[clug] Drive-By Pharming Attack Could Hit Home Networks

Kim Holburn kim at holburn.net
Sat Feb 17 09:38:31 GMT 2007

> Drive-By Pharming Attack Could Hit Home Networks
> 15th February 2007
> By Kevin Murphy
> Security researchers at Symantec Corp and Indiana University have  
> figured out a way to compromise home networks using a single line  
> of JavaScript in a web page.
> The attack, which they have called "drive-by pharming", would  
> enable attackers to convincingly pretend to be any web site on the  
> internet, making it fairly trivial to repeatedly phish for  
> sensitive information, install malware on users' machines, or steal  
> email.
> "When I tried it out for first time, when I wrote the  
> proof-of-concept, I had a moment of internal panic when I saw how easy it  
> was to do," said Symantec senior principal researcher Zulfikar  
> Ramzan, and one of the paper's authors.
> Don't panic yet. There are no bad guys known to be using the  
> technique, and making your network completely invulnerable is a  
> simple case of setting a strong router password, if you have not  
> done so already.
> The attack works because most of the popular home routers ship with  
> default passwords, default internal IP address ranges, and  
> web-based configuration interfaces.
> The exploit is a single line of JavaScript loaded with a default  
> router IP address, a default password, and an HTTP query designed  
> to reconfigure the router to use the attacker's DNS servers.
> The attacker would have to persuade the user to visit the web page  
> containing the attack code. This could be done with spammed links,  
> or by inserting it into a page on a compromised web server on a  
> popular site.
> Once the victim's router was configured to use a bad DNS server,  
> the attacker could redirect any internet domain to the server of  
> his choosing whenever he felt like it, without ever having to touch  
> the victim's network.
> The attacker could, for example, redirect paypal.com to his own  
> phishing server in order to steal money, or bounce  
> windowsupdate.com to his own malware distribution site to try to  
> create a botnet.
> While users are becoming increasingly savvy to the tell-tale signs  
> of phishing attacks, this new pharming attack would confuse matters  
> further by showing an actual domain in the browser address bar,  
> implying that the user really is where they think they are.


> Previous pharming techniques have involved altering the Hosts file  
> on a victim's computer (in which case, you've already got access to  
> their machine so you may as well install something more  
> interesting) or breaking into DNS servers at ISPs, which is not easy.
> This new attack is much easier. Ramzan said he's verified it works  
> on routers from D-Link, Netgear and Linksys, three of the major  
> brands, which generally ship with default username/password  
> combinations.
> The Indiana researchers informally estimated that about 50% of home  
> network users have not changed the default administrator username  
> and password on their routers.

Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3342707610
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
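
A defender-side check for the pattern the quoted article describes, as an added example that is not part of the original post or the researchers' paper: given a page URL and the resource URLs that page references, it flags requests from a public page to private IPv4 addresses. Carrying the password in the URL's userinfo part is an assumption, and all sample URLs are constructed.

```javascript
// Added example (not from the original post). Sample URLs are constructed.
const PRIVATE_V4 = [            // RFC 1918, loopback and link-local ranges
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["127.0.0.0", 8], ["169.254.0.0", 16],
];

function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function isPrivateHost(host) {
  if (host === "localhost") return true;
  const ip = ipv4ToInt(host);
  if (ip === null) return false; // other hostnames need DNS resolution: out of scope here
  return PRIVATE_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((ip & mask) >>> 0) === ipv4ToInt(base);
  });
}

// Returns one finding per http(s) resource that a public page aims at a private address.
function findPrivateTargets(pageUrl, resourceUrls) {
  const page = new URL(pageUrl);
  if (isPrivateHost(page.hostname)) return []; // local admin pages may reference local hosts
  const findings = [];
  for (const raw of resourceUrls) {
    let u;
    try { u = new URL(raw, page); } catch { continue; } // skip unparsable references
    if (!/^https?:$/.test(u.protocol) || !isPrivateHost(u.hostname)) continue;
    findings.push({
      host: u.hostname,
      hasCredentials: u.username !== "" || u.password !== "", // never echo the secret itself
      hasQuery: u.search !== "",
    });
  }
  return findings;
}

const SAMPLE_PAGE = "http://news.example/article.html";
const SAMPLE_RESOURCES = [
  "/img/logo.png",
  "http://cdn.example/lib.js",
  "http://user:pass@192.168.1.1/placeholder?setting=value",
  "http://10.0.0.138/",
];
console.log(findPrivateTargets(SAMPLE_PAGE, SAMPLE_RESOURCES));
```

A finding with `hasCredentials` set deserves the closest look, since an ordinary web page has no reason to send a login to a device on the reader's LAN.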
