Tuesday, December 9, 2008

Beware of Scoundrel DHCP servers, warns Symantec

DHCP is a mechanism commonly used to automatically assign IP addresses to computers and other devices on a local network. It also provides the client systems with the address of the DNS server they should use.

Using a malicious DNS server to divert traffic to malicious sites is known as pharming. A pharmed user may type a bank URL directly into the browser (as recommended by most financial institutions), but may end up on a fake site designed to capture login details to aid in making fraudulent transactions.

According to Symantec, a Trojan it has dubbed Flush.M sets up a rogue DHCP server on the victim's PC.

When other systems on the LAN make a DHCP request to receive or renew an IP address, Flush.M responds.

If the requesting system receives Flush.M's response before that of the real DHCP server, it will start using the malicious DNS server(s) rather than those specified by the real network administrator.

This can be done by infecting just one PC on the LAN, and it can potentially divert the traffic from any other device, regardless of its operating system.

Furthermore, security software running on those other devices is unlikely to find anything wrong.

Symantec suggests network administrators should watch for DHCP offers originating from addresses other than their DHCP servers, and that they monitor or block traffic to the IP address range 85.255.112.0 to 85.255.127.255, which includes known malicious DNS servers.

If you are suffering from these type of rogue DNS then no need to worry just give us a call at 1-866-914-9838 and talk to a Microsoft certified professionals within a minute & get DNS server support.

Source:itwire.com

No comments: