Friday, March 20, 2009

New version of DNS server Trojan Flush.M spotted in the pipe by Joel Hruska

The SANS Internet Storm Center has reported spotting a new version of the Flush.M Trojan nosing around online. The original malware program was isolated and, erm, canned back in December; March's updated model sports a fresh coat of paint and a few new tricks. Both forms of Flush.M are DNS hijackers capable of redirecting entire networks towards malicious DNS servers. The original version of Flush would redirect to DNS servers located at 85.255.112.36 or 85.255.112.41; the update targets 64.86.133.51 and 63.243.173.162.

Flush.M 2.0 sets the DHCP lease time to just one hour and does not specify a DNS Domain Name, does not contain PAD options after the END option, and does set the BootP Broadcast Bit. BootP is typically used for configuring diskless workstations or for rolling out PC installations across a large network. SANS recommends monitoring network traffic for signs that systems are attempting to connect to any unapproved DNS server other than the one approved by the local DHCP server.


The new Trojan poses a measured risk to network security as its capable of affecting traffic flowing to and from systems that are themselves immune to the exploit Flush.M leverages. Server admins who can't keep an eye on DNS connections can try filtering out the IPs listed above, but this option provides little to no long-term protection against future updates to the Trojan; such updates will inevitably include new DNS addresses.


We haven't talked much about DNS security in 2009—at least not yet—but the issue was a hot topic in the latter half of 2008, beginning with security researcher Dan Kaminsky's revelation that he'd worked with a security industry alliance to plug a fundamental flaw in the DNS system. That problem has been solved, but the scare it caused intensified calls for the Internet to move towards the more secure DNSSEC protocol.

The US Commerce Department requested comments on whether ICANN or another body should be responsible for signing the root servers; the department's observations from the comments it gathered have not been published. Data from 2008 suggests that DNS security flaws remain a major source of concern to most security admins and companies, making it all the more important that relatively low-level Trojans like Flush.M are spun down the drain before they can stink up the joint.

No comments: