Wednesday, March 18, 2009

Flush.M trojan and rising attack complexity

An updated version of the DNS hijacking malware 'Flush.M' is currently out in the wild; it originally popped up in December 2008. What is significant about this particular nasty is its method of network compromise: it is sharply more complex and creative in the way it hijacks its prey.

Let me walk you through how it works:

Joe the Plumber clicks through a website carrying a malicious banner ad that serves a Flush.M-laden PDF exploiting the recent JBIG2 flaw in Adobe Reader. Once his browser auto-opens the PDF, the trojan is installed on his machine.

Now the interesting part: the malware starts a rogue DHCP server that answers DHCP requests broadcast on the local LAN, handing out leases with a one-hour refresh. This means that if Joe is at the public library, the one 'Flush.M' infection can change the network settings of every machine on the same LAN that takes its offer ahead of the legitimate server's.

Because a DHCP lease can set the client machine's DNS servers (option 6), 'Flush.M' points every client's resolvers at malicious external DNS hosts, which exposes the entire LAN to a giant man-in-the-middle attack. Phishing, password stealing, more malware injection, click fraud, you name it...
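The detection a network owner wants against this technique is a rogue DHCP server check. The following is an added example, not code from the original post or from any Flush.M analysis: it decodes DHCP OFFER/ACK messages (RFC 2131/2132 wire format) and flags a lease whose server identifier is not the known DHCP server, whose option 6 pushes resolvers outside an allow-list, or whose lease time is one hour or shorter. The LAN addresses, the 172.17.1.0/24 network and the two TEST-NET resolvers are assumptions used to construct the sample packets inline; feed it packets sniffed from UDP port 68 in practice.

```python
# Added example (not from the original post): parse DHCP OFFER/ACK messages
# and flag the ones a rogue server like Flush.M would send.
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"      # RFC 2132 magic cookie at offset 236

# DHCP option codes used here (RFC 2132)
OPT_DNS = 6           # Domain Name Server
OPT_LEASE = 51        # IP Address Lease Time
OPT_MSG_TYPE = 53     # DHCP Message Type
OPT_SERVER_ID = 54    # Server Identifier
OPT_END = 255

DHCPOFFER, DHCPACK = 2, 5


def parse_dhcp(pkt: bytes) -> dict:
    """Decode the fixed BOOTP header and the option list of one DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", pkt[:8])
    options = {}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:                  # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option list")
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "yiaddr": str(ipaddress.IPv4Address(pkt[16:20])),
        "siaddr": str(ipaddress.IPv4Address(pkt[20:24])),
        "options": options,
    }


def ip_list(raw: bytes) -> list:
    """Split an option value holding N IPv4 addresses into dotted strings."""
    return [str(ipaddress.IPv4Address(raw[i:i + 4]))
            for i in range(0, len(raw) - len(raw) % 4, 4)]


def audit_offer(pkt: bytes, trusted_dhcp: set, approved_dns: set) -> list:
    """Return a list of findings for a server->client DHCP message.

    An empty list means the lease looks legitimate.
    """
    opts = parse_dhcp(pkt)["options"]
    if opts.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCPOFFER, DHCPACK):
        return []                      # only server->client messages are audited
    findings = []
    server_id = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server_id or server_id[0] not in trusted_dhcp:
        findings.append("server identifier %s is not a trusted DHCP server"
                        % (server_id[0] if server_id else "missing"))
    for dns in ip_list(opts.get(OPT_DNS, b"")):
        if dns not in approved_dns:
            findings.append("lease pushes unapproved DNS resolver %s" % dns)
    if OPT_LEASE in opts:
        lease = struct.unpack("!I", opts[OPT_LEASE])[0]
        if lease <= 3600:
            findings.append("short lease of %ds (a rogue server keeps leases "
                            "short so clients keep coming back to it)" % lease)
    return findings


def build_offer(xid: int, yiaddr: str, server_id: str, dns: list,
                lease: int, msg_type: int = DHCPOFFER) -> bytes:
    """Build a minimal DHCP OFFER/ACK on the wire (used for the samples below)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0x8000)  # BOOTREPLY, broadcast flag
    hdr += b"\x00" * 4                                         # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed             # siaddr
    hdr += b"\x00" * 4                                         # giaddr
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10        # chaddr (16 bytes)
    hdr += b"\x00" * 192                                       # sname + file
    dns_raw = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts = (bytes([OPT_MSG_TYPE, 1, msg_type])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
            + bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
            + bytes([OPT_DNS, len(dns_raw)]) + dns_raw
            + bytes([OPT_END]))
    return hdr + DHCP_MAGIC + opts


# Constructed sample traffic for a hypothetical 172.17.1.0/24 LAN (addresses are
# assumptions, not taken from the post): the real DHCP server is 172.17.1.1; the
# infected host 172.17.1.86 answers the same DISCOVER with a one-hour lease that
# points DNS at two outside resolvers (TEST-NET documentation addresses).
TRUSTED_DHCP = {"172.17.1.1"}
APPROVED_DNS = {"172.17.1.1"}
LEGIT_OFFER = build_offer(0x3903F326, "172.17.1.120", "172.17.1.1",
                          ["172.17.1.1"], 86400)
ROGUE_OFFER = build_offer(0x3903F326, "172.17.1.120", "172.17.1.86",
                          ["192.0.2.53", "198.51.100.53"], 3600)


def audit_samples() -> dict:
    """Audit both sample offers; returns {label: findings}."""
    return {name: audit_offer(pkt, TRUSTED_DHCP, APPROVED_DNS)
            for name, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER))}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["ok"])
```

The server-identifier check is the decisive one: a legitimate network has a short, known list of DHCP servers, and any OFFER or ACK from another address is a rogue regardless of what options it carries. The lease-time check is only supporting evidence, since some networks legitimately hand out one-hour leases.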

So, for the first time I can think of, you have malware spreading on the LAN not by attacking known vulnerabilities but by using legitimate networking technologies to poison the environment and very quickly compromise an entire LAN. Nasty stuff.


If you want to know whether Flush.M is on your network, here is a tcpdump snapshot of an infected host phoning home (the destination address and the domain in the summary line have been sanitized):

14:45:26.989321 IP 172.17.1.86.60307 > 55.55.55.55.53: 45585+ A? isatap.snip.edu. (33)
0x0000: 4500 003d 040c 0000 7f11 c4b3 ac11 0156  E..=...........V
0x0010: 4056 8533 eb93 0035 0029 42f8 b211 0100  @V.3...5.)B.....
0x0020: 0001 0000 0000 0000 0669 7361 7461 7004  .........isatap.
0x0030: 6963 6970 0365 6475 0000 0100 01         snip.edu.....


Snort signature (thanks jp):


alert udp ![$SMTP_SERVERS,$DNS_SERVERS] any -> $DNS_SERVERS 53 (msg:"Flush DNS lookup isatap (Possible flush)"; content:"|06|isatap"; nocase; classtype:trojan-activity; sid:1021339; rev:1;)
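The rule matches the wire-format label "isatap" (a length byte of 6 followed by the name, case-insensitively) in a DNS query. Windows clients issue an isatap.<DNS suffix> lookup on their own as part of ISATAP router discovery whenever their network configuration changes, so the label alone will also fire on healthy machines; what makes the post's capture interesting is that the lookup goes to a resolver outside the network. The following is an added example, not code from the post or from jp's rule: it decodes DNS queries, applies the same content match in Python, and goes one step further than the rule by combining it with a resolver allow-list. The addresses, names and the allow-list are assumptions used to construct the sample packets inline; only the transaction id 45585 (0xb211) is borrowed from the snapshot above.

```python
# Added example (not from the original post): decode a DNS query the way the
# Snort rule's content match does and add a resolver allow-list check.
import struct


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a standard recursive A query (flags 0x0100, one question)."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return (struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
            + qname + b"\x00" + struct.pack("!HH", qtype, 1))


def parse_dns_query(payload: bytes) -> dict:
    """Decode the header and first question of a DNS message (RFC 1035)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    labels, i = [], 12
    while True:
        if i >= len(payload):
            raise ValueError("truncated question name")
        length = payload[i]
        i += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a query name")
        labels.append(payload[i:i + length].decode("ascii"))
        i += length
    qtype, qclass = struct.unpack("!HH", payload[i:i + 4])
    return {"id": txid, "flags": flags, "qdcount": qdcount,
            "labels": labels, "name": ".".join(labels),
            "qtype": qtype, "qclass": qclass}


def snort_content_match(payload: bytes, label: bytes = b"isatap") -> bool:
    """Same test as content:"|06|isatap"; nocase; in the Snort rule: a length
    byte of 6 followed by the label, compared case-insensitively.
    bytes.lower() only touches ASCII letters, so the 0x06 byte is unaffected."""
    needle = bytes([len(label)]) + label.lower()
    return needle in payload.lower()


def classify_query(dst: str, dport: int, payload: bytes, approved: set) -> str:
    """Classify one client->server DNS packet.

    'flush-suspect'    : isatap label AND sent to a resolver outside the allow-list
    'isatap-lookup'    : isatap label to an approved resolver (normal Windows behaviour)
    'foreign-resolver' : any other query to an unapproved resolver
    'ok'               : everything else
    """
    if dport != 53:
        return "ok"
    isatap = snort_content_match(payload)
    foreign = dst not in approved
    if isatap and foreign:
        return "flush-suspect"
    if isatap:
        return "isatap-lookup"
    if foreign:
        return "foreign-resolver"
    return "ok"


# Constructed sample packets (dst, dport, payload). The LAN resolver 172.17.1.1,
# the outside resolver 192.0.2.53 (TEST-NET) and the names are assumptions.
APPROVED_RESOLVERS = {"172.17.1.1"}
SAMPLES = [
    ("172.17.1.1", 53, build_query(0x1234, "isatap.example.com")),    # routine Windows ISATAP discovery
    ("192.0.2.53", 53, build_query(45585, "ISATAP.example.net")),     # mixed case exercises nocase
    ("172.17.1.1", 53, build_query(0x5678, "www.example.com")),
    ("192.0.2.53", 53, build_query(0x9ABC, "login.example.com")),     # hijacked resolver, any name
]


def classify_samples() -> list:
    """Return the verdict for each sample packet, in order."""
    return [classify_query(dst, dport, payload, APPROVED_RESOLVERS)
            for dst, dport, payload in SAMPLES]


if __name__ == "__main__":
    for (dst, dport, payload), verdict in zip(SAMPLES, classify_samples()):
        print("%-12s %-22s %s" % (dst, parse_dns_query(payload)["name"], verdict))
```

The fourth sample is the one worth noting: once the rogue lease is in place every lookup from the victim goes to the attacker's resolver, not just the isatap one, so a destination allow-list on port 53 catches the hijack without depending on a label that legitimate clients also send.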
