this as-yet-unnamed malware:
(Local values have been sanitized; the UDP checksum below will not check.)

2009-03-04 16:48:53.803461 00:01:02:03:04:05 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 319: 10.0.100.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 277
  IP:  Src=10.0.100.1  Dst=255.255.255.255
  UDP: SrcPort=server       DstPort=client       Len=285  Cksum=73b6
  BOOTP: Op=reply  htype=01  hlen=6  chaddr=000101010101
         hops=0  xid=0x19970112  secs=0  flags=8000
         ciaddr=0.0.0.0  yiaddr=10.0.128.203  siaddr=0.0.0.0  giaddr=0.0.0.0
         sname=
         file=
       Options: starts with RFC1048 magic cookie, decoding (len=41):
         DHCPmessageType: DHCPOFFER
         DHCPserverIdentifier: 10.0.0.1
         DHCPipAddressLeaseTime: 3600 seconds (1 hour) 
         subnetMask: 255.255.0.0 
         routerList: 10.0.0.1
         dnsServerList: 64.86.133.51 63.243.173.162 

key (same as above):
legitimate network number 10.0.0.0
legitimate network mask 255.255.0.0
legitimate router  10.0.0.1
legitimate  BootP Relay Agent: 10.0.0.1
legitimate DHCP Server Identifier  10.0.129.32
legitimate DNS Domain Name: example.com
DHCP client MAC 00:01:01:01:01:01
rogue DHCP server MAC 00:01:02:03:04:05
rogue DHCP server IP 10.0.100.1


The DHCPOFFER produced by this malware is different from that
produced by Trojan.Flush.M in a number of ways:

Unlike Trojan.Flush.M, it specifies DNS servers 64.86.133.51 and 63.243.173.162.
Presumably these too are malicious DNS servers.

Unlike Trojan.Flush.M, this malware sets the DHCP Server Identifier
not to the value of some DHCP Server it learned about, but instead to a different
value.  It appears to be using the value of the default IP router, or the BootP Relay Agent.
(I'm not sure which it is using, as the two values are the same on our network.)

Unlike Trojan.Flush.M, it sets the DHCP lease time to 1 hour.

Unlike Trojan.Flush.M, it sets the MAC destination to the broadcast address,
rather than the MAC address of the DHCP client.

Unlike Trojan.Flush.M, it does not specify a DNS Domain Name.

Unlike Trojan.Flush.M, the options field does not contain an 
END option followed by PAD options.

Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.
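A detection-side check for the indicators described in both OFFER walkthroughs above, as an added example that is not from the original post: it parses the option field of a BOOTP/DHCP reply and flags a Server Identifier other than the legitimate one, DNS servers outside an allowlist, the BootP broadcast bit, and a missing DNS Domain Name. The legitimate DNS allowlist and the two sample offers (modelled on the captures, not the captures themselves) are assumptions of this example.

```python
import ipaddress
import struct
# Legitimate server identifier is from the key in the post; the DNS allowlist
# is an assumption, since the post does not name the legitimate resolvers.
LEGIT_SERVER_ID = "10.0.129.32"
LEGIT_DNS = {"10.0.0.53", "10.0.0.54"}
MAGIC = b"\x63\x82\x53\x63"  # RFC 1048 magic cookie

def ip(s): return ipaddress.IPv4Address(s).packed
def ips(data): return [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data), 4)]
def opt(code, data): return bytes([code, len(data)]) + data

def build_offer(yiaddr, flags, options):
    fixed = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x19970112, 0, flags)  # op=reply, htype, hlen, hops, xid, secs, flags
    fixed += ip("0.0.0.0") + ip(yiaddr) + bytes(8)      # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes.fromhex("000101010101") + bytes(10)  # chaddr padded to 16 bytes
    return fixed + bytes(64 + 128) + MAGIC + options    # sname, file, cookie, options

def parse_options(pkt):
    """Walk the option TLVs after the cookie: skip PAD (0), stop at END (255)."""
    assert pkt[236:240] == MAGIC, "no RFC 1048 magic cookie"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:
        if pkt[i] == 0:          # PAD is a single byte with no length field
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return opts

def rogue_indicators(pkt):
    opts = parse_options(pkt)
    sid = ips(opts.get(54, b""))
    ind = ["dns:" + s for s in sorted(set(ips(opts.get(6, b""))) - LEGIT_DNS)]
    if sid != [LEGIT_SERVER_ID]:
        ind.append("server-id:" + ",".join(sid))
    if struct.unpack("!H", pkt[10:12])[0] & 0x8000:  # BOOTP broadcast bit
        ind.append("broadcast-bit")
    if 15 not in opts:                               # no DNS Domain Name option
        ind.append("no-domain")
    return ind                                       # [] means nothing suspicious

# Constructed offers modelled on the two captures in the post (not the captures themselves).
FLUSH_M = build_offer("10.0.4.147", 0x0000, opt(53, b"\x02") + opt(54, ip("10.0.129.32"))
    + opt(51, struct.pack("!I", 21600)) + opt(1, ip("255.255.0.0")) + opt(3, ip("10.0.1.1"))
    + opt(6, ip("85.255.112.36") + ip("85.255.112.41")) + opt(15, b"example.com") + b"\xff" + bytes(255))
NEW_ONE = build_offer("10.0.128.203", 0x8000, opt(53, b"\x02") + opt(54, ip("10.0.0.1"))
    + opt(51, struct.pack("!I", 3600)) + opt(1, ip("255.255.0.0")) + opt(3, ip("10.0.0.1"))
    + opt(6, ip("64.86.133.51") + ip("63.243.173.162")))
```

Run over a mirrored port, the same checks apply to any OFFER whose Server Identifier or DNS list does not match the values the network's real DHCP server hands out.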

----

Irwin Tillman
Network Systems / The Office of Information Technology / Princeton University
