Recently, users on many business networks have found that they suddenly cannot access any website. Instead, they see a request to update their browser.
On clicking “Browser update”, a “program” is downloaded that is supposed to “update” the user’s browser.
This program is in fact a virus.
LANs with this problem all have at least one computer infected with W32.Gatpaz.Worm. This virus imitates a DHCP server and sends configuration information to clients that replaces their DNS server address with the address of the hacker’s server. When the affected computers then attempt to connect to the Internet, users are redirected to phishing websites crafted by the hacker.
Only LANs that use a DHCP server for dynamic IP address assignment are affected.
In this IP address assignment model, each LAN is equipped with one DHCP server that is in charge of managing and assigning IP addresses to its clients. When a client needs an IP address to connect to the Internet, it broadcasts a DHCPDISCOVER message across the network. Upon receiving the message, the DHCP server processes it and allocates an IP address to the client. Because the request is broadcast, any host on the network can answer it, and this is what the hacker exploits to run a fake DHCP server once Gatpaz has been installed on any client of the network. Besides allocating an IP address to the client, the fake DHCP server changes the client’s DNS server to the hacker’s one. The hacker then gains total control over which websites users reach.
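The rogue-offer problem described above can be detected on the wire: a DHCP offer carries the identity of the server that sent it (option 54) and the DNS servers it hands out (option 6), so offers from a server other than the LAN’s legitimate one, or offers that point clients at an unexpected DNS server, stand out. The following is an added illustration, not code from Bkav or from the analyst; it builds a few constructed DHCPOFFER packets (the addresses 192.168.1.x and 203.0.113.5 are made-up sample values), parses the fixed header and option fields, and flags offers that do not match the trusted server and DNS list.

```python
import ipaddress
import struct

# DHCP constants (RFC 2131 / RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_DNS = 6          # domain name server list
OPT_MSG_TYPE = 53    # DHCP message type
OPT_SERVER_ID = 54   # server identifier
DHCPOFFER = 2
HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed header


def build_offer(xid, yiaddr, server_id, dns_servers):
    """Build a minimal DHCPOFFER. Constructed sample data, not a real capture."""
    sid = ipaddress.ip_address(server_id).packed
    hdr = struct.pack(HDR_FMT, 2, 1, 6, 0, xid, 0, 0,
                      b"\0" * 4, ipaddress.ip_address(yiaddr).packed,
                      sid, b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + sid
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    return hdr + MAGIC_COOKIE + opts + b"\xff"  # option 255 ends the list


def parse_dhcp(pkt):
    """Parse the fixed header and the TLV option area of a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(HDR_FMT, pkt[:236])
    msg = {"op": fields[0], "xid": fields[4],
           "yiaddr": str(ipaddress.ip_address(fields[8])), "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:          # end option
            break
        if code == 0:            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            raise ValueError("truncated option header")
        length = pkt[i + 1]
        data = pkt[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        msg["options"][code] = data
        i += 2 + length
    return msg


def ip_list(data):
    """Decode a run of 4-byte IPv4 addresses, ignoring any trailing partial bytes."""
    return [str(ipaddress.ip_address(data[i:i + 4]))
            for i in range(0, len(data) - len(data) % 4, 4)]


def audit_offers(packets, trusted_servers, expected_dns):
    """Return one finding per DHCPOFFER that comes from an unknown server
    or advertises a DNS server outside the expected set."""
    findings = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        opts = msg["options"]
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
            continue
        servers = ip_list(opts.get(OPT_SERVER_ID, b""))
        server = servers[0] if servers else None
        dns = ip_list(opts.get(OPT_DNS, b""))
        reasons = []
        if server not in trusted_servers:
            reasons.append("offer from unknown DHCP server %s" % server)
        bad_dns = [d for d in dns if d not in expected_dns]
        if bad_dns:
            reasons.append("unexpected DNS servers %s" % bad_dns)
        if reasons:
            findings.append({"xid": msg["xid"], "server": server,
                             "dns": dns, "reasons": reasons})
    return findings


# Constructed sample traffic: the legitimate server answers, and so does a
# rogue server on an infected client that points the victim at an outside DNS.
TRUSTED_DHCP = {"192.168.1.1"}
EXPECTED_DNS = {"192.168.1.1"}
SAMPLE_OFFERS = [
    build_offer(0x1234, "192.168.1.50", "192.168.1.1", ["192.168.1.1"]),
    build_offer(0x1234, "192.168.1.50", "192.168.1.77", ["203.0.113.5"]),
]


def run_demo():
    return audit_offers(SAMPLE_OFFERS, TRUSTED_DHCP, EXPECTED_DNS)


if __name__ == "__main__":
    for f in run_demo():
        print("xid=0x%x server=%s dns=%s: %s"
              % (f["xid"], f["server"], f["dns"], "; ".join(f["reasons"])))
```

In practice the packets would come from a capture of UDP port 67/68 traffic on the affected segment rather than from the constructed list; the same two checks (which server answered, and which DNS it handed out) are also what a client-side review of a workstation’s DHCP lease tells you. On managed switches, DHCP snooping, which only forwards server-to-client DHCP messages from designated trusted ports, stops an infected client from answering DHCPDISCOVER broadcasts at all.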
To put a stop to viruses disrupting business networks in this way, Bkav recommends deploying a comprehensive enterprise antivirus solution.
Analyst: Ngo Anh Huy - Bkav R&D