Malicious DHCP Server Exploit
There have been a number of reported incidents on campus of Windows OS computers running DHCP servers as a result of malware compromise. There appears to be more than one exploit responsible and antivirus software may not be detecting all of the variants. This type of exploit is not new but it can result in denial of service and private information capture. DHCP service detection can only be done on the local subnet and the following information describes how to do so.
No name available yet - similar to the Zlob trojan. The installed exploit runs a DHCP server which provides DNS server configuration pointing to eastern European locations.
The following utilities can be used to detect active DHCP servers on a subnet. Once the legitimate servers are parsed from the list of MAC addresses, the remaining vales can be matched with ARP and bridge table data to locate compromised computers.
dhcploc: A Windows utility available here.
dhcp_probe: UNIX utility at: http://www.net.princeton.edu/software/dhcp_probe/