Crazy DHCP Server Rootkit

A quick informal story:

One of my clients has a bunch of employees that are in and out of the office on different days with their laptops. A couple of them always seem to get a little bit o’ spyware. Well, over the past week or so their “server went down” several times randomly and then just started working again. According to them they couldn’t get on the internet, get to shared folders, Exchange server, etc. Totally dead in the water for a little while, then everything would suddenly be fine. I noticed that everyone’s IP settings were wacky and they were getting them from some phantom DHCP server, so I used a packet sniffer (Wireshark) to find where the DHCP packets were coming from. This led me right to a laptop that didn’t look like it had any spyware after a quick check-up. Turns out it had a rootkit that functioned as a stealth DHCP server (!). Anytime that dude was in the office with his laptop plugged in, DHCP services on the real server shut down in deference to the rogue and people would just drop off the network as their leases expired. I ran ComboFix & it found all kinds of B.S. & knocked it out. Cranked up DHCP on the server and everything was back to normal. It is also worth noting that there were no visible indications that a DHCP server was running on that laptop. There were no (visible) rogue services & I couldn’t even find the listening port using netstat.

Anyway, if you run across a network where everything looks right except for the IP settings on the clients… start sniffing & cleaning.  This was a damn effective attack!
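The sniffing step above can be turned into a check that runs over a capture instead of being done by eye: parse each DHCP OFFER/ACK and flag any whose source address or server-identifier option is not on the list of servers that are supposed to exist. The script below is an added example written for this post, not code from the original article; the packets in it are constructed BOOTP/DHCP payloads (no IP/UDP headers) and the addresses 192.168.1.1 (the real server) and 192.168.1.137 (the unexpected host) are made up.

```python
"""Flag DHCP offers that come from a server not on the authorized list.

Added example, not from the original post. SAMPLE_PACKETS are constructed
payloads built with build_dhcp(); the addresses are invented for the demo.
"""
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"      # magic cookie that follows the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
OPT_ROUTER, OPT_MSG_TYPE, OPT_SERVER_ID = 3, 53, 54


def ip_bytes(addr):
    """Dotted-quad string -> 4 network-order bytes (for option values)."""
    return int(ipaddress.IPv4Address(addr)).to_bytes(4, "big")


def build_dhcp(op, xid, yiaddr, siaddr, chaddr, options):
    """Build a BOOTP/DHCP UDP payload. Used only to construct sample data here."""
    header = struct.pack("!BBBBIHHIIII", op, 1, 6, 0, xid, 0, 0x8000, 0,
                         int(ipaddress.IPv4Address(yiaddr)),
                         int(ipaddress.IPv4Address(siaddr)), 0)
    # chaddr (16), sname (64), file (128) bring the fixed header to 236 bytes
    header += chaddr.ljust(16, b"\x00") + b"\x00" * 64 + b"\x00" * 128
    opts = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp(payload):
    """Extract the fields a rogue-server check needs; ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, siaddr, _giaddr) = struct.unpack("!BBBBIHHIIII", payload[:28])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # pad option, no length byte
            i += 1
            continue
        if code == 255:                    # end option
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    mt = options.get(OPT_MSG_TYPE)
    sid = options.get(OPT_SERVER_ID)
    rtr = options.get(OPT_ROUTER)
    return {
        "op": op,
        "xid": xid,
        "type": MSG_TYPES.get(mt[0] if mt else 0, "UNKNOWN"),
        "client_mac": payload[28:28 + hlen].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "server_id": str(ipaddress.IPv4Address(sid)) if sid and len(sid) == 4 else None,
        "router": str(ipaddress.IPv4Address(rtr[:4])) if rtr and len(rtr) >= 4 else None,
    }


def find_rogue_offers(packets, authorized_servers):
    """packets: iterable of (source_ip, dhcp_payload). Returns OFFER/ACK messages
    whose source IP or claimed server identifier is not an authorized server."""
    rogues = []
    for src_ip, payload in packets:
        try:
            msg = parse_dhcp(payload)
        except ValueError:
            continue                       # not DHCP or malformed; not our concern here
        if msg["type"] not in ("OFFER", "ACK"):
            continue
        claimed = msg["server_id"] or src_ip
        # check both: the server-identifier option is attacker-controlled, the source IP less so
        if src_ip not in authorized_servers or claimed not in authorized_servers:
            rogues.append({"src_ip": src_ip, "claimed_server": claimed,
                           "offered": msg["yiaddr"], "router": msg["router"],
                           "to_client": msg["client_mac"]})
    return rogues


# Constructed sample traffic: one DISCOVER, one offer from the real server,
# one offer from an unexpected host that also names itself as the gateway.
AUTHORIZED = {"192.168.1.1"}
CLIENT_MAC = bytes.fromhex("001122334455")
SAMPLE_PACKETS = [
    ("0.0.0.0", build_dhcp(1, 0x1234, "0.0.0.0", "0.0.0.0", CLIENT_MAC,
                           [(OPT_MSG_TYPE, b"\x01")])),
    ("192.168.1.1", build_dhcp(2, 0x1234, "192.168.1.50", "192.168.1.1", CLIENT_MAC,
                               [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, ip_bytes("192.168.1.1")),
                                (OPT_ROUTER, ip_bytes("192.168.1.1"))])),
    ("192.168.1.137", build_dhcp(2, 0x1234, "192.168.1.200", "192.168.1.137", CLIENT_MAC,
                                 [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, ip_bytes("192.168.1.137")),
                                  (OPT_ROUTER, ip_bytes("192.168.1.137"))])),
]

if __name__ == "__main__":
    for hit in find_rogue_offers(SAMPLE_PACKETS, AUTHORIZED):
        print("rogue DHCP server:", hit)
```

On a real capture you would feed `find_rogue_offers` the source IP and UDP payload of every packet to port 68, and in practice also record the source MAC, since that is what leads you to the physical box (as it did in the story) and it is harder to fake than the server-identifier option. The longer-term fix for this class of problem is DHCP snooping on the switches, which only forwards OFFER/ACK packets arriving on ports marked as trusted.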

