According to my colleague at Symantec, Drive-By Pharming has been spotted in the wild.
Maybe this indicates that attackers read academic papers?
I presented our paper (finally) in China last December. It was pretty fun...
Tuesday, January 22, 2008
Friday, February 16, 2007
drive-by pharming
If you have not set a hard-to-guess password on your broadband router, do it now. There's a way attackers can compromise your router from the inside using simple JavaScript.
The basic idea is this: you visit a malicious website and it distracts you. While you're distracted (playing a game, reading news, etc), it runs JavaScript code to scan your internal network and identify the IP address of your router. Once discovered, the malicious script can send "reconfiguration requests" to the router to attempt setting the DNS server your network uses. If successful, all DNS queries can be directed through an attacker's server, thus Pharming you. For technical details, please see our tech report, but in brief this attack is not complex.
The solution: make your router's admin password hard to guess.
I recently developed this with Zulfikar Ramzan from Symantec, who forwarded to my advisor (Markus) an interesting Black Hat talk by Jeremiah Grossman. Markus in turn forwarded to me and that's when it struck me that we could similarly mount a pharming attack without playing man-in-the-middle - all it takes is a tweak of the router's DNS server setting, and a whole home network is pharmed. Coupled with the idea that roughly 50% of broadband routers still use the default password, this attack affects a whole lot of people.
Symantec PR picked up on what we did, and issued a press release today:
(Symantec Press Release)
Read More:
(Zully's Blog Post)
(Tech Report)
Select Media Coverage:
(Google aggregate)
(Info World -- IDG article)
(Forbes)
(Appscout)
(BroadbandReports.com -- amusing comments thread)
(Washington Post Blog)
(Red Herring)
(Computer World)
Update (16-Feb-07 9:30am ET): The story got picked up by Forbes and the Washington Post, and the Google News index on "Drive-by Pharming" is roughly fifty-something.
My Favorite Headlines:
Researchers highlight a router route to pharming
New Drive-By Attack Taking Over Home Routers
Broadband routers welcome drive-by hackers
Change Your Router Password NOW!
Update (16-Feb-07 10:30am ET): Slashdot picked it up.