It seems that the DNSChanger malware family is attempting to utilise another interesting approach to ensuring that its victims are royally shafted.
The DNSChanger malware, if you don’t know, has been about for a while, and its authors have tried various tactics to get their hooks into a victim. As the name suggests, it attempts to change the DNS server settings of a victim, and has targeted users of Windows and Apple OS X. After a while this family of malware started to target the victim’s ADSL modem or router to alter the DNS information it held; this is particularly useful when the ADSL modem acts as a DNS server and forwards DNS requests for the users of the network. In this instance the malware would use Cross Site Request Forgery vulnerabilities to alter the DNS settings of the modems or routers.
Now it seems this family of malware has evolved to include functionality that implements a DHCP server. The malware does this by installing a legitimate driver, NDISProt, which allows it to send and receive raw Ethernet frames. Once the driver is installed, the malware simulates a DHCP server: it starts monitoring network traffic and when it sees a DHCP Discover packet it replies with its own DHCP Offer packet. As you can guess, the offered DHCP lease will contain malicious DNS servers.
Now, the attack isn’t that sophisticated, and it does rely on who responds first, the legitimate DHCP server for the network or the rogue one. If the rogue wins, then without a network packet capture and analysis of which hosts are responding to the DHCP traffic it is pretty difficult to determine how a victim machine was poisoned into using the rogue DNS servers.
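Since the only reliable tell is in the DHCP traffic itself, the check a defender wants is: which host is answering Discovers, and which DNS servers is it handing out? The following is an added example written for this post, not code from the SANS write-up or from the malware, that parses a raw DHCP/BOOTP payload (as captured from UDP port 68 traffic) and flags any Offer or Ack whose server identifier (option 54) is not an authorised DHCP server, or whose DNS list (option 6) contains a resolver outside the expected set. The sample Offers, the authorised server list and the DNS addresses are all constructed for the example (documentation ranges, not real indicators), and the allowlist would in practice come from your own network inventory.

```python
import struct
import ipaddress

# DHCP/BOOTP constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def build_dhcp_message(msg_type, server_id, dns_servers, yiaddr="192.168.1.50", xid=0x3903F326):
    """Build a minimal DHCP server reply. Used only to construct sample captures for this example."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                       # op=BOOTREPLY, htype=Ethernet, hlen=6, hops, xid, secs, flags
        bytes(4), ipaddress.IPv4Address(yiaddr).packed,  # ciaddr, yiaddr (offered address)
        ipaddress.IPv4Address(server_id).packed, bytes(4),  # siaddr, giaddr
        bytes.fromhex("001122334455") + bytes(10),   # chaddr (constructed client MAC, padded to 16)
        bytes(64), bytes(128))                       # sname, file
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    options += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns_servers)
    options += bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_dhcp(payload):
    """Parse the fixed BOOTP header and the TLV option area; raises ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": str(ipaddress.IPv4Address(payload[16:20])), "options": options}


def ip_list(raw):
    """Decode an option value holding one or more 4-byte IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def check_dhcp_reply(payload, authorized_servers, expected_dns):
    """Return a list of findings for a DHCP OFFER/ACK; an empty list means the reply matches policy."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    mtype = MSG_TYPES.get(opts.get(OPT_MSG_TYPE, b"\x00")[0])
    if mtype not in ("OFFER", "ACK"):
        return []  # only server replies can poison a client; ignore client messages
    findings = []
    server_id = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server_id or server_id[0] not in authorized_servers:
        who = server_id[0] if server_id else "unknown"
        findings.append(f"{mtype} xid={msg['xid']:#x} from unauthorized DHCP server {who}")
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in expected_dns:
            findings.append(f"{mtype} xid={msg['xid']:#x} hands out unexpected DNS server {dns}")
    return findings


# Constructed policy and sample captures (assumptions for this example, not real network data)
AUTHORIZED_DHCP = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_dhcp_message(2, "192.168.1.1", ["192.168.1.1"])
# A LAN host answering Discovers and pointing clients at outside resolvers, as the post describes
ROGUE_OFFER = build_dhcp_message(2, "192.168.1.77", ["198.51.100.10", "203.0.113.20"])


def demo():
    return {"legit": check_dhcp_reply(LEGIT_OFFER, AUTHORIZED_DHCP, EXPECTED_DNS),
            "rogue": check_dhcp_reply(ROGUE_OFFER, AUTHORIZED_DHCP, EXPECTED_DNS)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```

Feeding this the UDP payloads from a capture filtered on `udp port 67 or udp port 68` turns the "who answered first" question into a short list of Offers from addresses that should not be serving DHCP, together with the resolver addresses they pushed, which is exactly the evidence needed to explain how a poisoned client got its DNS settings.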
Now what is the point of all this, you may ask? Well, the rogue DNS servers are used to misdirect users away from the sites they want to visit and towards malicious sites, all without arousing suspicion, as the address the user types into their browser will look normal, but the underlying address used by their computer is fake.
There is a pretty good write up on this new twist at SANS here.