{
	"id": "48513b24-5e07-4553-a07c-2313b137ae81",
	"created_at": "2026-04-06T00:13:50.750951Z",
	"updated_at": "2026-04-10T03:21:21.841015Z",
	"deleted_at": null,
	"sha1_hash": "16b6c67e18bfcc024f679772ea1f54633225d111",
	"title": "new rogue-DHCP server malware - SANS Internet Storm Center",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 31073,
	"plain_text": "new rogue-DHCP server malware - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 13:32:13 UTC\r\nThanks to Irwin for alerting us about a new version of rogue DHCP server malware he found in his network. The malware appears to be similar to Trojan.Flush.M, which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address.\r\nIrwin did a good job comparing the two versions. Here is his summary of the differences:\r\nThe new version sets the DHCP lease time to 1 hour.\r\nIt sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client.\r\nIt does not specify a DNS Domain Name.\r\nThe options field does not contain an END option followed by PAD options.\r\nUnlike Trojan.Flush.M, the BootP Broadcast Bit is set.\r\nThe malicious DNS servers are 64.86.133.51 and 63.243.173.162.\r\nRecommendation:\r\nMonitor connections to DNS servers other than the approved ones pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses listed above, but it will likely do little good.\r\n------\r\nJohannes B. Ullrich, Ph.D.\r\nSANS Technology Institute\r\nSource: https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/new+rogueDHCP+server+malware/6025/"
	],
	"report_names": [
		"6025"
	],
	"threat_actors": [],
	"ts_created_at": 1775434430,
	"ts_updated_at": 1775791281,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/16b6c67e18bfcc024f679772ea1f54633225d111.pdf",
		"text": "https://archive.orkl.eu/16b6c67e18bfcc024f679772ea1f54633225d111.txt",
		"img": "https://archive.orkl.eu/16b6c67e18bfcc024f679772ea1f54633225d111.jpg"
	}
}
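The diary describes the rogue DHCP OFFER by its wire-level traits (1 hour lease, broadcast destination MAC, no domain-name option, BOOTP broadcast bit, the two DNS server addresses) and recommends watching for DNS traffic to servers your own DHCP never handed out. The following Python is an added example, not code from the ISC diary or from Irwin; it parses a DHCP message, scores an OFFER against those traits, and applies the recommendation to flow records. The "approved" DHCP and DNS addresses (192.168.1.1), the client address 192.168.1.50, the server address 192.168.1.77 and the flow records are assumptions constructed for the example; only the two malicious DNS addresses come from the diary.

```python
"""Rogue DHCP offer fingerprinting and unapproved DNS egress check (added example)."""
import struct
from ipaddress import IPv4Address

# Indicators from the ISC diary. The "approved" addresses are assumptions
# standing in for whatever your own DHCP server hands out.
APPROVED_DHCP_SERVERS = {IPv4Address("192.168.1.1")}
APPROVED_DNS = {IPv4Address("192.168.1.1")}
KNOWN_BAD_DNS = {IPv4Address("64.86.133.51"), IPv4Address("63.243.173.162")}

OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 0, 6, 15, 51, 53, 54, 255
DHCP_OFFER = 2
BOOTP_BROADCAST = 0x8000          # high bit of the BOOTP flags field
MAGIC = b"\x63\x82\x53\x63"       # DHCP magic cookie at offset 236


def parse_dhcp(payload: bytes) -> dict:
    """Parse the BOOTP fixed header and the TLV option list of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr, siaddr = IPv4Address(payload[16:20]), IPv4Address(payload[20:24])
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:          # PAD has no length byte
            i += 1
            continue
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "flags": flags, "yiaddr": yiaddr, "siaddr": siaddr, "options": opts}


def _ips(raw: bytes) -> set:
    """Split a 4n-byte option value into IPv4 addresses."""
    return {IPv4Address(raw[i:i + 4]) for i in range(0, len(raw) - 3, 4)}


def rogue_offer_indicators(dst_mac: bytes, src_ip: str, payload: bytes) -> list:
    """Reasons a DHCP OFFER matches the rogue server described in the diary.
    The server/DNS checks are decisive; the lease, domain, broadcast-bit and
    broadcast-MAC checks are fingerprint hints a legitimate server can also show."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    if opts.get(OPT_MSGTYPE) != bytes([DHCP_OFFER]):
        return []
    reasons = []
    if IPv4Address(src_ip) not in APPROVED_DHCP_SERVERS:
        reasons.append(f"offer from unapproved DHCP server {src_ip}")
    dns = _ips(opts.get(OPT_DNS, b""))
    if dns - APPROVED_DNS:
        reasons.append("pushes unapproved DNS servers " + ", ".join(sorted(map(str, dns - APPROVED_DNS))))
    if dns & KNOWN_BAD_DNS:
        reasons.append("DNS server matches known-bad indicator")
    if OPT_LEASE in opts and struct.unpack("!I", opts[OPT_LEASE])[0] == 3600:
        reasons.append("1 hour lease")
    if OPT_DOMAIN not in opts:
        reasons.append("no DNS domain name option")
    if msg["flags"] & BOOTP_BROADCAST:
        reasons.append("BOOTP broadcast bit set")
    if dst_mac == b"\xff" * 6:
        reasons.append("sent to broadcast MAC")
    return reasons


def unapproved_dns_egress(flows: list) -> list:
    """The diary's recommendation: flag (src, dst, dport) flows to DNS servers your DHCP did not push."""
    hits = []
    for src, dst, dport in flows:
        if dport == 53 and IPv4Address(dst) not in APPROVED_DNS:
            hits.append((src, dst, "known-bad" if IPv4Address(dst) in KNOWN_BAD_DNS else "unapproved"))
    return hits


def build_offer(server: str, dns: list, lease: int, broadcast: bool, domain: str = "") -> bytes:
    """Construct a DHCP OFFER as sample input (built here, not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, BOOTP_BROADCAST if broadcast else 0)
    hdr += IPv4Address("0.0.0.0").packed + IPv4Address("192.168.1.50").packed   # ciaddr, yiaddr
    hdr += IPv4Address(server).packed + IPv4Address("0.0.0.0").packed           # siaddr, giaddr
    hdr += b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10                            # chaddr (16 bytes)
    hdr += b"\x00" * 192                                                         # sname + file
    opts = bytes([OPT_MSGTYPE, 1, DHCP_OFFER, OPT_SERVER_ID, 4]) + IPv4Address(server).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    opts += bytes([OPT_DNS, 4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns)
    if domain:
        opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode()
    return hdr + MAGIC + opts + bytes([OPT_END])


# Constructed samples: one offer shaped like the diary's observations, one legitimate one.
ROGUE_OFFER = build_offer("192.168.1.77", ["64.86.133.51", "63.243.173.162"], 3600, True)
LEGIT_OFFER = build_offer("192.168.1.1", ["192.168.1.1"], 86400, False, "corp.example")
SAMPLE_FLOWS = [("192.168.1.50", "192.168.1.1", 53), ("192.168.1.50", "64.86.133.51", 53),
                ("192.168.1.51", "8.8.8.8", 53), ("192.168.1.51", "192.168.1.1", 443)]

if __name__ == "__main__":
    print(rogue_offer_indicators(b"\xff" * 6, "192.168.1.77", ROGUE_OFFER))
    print(rogue_offer_indicators(b"\x00\x11\x22\x33\x44\x55", "192.168.1.1", LEGIT_OFFER))
    print(unapproved_dns_egress(SAMPLE_FLOWS))
```

In practice the OFFER checks run on a capture or a DHCP-snooping mirror of the client VLAN, while the flow check runs on NetFlow or firewall logs; the flow check is the one the diary says will catch this family regardless of which addresses the next variant uses, since blocking the two listed addresses alone "will likely do little good".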