Malicious DHCP Server Exploit
There have been a number of reported incidents on campus of Windows computers running DHCP servers as a result of malware compromise. More than one exploit appears to be responsible, and antivirus software may not detect all of the variants. The technique is not new: a client's DHCPDISCOVER is a broadcast, so any machine on the subnet can answer it, and whichever offer the client accepts sets its address, gateway and DNS servers. Bad settings cause denial of service; attacker-chosen DNS servers allow private information capture, because every name lookup the client makes is then answered by the attacker. The DHCPDISCOVER broadcast does not cross routers, so a rogue server sees and answers only hosts on its own subnet; detection therefore has to be run from each subnet, and the following information describes how to do so.
Exploit Description
No name is available yet; the behaviour is similar to the Zlob trojan. Once installed, the malware runs a DHCP server on the compromised host. The leases it hands out carry a DNS server option (DHCP option 6) pointing at servers in eastern Europe, so any client on the subnet that takes the rogue lease sends its DNS queries there instead of to the campus resolvers.
Detection
The following utilities send a DHCPDISCOVER on the local subnet and list every server that answers with an offer. Once the legitimate campus servers are removed from the list of responding MAC addresses, the remaining addresses can be matched against ARP cache and switch bridge (MAC address) table data to locate the compromised computers and the ports they are on.
dhcploc: A Windows command-line utility (dhcploc.exe, distributed with the Windows Support Tools).
dhcp_probe: UNIX utility at: http://www.net.princeton.edu/software/dhcp_probe/
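As an added example (not part of this advisory, and not the code of dhcploc or dhcp_probe), the following Python script does what those utilities do: it builds a DHCPDISCOVER with the broadcast flag set, parses every DHCPOFFER that comes back, and reports each offering server's identifier and the DNS servers it hands out, flagging servers that are not on an allow-list. The packet layout follows RFC 2131/2132. The allow-lists and the two sample OFFERs are constructed and use RFC 5737 documentation addresses, so `demo()` runs offline; `probe()` is the live version and needs root/Administrator on a host attached to the subnet being checked.

```python
"""Rogue DHCP detection: broadcast a DISCOVER, parse every OFFER, flag unknown servers."""
import ipaddress
import os
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_REQ = 1, 3, 6, 53, 54, 55
DHCPDISCOVER, DHCPOFFER = 1, 2

# Constructed allow-lists for the sample run; replace with the real campus DHCP and DNS servers.
LEGIT_SERVERS = {"192.0.2.1"}
LEGIT_DNS = {"192.0.2.53"}


def _bootp_header(op, xid, yiaddr, chaddr):
    """Fixed 236-byte BOOTP header (RFC 2131 figure 1)."""
    return struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0x8000,          # htype=1 (Ethernet), hlen=6, BROADCAST flag set
        b"\0" * 4,                             # ciaddr
        ipaddress.IPv4Address(yiaddr).packed,  # yiaddr
        b"\0" * 4, b"\0" * 4,                  # siaddr, giaddr
        chaddr.ljust(16, b"\0"),               # chaddr
        b"\0" * 64, b"\0" * 128,               # sname, file
    )

def build_discover(mac, xid):
    """DHCPDISCOVER requesting subnet, router, DNS and server-id (options 1, 3, 6, 54)."""
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
            + bytes([OPT_PARAM_REQ, 4, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_SERVER_ID])
            + b"\xff")
    return _bootp_header(BOOTREQUEST, xid, "0.0.0.0", mac) + MAGIC_COOKIE + opts

def build_offer(server_ip, yiaddr, dns, mac, xid):
    """Constructed DHCPOFFER used as offline sample input (a live probe reads these off the wire)."""
    dns_bytes = b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    opts = (bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
            + bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
            + bytes([OPT_DNS, len(dns_bytes)]) + dns_bytes
            + b"\xff")
    return _bootp_header(BOOTREPLY, xid, yiaddr, mac) + MAGIC_COOKIE + opts

def parse_offer(pkt):
    """Extract the fields needed to attribute an OFFER to a server and judge its DNS settings."""
    if len(pkt) < 240 or pkt[0] != BOOTREPLY or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a BOOTP reply carrying DHCP options")
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:      # 255 = end option
        if pkt[i] == 0:                        # 0 = pad, carries no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            break                              # truncated option, stop parsing
        length = pkt[i + 1]
        options[pkt[i]] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    if options.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        raise ValueError("not a DHCPOFFER")
    dns_raw = options.get(OPT_DNS, b"")
    return {
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "offered_ip": str(ipaddress.IPv4Address(pkt[16:20])),
        "client_mac": pkt[28:34].hex(":"),
        "server_id": str(ipaddress.IPv4Address(options[OPT_SERVER_ID])) if OPT_SERVER_ID in options else None,
        "dns": [str(ipaddress.IPv4Address(dns_raw[j:j + 4])) for j in range(0, len(dns_raw) // 4 * 4, 4)],
    }

def classify(offer, legit_servers=LEGIT_SERVERS, legit_dns=LEGIT_DNS):
    """A lease is clean only if the offering server and every DNS address it hands out are known."""
    if offer["server_id"] not in legit_servers:
        return "ROGUE: unknown server %s" % offer["server_id"]
    unknown = [d for d in offer["dns"] if d not in legit_dns]
    if unknown:
        return "SUSPECT: %s hands out unknown DNS %s" % (offer["server_id"], ", ".join(unknown))
    return "legitimate"

def probe(timeout=3.0):
    """Live probe (needs UDP/68, i.e. root/Administrator; the broadcast stays on this subnet).
    The dummy chaddr means an L2-unicast reply would never reach us, hence the BROADCAST flag."""
    xid = int.from_bytes(os.urandom(4), "big")
    mac = b"\x02\x00\x00\x00\x00\x01"          # locally administered, not a real host on the LAN
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.bind(("", 68))
    s.settimeout(timeout)
    s.sendto(build_discover(mac, xid), ("255.255.255.255", 67))
    offers = []
    try:
        while True:
            data, (src, _) = s.recvfrom(4096)
            try:
                offer = parse_offer(data)
            except ValueError:
                continue
            if offer["xid"] == xid:            # ignore offers meant for other clients' transactions
                offer["src_ip"] = src          # resolve with arp/ip neigh, then the switch bridge table
                offers.append(offer)
    except socket.timeout:
        pass
    finally:
        s.close()
    return offers

def demo():
    """Offline run over two constructed OFFERs: the campus server and a rogue on the same subnet."""
    mac, xid = b"\x02\x00\x00\x00\x00\x01", 0x1234
    samples = [build_offer("192.0.2.1", "192.0.2.100", ["192.0.2.53"], mac, xid),
               build_offer("192.0.2.77", "192.0.2.200", ["198.51.100.9", "198.51.100.10"], mac, xid)]
    return [(o["server_id"], o["dns"], classify(o)) for o in (parse_offer(p) for p in samples)]
```

The server identifier (option 54) is whatever the rogue chooses to put there, so use the offer's source IP rather than the option when hunting: resolve it to a MAC in the ARP cache (`arp -a` on Windows, `ip neigh` on Linux) and look that MAC up in the switch's bridge table to find the port, as described above. A known campus server handing out unknown DNS addresses is reported as SUSPECT rather than ROGUE because it may simply be a reconfiguration that the allow-list has not caught up with.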
More Information
http://isc.sans.org/diary.html?storyid=6025