Rorpian on the Campus Network
Detecting Rorpian Worm on the Campus Network
For our University customers this is a pretty busy time of year: after spending the summer rolling out new network infrastructure they are now welcoming students back for the new semester. Students normally come back with laptops and other mobile devices which are populated with photos from the summer, but they will also have picked up a variety of malware. Most University network teams are overstretched and also have to deal with two problems which are somewhat unique to them:
- They have very little control over the devices that appear on their networks.
- The ratio between the number of devices on their networks and tech support staff is high and rising rapidly.
One piece of malware that we're seeing is called Win32.Rorpian; it spreads via two mechanisms:
- via the LAN
- via removable media
For this blog post we're more interested in how it spreads via the LAN. On an infected system the malware checks to see if a DHCP server is in use; if there is one, it starts a DHCP server on the infected system giving out addresses in the same range as the legitimate server. When a system arrives on the network requesting a DHCP address, the malicious server tries to respond before the legitimate one does. The malicious DHCP reply contains the details of a malicious DNS server, so henceforth any web request made by the system is redirected to an IP address hosting a page asking the user to update their browser, like the following.
The user cannot visit any other page until they click the "Browser update" button and run the software that is downloaded. When the user clicks this button an executable is downloaded onto their system, and if the file isn't flagged by the local antivirus engine a copy of the malware is installed on the system.
At the network layer malware like this can be prevented from spreading by doing the following:
- Use ACLs to prevent any communication with DNS servers other than your legitimate servers; if you can't do this, put in place a compensating control so that you're monitoring your traffic for the DNS servers in use.
- Configure DHCP snooping on your switches to ensure that only authorized DHCP servers are accessible on the network; if you can't do this, ensure that you're monitoring your traffic so that you're alerted when a new DHCP server appears on the network.
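As an added example (not code from the original post), the monitoring control above in its simplest form: a Python check that parses the options of a DHCP OFFER/ACK and alerts when the server identifier (option 54) or the DNS servers handed out (option 6) are not on an allow-list. The allow-list addresses and the sample offers are hypothetical values constructed here, not addresses from the post.

```python
from ipaddress import IPv4Address

# Hypothetical allow-lists for the campus; the post names no addresses.
AUTHORIZED_DHCP_SERVERS = {"10.0.0.1"}
AUTHORIZED_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)


def parse_dhcp_options(payload: bytes) -> dict:
    """Parse the option section of a raw DHCP message into {code: raw_value}.
    Skips PAD (0) and stops at END (255)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                      # PAD: single byte, no length
            i += 1
            continue
        if code == 255:                    # END of options
            break
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def ip_list(raw: bytes) -> list:
    """Decode an option value holding one or more IPv4 addresses."""
    return [str(IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - len(raw) % 4, 4)]


def check_offer(payload: bytes) -> list:
    """Return alert strings for a server reply; empty list if it looks legitimate."""
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in (2, 5):             # only OFFER (2) and ACK (5) come from servers
        return []
    alerts = []
    for server in ip_list(opts.get(54, b"")):
        if server not in AUTHORIZED_DHCP_SERVERS:
            alerts.append(f"rogue DHCP server identifier {server}")
    for dns in ip_list(opts.get(6, b"")):
        if dns not in AUTHORIZED_DNS_SERVERS:
            alerts.append(f"unauthorized DNS server {dns} offered")
    return alerts


def build_offer(server_id: str, dns: list) -> bytes:
    """Construct a minimal DHCPOFFER for testing (constructed sample, not a capture)."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232           # op=BOOTREPLY, rest zeroed
    options = b"\x35\x01\x02"                               # option 53: DHCPOFFER
    options += b"\x36\x04" + IPv4Address(server_id).packed  # option 54: server identifier
    options += b"\x06" + bytes([4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns)
    return header + MAGIC_COOKIE + options + b"\xff"
```

In practice the payloads would come from a capture filter on UDP port 67/68 at a span port; `check_offer(build_offer("10.0.0.77", ["203.0.113.9"]))` shows the alerts a rogue server handing out an outside DNS address would raise.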
Win32.Rorpian is part of a new breed of worms which are becoming more sophisticated in response to greater information security awareness. If you need any assistance in monitoring your campus LAN please contact firstname.lastname@example.org