Late last week, I formulated the hypothesis that we might have some rogue DHCP servers popping up here and there.
Since the machines that were having the problems revert to a presumed-good image upon reboot, finding the actual problem was a little bit of a challenge. Our only real option was to wait for another outbreak, followed by a focused and temporary capture of network traffic.
A few days ago, we got a call that machines were experiencing browsing difficulties, and we were able to capture some network traffic that confirmed my hypothesis; a box that not one of our DHCP servers was sending out DHCP offers.
The offers convinced the clients that received them to switch their DNS to an external machine. We block outbound DNS to anything but our own servers, so the result was that the infected machined were no longer able to resolve any host names. Not a good thing, since they are primarily used as web browsers (non-proxied).
As we were wrapping up the incident, segmenting our network even further, putting in additional monitoring, and doing some additional hardening in certain areas, the Internet Storm Center posts a diary message that was timely and on topic. The subject of the message was Rogue DHCP servers.
Not even a half-day later, I was on the phone with my previous employer and 'lo and behold: they were suffering outages and seeing strange DHCP traffic. It seems that whatever site is offering this Trojan.Flush.M-malware is very effective at reaching institutes for higher education world-wide.
Symantec ranks the risk of this malware as "risk level 1: very low". I disagree with this; risk is a function of probability and impact, and looking at my own experiences, both are high. I have first-hand knowledge of at least three institutes that have been hit, and the impact of getting hit (loss of the ability to resolve hostnames) is also large.
How do we defend against this? The most important steps are to ensure proper network segmentation and providing up-to-date anti-malware software on workstations. On servers, you probably want to statically configure your DNS settings. Make sure you can monitor what's happening on your network; block outbound DNS traffic to everything except your own servers, and consider deploying hardened proxy servers for browsing.
Why not just block DHCP in and out along the lines of your blocking outbound DNS? That should be standard practice on a network of any size.
To track down a local rogue DHCP server, you can just look at the ip config settings of the affected machine to see the DHCP server it got it's address from.
DHCP is blocked on the perimeter of each network, but a fake DHCP server can still be effective within the network in which it lives. The fact that we had already segmented a lot of our network into VLANs saved us-- if we had one "flat" network, we would have been dead in the water.
ipconfig is indeed a great option to detect from where it got its IP address, but that requires direct access to the machine (physically, or remotely).
Most Windows-users are trained to reboot their machine when it does strange things, and as soon as that happens it gets a bad DHCP response and we have no way of getting to it remotely, leaving the local physical intervention as the only option. Network monitoring was the way that we identified the source of the problem, which we confirmed through checking ipconfig.
The problem is that most LAN-protocols are based on trust. Most notable, ARP and DHCP can be easily spoofed because there are both dependent on authenticated response. The same is true for DNS, although movements like DNSSEC are trying to change that.
Looks like it's getting bigger:
https://forums.symantec.com/syment/blog/article?message.uid=370377
This could affect any OS right?
m.
Yes, it can. Any client that listens to standard DHCP offers could be foiled this way.