[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)

Paul Vixie paul at vix.com
Tue Jan 22 19:07:03 UTC 2008

in <http://www.news.com/8301-10789_3-9855195-57.html> we see:

January 22, 2008 10:19 AM PST
Drive-by pharming attack hits home
Posted by Robert Vamosi 

Whenever you type an address into an Internet browser, that address is
instantly resolved into the site's numerical Internet address by a DNS server
located somewhere in the world. On Tuesday, Symantec announced that online
criminals have started to remotely redirect your home network router's DNS
server so that whenever you type in a financial institution or other trusted
site, your browser will instead be redirected to a bogus or phishing Web

The practice, called pharming, usually attacks the DNS servers directly, but
this latest attack brings it all home (if you are using broadband
connectivity). Fortunately, the routers and institutions affected by this
current attack are limited to one country, Mexico, but Symantec warns that
word of this real-world attack could bring similar attacks elsewhere. 

Last year, researchers at Symantec and the University of Indiana reported
that remotely changing a home router's DNS server was theoretically
possible. The theoretical attack used Javascript on a specially crafted Web
page, and affected only wireless routers. The attack in use today uses e-mail,
and it can affect non-wireless routers as well. 

According to a blog by Zulfikar Ramzan, a researcher at Symantec, "the
attackers embedded the malicious code inside an e-mail that claimed it had an
e-card waiting for you at the Web site gusanito.com. Unfortunately the e-mail
also contained an HTML IMG tag that resulted in an HTTP GET request being made
to a router (the make of which is a popular router model in Mexico). The GET
request modified the router's DNS settings so that the URL for a popular
Mexico-based banking site (as well as other related domains) would be mapped
to an attacker's Web site." 

The best way to prevent becoming a victim is to change your network router's
default password. Default router passwords are not a secret and are available
on the Internet, so if you haven't ever changed your network router's
password, now is a good time. Symantec's Ramzan further recommends performing
a hard reset of your router first, just in case you are already compromised. 

If choosing a router password intimidates you, Ramzan also points out that if
you ever do forget your new password, you can always do a hard reset on the
box in the future (something a remote hacker can't do) and choose a new
password later. 

