
DNSChanger method?

I've been looking into the methods used by the DNSchanger virus for part of a project, but something about its method bothers me.

DHCP is a dumb protocol. A station sends out a DHCP request on the network, and then accepts the first response it gets. DNSchanger responds first with a valid IP subnet and gateway, but with a set of alternative DNS servers that can forward the station to incorrect URLs using preset DNS records, putting virtually any network an infected machine connects to at risk.

But unless a target station and an infected station are connected more directly than they are to the real DHCP server, such as through the same piece of network hardware, with the main DHCP server quite 'far' away in the chain, how does DNSchanger ensure that it beats the real DHCP server to the punch with its response?

The only reason that I'm thinking of this is due to wireless access points; if an infected machine connects to a wireless access point, how does it infect other machines? I would've thought that it would've had difficulty responding to the DHCP request before the gateway, seeing as it's likely that the gateway is the same hardware that's broadcasting the wireless network.

Any help with this one would be appreciated! Thanks!

Delays while checking host availability

One thing that can affect the response from the real DHCP server is host availability checking. It's not uncommon for some systems to do ping checks and other such requests when the DHCP request is received (since you can't really trust the allocation table if someone tosses in a few static IP addresses). The malware, on the other hand, could keep a running table of hosts it sees, or just make up an address (or it may just keep track of a single IP that's available to quickly send out when needed). Not to mention that the real DHCP server probably executes 10x the number of instructions the malware does in building a DHCP reply (with large table lookups, rule matching, etc). My suggestion would be testing your theory to see how easy (or hard) it is to beat the real DHCP server to the punch. My guess is that it's not as hard as you think.

Also, I believe it is possible to update a client's DNS servers between DHCP requests/renews. So, the malware may not even need to beat the reply to the client to interfere.

Hope that helps some, I'm far from an expert in this area.
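Since the thread's point is that a rogue reply can win the race and hand out attacker-chosen DNS servers, the practical defence is to watch what DHCPOFFER/DHCPACK messages on the segment actually carry. The following is an added example (not code from the thread or from any DHCP implementation): it parses the option field of a raw DHCP message and flags offers whose server identifier (option 54) or DNS list (option 6) is not on an allowlist. The trusted addresses and the sample packets built by `build_offer` are constructed placeholders.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 6, 53, 54, 255

def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: raw_bytes} from a raw DHCP message (the UDP payload)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        opts[code] = data  # last occurrence wins, which is how clients generally treat it
        i += 2 + length
    return opts

def ips(raw: bytes) -> list:
    """Decode a list-of-IPv4 option value into dotted strings."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]

def check_offer(packet: bytes, trusted_servers: set, trusted_dns: set) -> list:
    """Findings for an OFFER/ACK; an empty list means the lease came from where we expect."""
    opts = parse_dhcp_options(packet)
    if (opts.get(OPT_MSG_TYPE) or b"\x00")[0] not in (2, 5):  # DHCPOFFER=2, DHCPACK=5
        return []
    findings = []
    server = ips(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in trusted_servers:
        findings.append(f"untrusted server id {server[0] if server else 'missing'}")
    for dns in ips(opts.get(OPT_DNS, b"")):
        if dns not in trusted_dns:
            findings.append(f"unexpected DNS server {dns}")
    return findings

def build_offer(server_ip: str, dns_ips: list, msg_type: int = 2) -> bytes:
    """Constructed sample: zeroed BOOTP header plus only the options under test."""
    body = bytes(236) + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type])
    body += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_ip).packed
    body += bytes([OPT_DNS, 4 * len(dns_ips)]) + b"".join(ipaddress.IPv4Address(d).packed for d in dns_ips)
    return body + bytes([OPT_END])
TRUSTED_SERVERS, TRUSTED_DNS = {"192.0.2.1"}, {"192.0.2.53"}  # placeholder allowlist
```

Feeding real captures (the UDP payload of port 67/68 traffic from a span port) into `check_offer` gives a simple rogue-DHCP alert; the allowlist is the part you fill in from your own network.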