Worm uses built-in DHCP server to spread

A variant of the Alureon rootkit is hijacking DHCP on local networks to spread itself, according to a blog posting from Kaspersky.

The loader for the rootkit, Net-Worm.Win32.Rorpian, uses a fairly standard technique for spreading on removable media: it creates an autorun.inf and .lnk files (setup.lnk, myporno.avi.lnk, pornmovs.lnk) which point to rundll32.exe with parameters which will load and run a DLL belonging to the rootkit.

But if it is running on machine attached to a local area network, it checks to see whether a DHCP server is being used on the network. It then scans for available addresses on that network and launches its own DHCP server. When another machine on the LAN makes a DHCP request, it attempts to answer before the legitimate DHCP server, sending an IP address from the pool of previously gathered addresses, the gateway address as configured on the infected system and, for DNS, the IP address of the criminals' maliciously configured DNS server.

If it is successful, when the user of the DHCP requesting machine attempts to use the network, they are redirected to a web page on a malicious server which tells them they need to update their browser. The "browser update" is malware. After the machine has been infected, the DNS settings are reset to point at Google's DNS service.

The technique of hijacking DNS through DHCP is not new: in 2008, a variant of DNSChanger was spotted pretending to be a DHCP server rather than just exploiting DHCP server vulnerabilities.

(djwm)