Bert JW Regeer (畢傑龍)

Rogue DHCP servers -- Malware becomes more sophisticated

An idea that I have been floating around in my head for a while has finally come true in the real world. Ever since I experimented with ettercap almost two years ago, I have been wondering how long it would be until someone implemented the idea of beating a DHCP server in a race condition on a wider scale, to run phishing attacks against the customers of entire ISPs.

Luckily it is not that bad yet; however, according to the SANS Internet Storm Center there is a new DNS-changing piece of malware that installs a valid TCP/IP driver in Windows to gain raw packet access, sets up a listener, and emulates a DHCP server. Whenever it sees a DHCP request it sends its own DHCP reply, hopefully (from the attacker's point of view) before the real DHCP server gets a chance to, and sets the DNS resolver IPs to ones located in Ukraine.
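From the defender's side, the rogue reply is visible on the wire: a DHCP OFFER or ACK whose server identifier (option 54) is not the ISP's DHCP server, or whose DNS servers (option 6) are not the ISP's resolvers. The checker below is an added example, not code from this post, from SANS, or from the malware; the allowlisted addresses and the sample OFFER it builds are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

TRUSTED_DHCP_SERVERS = {"192.0.2.1"}             # constructed: the ISP's real DHCP server
TRUSTED_DNS_SERVERS = {"192.0.2.53", "192.0.2.54"}  # constructed: the ISP's real resolvers
DHCP_MAGIC = b"\x63\x82\x53\x63"                 # cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5                                # DHCP message types that push settings

def parse_dhcp_options(payload):
    """Return {code: raw value} from the option area of a BOOTP/DHCP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad byte, no length field
            i += 1
            continue
        if code == 255:                     # end of options
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def ip_list(raw):
    """Decode a run of 4-byte IPv4 addresses (options 6 and 54 use this form)."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def check_dhcp_reply(payload):
    """Flag OFFER/ACK replies from an unknown server or carrying unknown resolvers."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53)
    if not msg_type or msg_type[0] not in (OFFER, ACK):
        return []
    findings = []
    server = ip_list(opts.get(54, b""))     # option 54: server identifier
    if not server or server[0] not in TRUSTED_DHCP_SERVERS:
        findings.append(f"reply from unexpected DHCP server {server}")
    rogue = [d for d in ip_list(opts.get(6, b"")) if d not in TRUSTED_DNS_SERVERS]
    if rogue:                               # option 6: resolvers handed to the client
        findings.append(f"DNS resolvers not on allowlist: {rogue}")
    return findings

def build_offer(server_ip, dns_ips):
    """Constructed sample DHCP OFFER (BOOTP header + options) to exercise the check."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0) + b"\0" * 224 + DHCP_MAGIC
    opts = bytes([53, 1, OFFER, 54, 4]) + IPv4Address(server_ip).packed
    opts += bytes([6, 4 * len(dns_ips)]) + b"".join(IPv4Address(d).packed for d in dns_ips)
    return hdr + opts + b"\xff"
```

Feed it the UDP payload of every packet arriving on client port 68 and a second OFFER for the same transaction from an unlisted server is exactly the race this post describes.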

Very interesting. How secure are ISPs against this type of attack? Could I set up a fake DHCP server on my outbound connection and reply to DHCP packets? Food for thought.

Rogue DHCP servers article at SANS