[clug] Drive-By Pharming Attack Could Hit Home Networks
kim at holburn.net
Sat Feb 17 09:38:31 GMT 2007
> Drive-By Pharming Attack Could Hit Home Networks
> 15th February 2007
> By Kevin Murphy
> Security researchers at Symantec Corp and Indiana University have
> figured out a way to compromise home networks using a single line
> The attack, which they have called "drive-by pharming", would
> enable attackers to convincingly pretend to be any web site on the
> internet, making it fairly trivial to repeatedly phish for
> sensitive information, install malware on users' machines, or steal
> "When I tried it out for first time, when I wrote the proof-of-
> concept, I had a moment of internal panic when I saw how easy it
> was to do," said Symantec senior principal researcher Zulfikar
> Ramzan, one of the paper's authors.
> Don't panic yet. There are no bad guys known to be using the
> technique, and making your network completely invulnerable is a
> simple case of setting a strong router password, if you have not
> done so already.
> The attack works because most of the popular home routers ship with
> default passwords, default internal IP address ranges, and web-
> based configuration interfaces.
> router IP address, a default password, and an HTTP query designed
> to reconfigure the router to use the attacker's DNS servers.
> The attacker would have to persuade the user to visit the web page
> containing the attack code. This could be done with spammed links,
> or by inserting it into a page on a compromised web server on a
> popular site.
> Once the victim's router was configured to use a bad DNS server,
> the attacker could redirect any internet domain to the server of
> his choosing whenever he felt like it, without ever having to touch
> the victim's network.
> The attacker could, for example, redirect paypal.com to his own
> phishing server in order to steal money, or bounce
> windowsupdate.com to his own malware distribution site to try to
> create a botnet.
> While users are becoming increasingly savvy to the tell-tale signs
> of phishing attacks, this new pharming attack would confuse matters
> further by showing an actual domain in the browser address bar,
> implying that the user really is where they think they are.
> Previous pharming techniques have involved altering the Hosts file
> on a victim's computer (in which case, you've already got access to
> their machine so you may as well install something more
> interesting) or breaking into DNS servers at ISPs, which is not easy.
> This new attack is much easier. Ramzan said he's verified it works
> on routers from D-Link, Netgear and Linksys, three of the major
> brands, which generally ship with default username/password
> The Indiana researchers informally estimated that about 50% of home
> network users have not changed the default administrator username
> and password on their routers.
IT Network & Security Consultant
Ph: +39 06 855 4294 M: +39 3342707610
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
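The mechanism the article describes, modelled offline as an added example (not code from the article, the Symantec/Indiana paper, or any router vendor): a stub home router whose web interface accepts an authenticated GET to change its DNS server, the cross-site request a booby-trapped page triggers by pointing an `<img>` at the router with the default credentials in the URL, and a hardened handler beside it. The router address, the `/setdns` path, the `dns` parameter, the credentials and all IP addresses are assumptions for the stub; real firmware differs.

```python
"""Drive-by pharming modelled offline: a vulnerable stub router, the
cross-site request a malicious page triggers, and a hardened handler.
Added example; router, URLs, parameters and addresses are hypothetical."""
import base64
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed defaults for the stub router (not any real vendor's values).
DEFAULT_IP = "192.168.1.1"
DEFAULT_USER, DEFAULT_PASS = "admin", "admin"
ISP_DNS = "192.0.2.53"          # stands in for the ISP's resolver
ATTACKER_DNS = "198.51.100.66"  # stands in for the attacker's resolver


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Router:
    user: str = DEFAULT_USER
    password: str = DEFAULT_PASS
    dns: str = ISP_DNS
    hardened: bool = False
    sessions: dict = field(default_factory=dict)  # session id -> CSRF token

    def _auth_ok(self, req):
        auth = req.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        return (user, pw) == (self.user, self.password)

    def login(self):
        """Interactive login: issues a session id and a per-session CSRF token."""
        sid, token = secrets.token_hex(8), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def handle(self, req):
        parts = urlsplit(req.url)
        if parts.hostname != DEFAULT_IP or parts.path != "/setdns":
            return 404
        if not self._auth_ok(req):
            return 401
        if not self.hardened:
            # Vulnerable behaviour: any authenticated GET reconfigures DNS,
            # so a request the browser makes on an attacker's behalf succeeds.
            new = parse_qs(parts.query).get("dns", [None])[0]
            if new:
                self.dns = new
            return 200
        # Hardened: state changes only via POST carrying the session's CSRF
        # token, and never while the factory-default password is still set.
        if req.method != "POST" or (self.user, self.password) == (DEFAULT_USER, DEFAULT_PASS):
            return 403
        sid = req.headers.get("Cookie", "").removeprefix("sid=")
        expected = self.sessions.get(sid, "\0")
        if not secrets.compare_digest(req.form.get("csrf", ""), expected):
            return 403
        self.dns = req.form["dns"]
        return 200


# Constructed attack page: a 1x1 image whose URL names the router by its
# default address and carries the default credentials (an assumption about
# how the proof of concept reached the router; the article gives no detail).
DRIVE_BY_HTML = (f'<img src="http://{DEFAULT_USER}:{DEFAULT_PASS}@{DEFAULT_IP}'
                 f'/setdns?dns={ATTACKER_DNS}" width="1" height="1">')


def img_src(html):
    return html.split('src="', 1)[1].split('"', 1)[0]


def browser_follows(router, src):
    """Model the browser loading <img src=...>: a GET to the router, with any
    user:pass in the URL sent as HTTP Basic auth, no cookie, no CSRF token."""
    p = urlsplit(src)
    headers = {}
    if p.username is not None:
        cred = f"{p.username}:{p.password or ''}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    clean = p._replace(netloc=p.hostname).geturl()  # strip userinfo
    return router.handle(Request("GET", clean, headers))


def drive_by(router):
    """What happens when the victim's browser renders the attack page."""
    return browser_follows(router, img_src(DRIVE_BY_HTML))


def legitimate_change(router, new_dns):
    """The owner changing DNS through the hardened flow: login, then POST."""
    sid, token = router.login()
    creds = base64.b64encode(f"{router.user}:{router.password}".encode()).decode()
    return router.handle(Request("POST", f"http://{DEFAULT_IP}/setdns",
                                 {"Authorization": "Basic " + creds, "Cookie": f"sid={sid}"},
                                 {"csrf": token, "dns": new_dns}))


if __name__ == "__main__":
    for label, r in [("default password", Router()),
                     ("strong password", Router(password="C0rrect-h0rse")),
                     ("hardened firmware", Router(hardened=True))]:
        status = drive_by(r)
        print(f"{label:18} drive-by -> HTTP {status}, DNS now {r.dns}")
```

The first case is the article's scenario: with the default password the single request rewrites the router's DNS and the attacker never has to touch the network again. The second shows the article's one-line fix (a non-default password makes the embedded credentials fail). The third shows what the router itself can do about it: tying state changes to a POST with a per-session token means the attacker's page, which cannot read the token, gets a 403 even when the password is still the default.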