A new twist in DNS-changing malware poisons other hosts on a local subnet, and installs a rogue DHCP server.
In a blog posting, JM Hipolito, technical communications spokesperson at Trend Micro, explained that once the malware was installed, "The system is turned into a DHCP server that monitors traffic and intercepts request packets from other computers in the network. It then replies to intercepted requests with packets containing malicious DNS servers. This causes the recipients of the malicious packets to be redirected to malicious sites without their consent."
Researchers at the SANS Internet Storm Center said that the technique does not have a 100 percent success rate.
In his blog posting, SANS Handler Bojan Zdrnja said, "While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place."
Trend Micro Advanced Threats Researcher Feike Hacquebord claimed that as the malware works, advertisements placed in websites are replaced with other advertisements that connect to the IP addresses used by cybercriminals. Also, once a user clicks one of these targeted ads and gets connected to the cybercriminals' crafted site, any personal information they enter into the site can be leaked to this scheme's perpetrator. Hacquebord claimed that the estimated number of victims by this kind of threat have reached more than a million for November alone.
