Update your browser! Hmm… I

Fake DHCP server sends your requests to cybercrime ring

The online word has become the center of the real world and the impressive number of domains (web addresses) registered since 1985 has surpassed the 200 million mark. More to the point, there are 133,025,573 active Internet domains registered worldwide – an impressive figure that offers you a glimpse of the resources you could visit, if you wanted.

Domain names allow us to represent web addresses (IPs) in a form that is easy to remember and access from your browser. Rather than typing, you can just ask the browser to point you to bitdefender.com. The DNS system will convert your domain name (bitdefender.com) into an IP that can be interpreted by the computer. Succinctly put, the DNS system is similar to a phone directory – you know who you want to call, but you don’t know their number. It is an essential part of the web that has been targeted a lot by cyber-criminals and, if compromised, chaos breaks loose.

As the DNS infrastructure is well defended against attacks, cyber-crooks often try to mess with the local DNS settings. This is the case of the infections with Worm.Rorpian.E that, once it successfully infects a computer on the network, starts acting as a DHCP server (an application that manages the connectivity of the network computers) and tampers with the local DNS servers to resolve all the requests to a rogue IP in Romania.

Once this fake DHCP server (in fact, the infected PC on the network) “convinces” your PC that it should resolve the names you enter in the address bar to the rogue IP in Romania, your legit requests will end up hijacked to a page that looks like that:

Fig1. Fake browser update window


If you give in to the demand and “update your browser”, you’ll get infected with the same Worm.Rorpian.E, and your PC will start acting like a rogue DHCP server for the other clients connected to your network.

Once the user clicks the “browser update” button, a php script fetches the malware from the server and names it as updbrowser[date].exe, where date is the current year, month and day.

Of course, since we’re talking about cybercrime, the infection wasn’t only designed for fun.  Once your PC has been infected with the “browser patch”, the worm starts bringing its friends to the party, cloaked by the infamous TDSS rootkit.

Rorpian also has secondary spreading mechanisms: it “jumps” via network shares, exploits a couple of old, critical vulnerabilities such asthe .LNK (MS10046) and the one in the Windows DNS RPC Interface (MS07-029) to download and execute further malware onto the infected PCs.

What can you do?

If you have noticed this behavior, first and foremost, don’t click the Update browser button. Ask your network administrator to check the source of the rogue DHCP server and isolate the affected computer(s).

If you’ve stumbled upon this article too late, download the TDSS/ TDL4 rootkit removal tool from Malware City (64-bit version of the tool is available here). After you have successfully removed this infection, you should install a security software and run a full system scan to detect and remove other pieces of malware that may have been planted on your PC.

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.