[dns-operations] Drive-by Pharming Threat (fwd)

Gadi Evron ge at linuxbox.org
Fri Feb 16 02:02:09 UTC 2007

On Fri, 16 Feb 2007, Fergie wrote:
> Hash: SHA1
> I don't know -- I found this whole "report" somewhat dubious, if
> not downright opportunist: hasn't this "vulnerability" basically
> existed since, like, forever?
> I write it off as marketing opportunism... among other things. :-)

Well duh. Think RSA and a brand new idea they did a PR about - Phishing
MiTM kit (think phishing: user >> fake site >> bank).

Nothing is really new in security, we have seen malware/etc. change the
hosts file for years now, not to mention domain hijacking.

We have also seen wireless brute-forcing/etc./what-not.

The one thing about the folks at SYMC who did this release is that they
actually know their ****. Meaning, someone took these two technology ideas
and made something new from them, which is:
Break into wireless routers and put your DNS server in them for hijacking
purposes. Symantec just reported it to us.

It's cool, it's "new" and it won't be a huge problem quite yet.

I remember a thread from NANOG a couple of years back when I mentioned
Google and all these other national/International wireless providers
better be ready with physical operational folks that will track down rouge
APs, etc. Cop cars with triangulation devices? :)

It was a vulnerability waiting to happen which wasn't exploited, meaning
it didn't get much attention. This is much like the days when bots were
trojan horses as botnets didn't yet exist.

Wireless used to be used for hacking into a network-connected machine, now
it is suddenly used for the sake of it being wireless. Still
network-connected as a goal, but it is no longer just TCP/IP which plays
the game.

GOOD NEWS: these are DNS servers we can take-down. Fun, yet another
escalation war.


> - - ferg
> - -- Gadi Evron <ge at linuxbox.org> wrote:
> - ---------- Forwarded message ----------
> Date: Thu, 15 Feb 2007 13:02:46 -0800
> From: Zulfikar Ramzan <Zulfikar_Ramzan at symantec.com>
> To: bugtraq at securityfocus.com
> Subject: Drive-by Pharming Threat
> We discovered a new potential threat that we term "Drive-by Pharming".  An
> attacker can create a web page containing a simple piece of malicious
> JavaScript code.  When the page is viewed, the code makes a login attempt
> into the user's home broadband router and attempts to change its DNS server
> settings (e.g., to point the user to an attacker-controlled DNS server).  
> Once the user's machine receives the updated DNS settings from the router
> (e.g., after the machine is rebooted) future DNS request are made to and
> resolved by the attacker's DNS server.   
> The main condition for the attack to be successful is that the attacker can
> guess the router password (which can be very easy to do since these home
> routers come with a default password that is uniform, well known, and often
> never changed).  Note that the attack does not require the user to download
> any malicious software - simply viewing a web page with the malicious
> JavaScript code is enough.  
> We've written proof of concept code that can successfully carry out the
> steps of the attack on Linksys, D-Link, and NETGEAR home routers.  If users
> change their home broadband router passwords to something difficult for an
> attacker to guess, they are safe from this threat. 
> Additional details on the attack can be found at: 
> http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby
> _pharming_how_clicking_1.html  
> Thanks,
> Zulfikar Ramzan
> ________________________________________
> Zulfikar Ramzan
> Sr. Principal Security Researcher
> Advanced Threat Research
> Symantec Corporation
> www.symantec.com
> - -----------------------------------------------------
> - -----------------------------------------------------
> This message (including any attachments) is intended only for the use of
> the individual or entity to which it is addressed and may contain
> information that is non-public, proprietary, privileged, confidential, and
> exempt from disclosure under applicable law or may constitute as attorney
> work product. If you are not the intended recipient, you are hereby
> notified that any use, dissemination, distribution, or copying of this
> communication is strictly prohibited. If you have received this
> communication in error, notify us immediately by telephone and (i) destroy
> this message if a facsimile or (ii) delete this message immediately if this
> is an electronic communication. Thank you.
> [snip]
> Version: PGP Desktop 9.5.3 (Build 5003)
> wj8DBQFF1Q1yq1pz9mNUZTMRAs7ZAJ4oCtoThWsAPZ4lm51+VwnIktt63ACg/X9q
> kGttJK1h51EOhqszgef1eCk=
> =yTda
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/

More information about the dns-operations mailing list