Tuesday, March 31, 2009

DNS server Trojan Flush.M spotted in the pipe

Flush.M 2.0 sets the DHCP lease time to just one hour, does not specify a DNS Domain Name, does not contain PAD options after the END option, and sets the BootP Broadcast Bit. BootP is typically used for configuring diskless workstations or for rolling out PC installations across a large network. SANS recommends monitoring network traffic for signs that systems are attempting to connect to any DNS server other than the one approved by the local DHCP server.

Security experts warned this week that they have seen a new variant of the DNS-changing Trojan.Flush.M malware that resembles a cyberattack from December.

The earlier version, which installed a rogue DHCP server, allowed cybercriminals to monitor traffic from infected IP addresses on an organization's network and to direct other machines to malicious websites, security experts said.

The new variant is more sophisticated and hides the fake DHCP server more effectively than the previous version did, experts said.

Cyberattacks, such as DNS-changing malware exploits, grew considerably in 2008. Security experts are warning that 2009 will be a year of constantly growing and changing cyberthreats, which have the potential to breach network security.

The new Trojan poses a measured risk to network security, as it is capable of affecting traffic flowing to and from systems that are themselves immune to the exploit Flush.M leverages.
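A detection check, added here and not part of the SANS or mxlogic material, that tests a raw DHCP OFFER/ACK payload for the Flush.M 2.0 traits listed at the top of this post (one-hour lease, no Domain Name option, broadcast bit, no PAD after END) and for a DNS server other than the approved one. The approved DNS address, the offered addresses and `build_offer` are constructed for the example, not captured Flush.M traffic.

```python
import struct
from ipaddress import IPv4Address
MAGIC_COOKIE = b"\x63\x82\x53\x63"
APPROVED_DNS = {IPv4Address("192.0.2.10")}   # handed out by the real DHCP server (constructed)

def parse_dhcp(packet):
    """Return (flags, {option code: value}, bytes after END) from a raw DHCP payload."""
    assert packet[236:240] == MAGIC_COOKIE, "not a DHCP packet"
    flags = struct.unpack("!H", packet[10:12])[0]
    options, trailing, i = {}, b"", 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                  # PAD: single byte, no length field
            i += 1
        elif code == 255:              # END: anything after it should be PAD bytes
            trailing = packet[i + 1:]
            break
        else:
            length = packet[i + 1]
            options[code] = packet[i + 2:i + 2 + length]
            i += 2 + length
    return flags, options, trailing

def flush_m_indicators(packet):
    """List the Flush.M 2.0 traits that a DHCP OFFER/ACK payload exhibits."""
    flags, opts, trailing = parse_dhcp(packet)
    hits = []
    if 51 in opts and struct.unpack("!I", opts[51])[0] == 3600:
        hits.append("lease time is exactly one hour")
    if 15 not in opts:
        hits.append("no DNS Domain Name option (15)")
    if flags & 0x8000:
        hits.append("BootP Broadcast Bit set")
    if not trailing:
        hits.append("no PAD options after END")
    dns = opts.get(6, b"")
    rogue = {IPv4Address(dns[j:j + 4]) for j in range(0, len(dns) - 3, 4)} - APPROVED_DNS
    if rogue:
        hits.append("unapproved DNS server(s): " + ", ".join(map(str, rogue)))
    return hits

def build_offer(lease, dns_ip, domain=None, pad_after_end=0, broadcast=True):
    """Constructed DHCPOFFER for testing; not a captured Flush.M packet."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000 if broadcast else 0)
    hdr += b"\0" * 4 + IPv4Address("192.0.2.50").packed + b"\0" * 8         # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("001122334455") + b"\0" * 10 + b"\0" * 192 + MAGIC_COOKIE  # chaddr, sname, file
    opts = bytes([53, 1, 2, 51, 4]) + struct.pack("!I", lease) + bytes([6, 4]) + IPv4Address(dns_ip).packed
    if domain:
        opts += bytes([15, len(domain)]) + domain.encode()
    return hdr + opts + b"\xff" + b"\0" * pad_after_end
```

Several of these traits also occur in legitimate servers, so treat the count of hits as a score to triage rather than a verdict, and weight the unapproved-DNS-server hit highest.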

Source: mxlogic & arstechnica.com

Wednesday, March 25, 2009

Microsoft Discovers Domain Name System Vulnerabilities CVE-2009-0233 & CVE-2009-0234

Recently, Microsoft Corp. discovered two new Domain Name System cache poisoning threats, CVE-2009-0233 and CVE-2009-0234.

According to Check Point, its IPS products are updated by Check Point's update services, providing companies with continuous, real-time protection against DNS attacks. The solutions are available on dedicated platforms or integrated into Check Point gateways.

With the help of a suite of DNS cache poisoning protections, Check Point IPS solutions preemptively protect against the two new threats. These preemptive protections can detect specific attempts to exploit the newly announced vulnerabilities.

“At the heart of the Internet are DNS servers. We trust DNS servers to direct our entered URLs to the intended Websites, so any vulnerability affecting the integrity of DNS servers is of great concern,” said Oded Gonda, vice president of network security products at Check Point. “In less than a year there have been three major DNS exploits and more are likely to follow.”

The vulnerabilities in Microsoft DNS servers lie in the way the server handles caching of queries and responses. An attacker tricks a DNS server (or the large servers that convert domain names into numeric IP addresses) into making unnecessary lookups by flooding it with specially crafted queries. With these unnecessary lookups, an attacker has more chances of inserting incorrect responses into the DNS server's cache.
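A risk model, added here and not taken from the article or from Check Point, that quantifies why "unnecessary lookups" matter: every extra outstanding query for the same name is one more transaction ID a forged reply can match. It assumes 16-bit IDs (`id_space`), distinct IDs per in-flight query and per forged reply, and ignores timing; raising `id_space` models the extra entropy of randomized source ports, and a resolver that coalesces duplicate outstanding queries keeps `outstanding` at 1.

```python
def poison_hit_probability(outstanding, spoofed, id_space=2 ** 16):
    """Exact probability that at least one of `spoofed` forged replies, each carrying a
    different guessed transaction ID, matches one of `outstanding` in-flight queries for
    the same name, each holding a distinct random ID out of `id_space` values.
    P(no hit) = C(N - k, m) / C(N, m), evaluated as a telescoping product."""
    n, k, m = id_space, outstanding, spoofed
    if k <= 0 or m <= 0:
        return 0.0
    if m > n - k:                        # forged replies cover every ID a query could hold
        return 1.0
    p_no_hit = 1.0
    for i in range(m):
        p_no_hit *= (n - k - i) / (n - i)
    return 1.0 - p_no_hit

def risk_table(spoofed, id_space=2 ** 16, outstanding=(1, 2, 5, 10, 50)):
    """Map each count of duplicate outstanding queries to the hit probability, so the
    effect of the unnecessary lookups (and of a larger ID space) can be compared."""
    return {k: poison_hit_probability(k, spoofed, id_space) for k in outstanding}
```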

Source: sip-trunking.tmcnet.com

Wednesday, March 18, 2009

Authorize a Windows 2000 DHCP server

Suppose someone sets up another DHCP server with different IP addresses. As you recall, clients will select the server that responds first. If some unauthorized ("rogue") server is chosen, clients will get incorrect IP addresses and other TCP/IP configuration data and will be unable to communicate with other computers on the network.

To prevent such rogue DHCP servers from leasing incorrect configuration data on the network, Windows 2000 Server requires the authorization of all Windows 2000 DHCP servers. When a Windows 2000 DHCP server starts, it queries Active Directory. If it finds that it is not authorized, it will not start the DHCP service. If it is authorized, it starts the DHCP service and provides TCP/IP configuration to clients.

To authorize a Windows 2000 DHCP server you have to be a member of the Enterprise Admins group. Here's how to do it:

1. Open the DHCP console.
2. Right-click on DHCP.
3. Select Manage Authorized Server.
4. Click on Authorize and type the name or IP address of the DHCP server you want to authorize.

Source: http://blogs.techrepublic.com.com/datacenter/?p=185

Sunday, March 8, 2009

DHCP Relay Agent settings in Windows 2000 Server

After you install and configure DHCP Relay Agent on your Windows 2000 Server, you might also want to optimize it for your network environment.

First you need to find the list of available DHCP servers. Right-click DHCP Relay Agent in the console and select Properties. This list contains all DHCP servers that will receive DHCP packets from the DHCP Relay Agent.

Other settings are located in the Properties window of each interface. Right-click the interface under DHCP Relay Agent in the console and select Properties. The interface's Properties window opens, where you can configure three options.

The first is the Relay DHCP Traffic setting. This setting basically allows you to enable or disable the DHCP Relay Agent on a given interface.

Next is the Hop-Count Threshold setting, which will let you specify the maximum number of DHCP Relay Agents between this Relay Agent and the DHCP server.

The last setting you can configure is the Boot Threshold (Seconds) setting. Here you can specify how long the DHCP Relay Agent will wait before forwarding DHCP messages to the DHCP server.

Related Post:

How to Install the DHCP Relay Agent in Windows 2000 Server?
How To Install and Configure a DHCP Server in a Workgroup in Windows Server 2003

Source: http://blogs.techrepublic.com.com/datacenter/?p=189&tag=rbxccnbtr1

Wednesday, March 4, 2009

Windows 2000 Server DHCP options

A client uses a local broadcast address when it first tries to contact a Windows 2000 Server DHCP server, since this is the only way to get in touch with a DHCP server without having an IP address. Problems can develop, however, when you have multiple network segments separated by routers.

Routers typically don't pass DHCP traffic. If you have such routers and don't have a DHCP server on every segment, your DHCP clients won't get a TCP/IP configuration from any DHCP server.

To prevent this from happening, you can choose from three options. The first is to install a DHCP server on every network segment. This requires a DHCP machine and additional configuration on the server. If you have several network segments, this option doesn't make sense. A second solution is to enable BOOTP/DHCP message traffic on your RFC 1542-compliant routers.

If you don't have such routers or a DHCP server on every network segment, your only option is to install DHCP Relay Agent on every network segment. DHCP Relay Agent will listen for DHCP traffic on the local network and forward these packets to a real DHCP server on another network segment.
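A model of the relay behaviour described here and in the DHCP Relay Agent settings post above (Relay DHCP Traffic, Hop-Count Threshold, Boot Threshold): an added example, not Windows 2000 code. It assumes the threshold is compared against the packet's hops field, that the boot threshold is applied to the client's secs field as RFC 1542 relays do, and uses constructed addresses and a constructed DHCPDISCOVER.

```python
import struct
from ipaddress import IPv4Address

class RelayInterface:
    """Model of one interface running DHCP Relay Agent with the three per-interface
    settings described above.  Constructed model, not the Windows 2000 implementation."""

    def __init__(self, relay_ip, servers, relay_enabled=True, hop_threshold=4, boot_threshold=0):
        self.relay_ip = IPv4Address(relay_ip)
        self.servers = [IPv4Address(s) for s in servers]   # the relay's DHCP server list
        self.relay_enabled = relay_enabled                  # Relay DHCP Traffic
        self.hop_threshold = hop_threshold                  # Hop-Count Threshold
        self.boot_threshold = boot_threshold                # Boot Threshold (Seconds)

    def handle(self, packet):
        """Return (decision, [(server, relayed packet), ...]) for a client broadcast."""
        op, hops = packet[0], packet[3]
        secs = struct.unpack("!H", packet[8:10])[0]         # seconds since the client began trying
        if not self.relay_enabled:
            return "ignored: Relay DHCP Traffic disabled", []
        if op != 1:                                          # only BOOTREQUEST comes from clients
            return "ignored: not a client request", []
        if hops >= self.hop_threshold:                       # assumption: threshold vs. hops field
            return "dropped: Hop-Count Threshold exceeded", []
        if secs < self.boot_threshold:                       # let a local DHCP server answer first
            return "waiting: below Boot Threshold", []
        out = bytearray(packet)
        out[3] = hops + 1                                    # RFC 1542: each relay increments hops
        if out[24:28] == b"\0" * 4:                          # giaddr: the first relay records itself
            out[24:28] = self.relay_ip.packed
        return "forwarded", [(str(s), bytes(out)) for s in self.servers]

def build_discover(secs=0, hops=0, giaddr="0.0.0.0"):
    """Constructed minimal DHCPDISCOVER (header plus message-type option) for the model."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x1234, secs, 0x8000)
    hdr += b"\0" * 12 + IPv4Address(giaddr).packed + bytes.fromhex("001122334455") + b"\0" * 202
    return hdr + b"\x63\x82\x53\x63" + bytes([53, 1, 1, 255])
```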


Source: http://blogs.techrepublic.com.com/datacenter/?p=186&tag=rbxccnbtr1