Tuesday, February 07, 2012


How to - Detect and find a host infected with Trojan.Flush.M [Symantec]

Technical Details:

This malware sets up a rogue DHCP server on a network. It races the legitimate DHCP server, trying to answer each client's DHCP request first with a forged DHCP response that carries specific attributes.
You can identify it by looking for other hosts on your network that have the following DNS servers listed:

IP Address: 63.243.173.162
IP Address: 64.86.133.51

Read Ups:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99
http://isc.sans.org/diary.html?storyid=6025&rss
http://www.tek-tips.com/viewthread.cfm?qid=1538656&page=1

Detection:

You can NOT rely on the IP address given in the DHCP response: the rogue server chooses what goes into the DHCP ACK, and in the case we saw it was set to your default gateway. You will need physical access to the network segment that is suspected. Using a machine with Wireshark installed, monitor the wire and force multiple DHCP renew requests. In your pcap file, you should see your DHCP Request followed by multiple DHCP ACKs. Look for a DHCP ACK that is NOT expected; it comes from the suspect machine. (You can confirm this using the source MAC address of that frame.)
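The following is an added example, not part of the original write-up: a small Python script that applies the two checks above (rogue DNS servers from the list, and a DHCP ACK arriving from a source MAC other than your known DHCP server) to raw Ethernet frames. The frames, MAC addresses and 192.0.2.0/24 addresses below are constructed test data; the only real values are the two DNS server addresses named above. The constructed rogue ACK deliberately uses the gateway's IP as its source, which is why the detector keys on the source MAC rather than the IP.

```python
import struct
import ipaddress

# Rogue DNS servers handed out by Trojan.Flush.M (from the write-up above).
ROGUE_DNS = {"63.243.173.162", "64.86.133.51"}
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCP_ACK = 5


def parse_dhcp_options(data):
    """Return {option_code: value_bytes} from a DHCP options blob (after the magic cookie)."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == 0:            # pad
            i += 1
            continue
        if code == 255:          # end
            break
        length = data[i + 1]
        opts[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_frame(frame):
    """Parse Ethernet/IPv4/UDP/DHCP; return None unless it is a DHCP server reply (67 -> 68)."""
    if len(frame) < 14 + 20 + 8 + 240 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:      # not UDP
        return None
    src_ip = str(ipaddress.IPv4Address(frame[14 + 12:14 + 16]))
    udp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    bootp = udp[8:]
    if (sport, dport) != (67, 68) or bootp[0] != 2 or bootp[236:240] != DHCP_MAGIC:
        return None
    opts = parse_dhcp_options(bootp[240:])
    dns_blob = opts.get(6, b"")
    return {
        "src_mac": src_mac,
        "src_ip": src_ip,
        "msg_type": opts.get(53, b"\x00")[0],
        "server_id": str(ipaddress.IPv4Address(opts[54])) if 54 in opts else None,
        "dns": [str(ipaddress.IPv4Address(dns_blob[i:i + 4])) for i in range(0, len(dns_blob), 4)],
    }


def find_rogue_acks(frames, expected_server_macs):
    """Flag DHCP ACKs that come from an unexpected MAC or that push the known rogue DNS servers."""
    findings = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["msg_type"] != DHCP_ACK:
            continue
        reasons = []
        if pkt["src_mac"] not in expected_server_macs:
            reasons.append("ACK from unexpected source MAC")
        bad = sorted(set(pkt["dns"]) & ROGUE_DNS)
        if bad:
            reasons.append("DNS servers match Trojan.Flush.M: " + ", ".join(bad))
        if reasons:
            findings.append({**pkt, "reasons": reasons})
    return findings


def build_dhcp_ack(src_mac, src_ip, dst_mac, your_ip, server_id, dns_servers, xid=0x1234):
    """Construct a raw Ethernet/IPv4/UDP/DHCP ACK frame (test data only, checksums left zero)."""
    pack_ip = lambda a: ipaddress.IPv4Address(a).packed
    opts = bytes([53, 1, DHCP_ACK]) + bytes([54, 4]) + pack_ip(server_id)
    dns = b"".join(pack_ip(d) for d in dns_servers)
    opts += bytes([6, len(dns)]) + dns + b"\xff"
    chaddr = bytes.fromhex(dst_mac.replace(":", "")) + b"\x00" * 10
    bootp = (struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0) + b"\x00" * 4 + pack_ip(your_ip)
             + pack_ip(server_id) + b"\x00" * 4 + chaddr + b"\x00" * 192 + DHCP_MAGIC + opts)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     pack_ip(src_ip), pack_ip(your_ip)) + udp
    return bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip


def sample_frames():
    """Constructed capture: one legitimate ACK, then a rogue ACK spoofing the gateway's IP."""
    client = "00:11:22:33:44:55"
    legit = build_dhcp_ack("aa:bb:cc:00:00:01", "192.0.2.1", client, "192.0.2.100",
                           "192.0.2.1", ["192.0.2.53"])
    rogue = build_dhcp_ack("de:ad:be:ef:00:01", "192.0.2.1", client, "192.0.2.100",
                           "192.0.2.1", sorted(ROGUE_DNS))
    return [legit, rogue]


if __name__ == "__main__":
    for f in find_rogue_acks(sample_frames(), {"aa:bb:cc:00:00:01"}):
        print(f["src_mac"], f["src_ip"], f["dns"], f["reasons"])
```

To use it against a real capture, feed the script the raw link-layer bytes of each frame (for example from a pcap reader) and replace the expected MAC set with that of your own DHCP server; the source MAC of any flagged ACK is the host to go and find on the wire.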

 
