[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)

Peter Dambier peter at peter-dambier.de
Tue Jan 22 19:53:56 UTC 2008

For me the best solution is:

Forget your router as resolver.

There are cheap boxes around that do not have a resolver at all but simply
repeat your ISP's resolvers via DHCP answer.

Others have some doubtful resolver, rarely a bind, never an up-to-date one.

Almost everybody with a decent operating system can have either djbdns or
bind on his laptop. The Windows people can at least have an almost up-to-date

Support farming. Have some crackers for breakfast.

I guess there is mostly nothing a remote hacker cannot do.

They even flushed the flash of my router. Oh, yes, I have changed
the password and I unplugged the DSL cable when I saw what
happened. I guess they would not have flushed but flashed my router.

So it was me who had to do it finally :)

When I tell you that while the attack lasted I could not use my phone,
you probably know who the hackers were.

There is no connection between my ISDN phone and my DSL router
except for the splitter. I have no computer connected to the ISDN.

Peter and Karin

Paul Vixie wrote:
> in <http://www.news.com/8301-10789_3-9855195-57.html> we see:
> January 22, 2008 10:19 AM PST
> Drive-by pharming attack hits home
> Posted by Robert Vamosi 
> Whenever you type an address into an Internet browser, that address is
> instantly resolved into the site's numerical Internet address by a DNS server
> located somewhere in the world. On Tuesday, Symantec announced that online
> criminals have started to remotely redirect your home network router's DNS
> server so that whenever you type in a financial institution or other trusted
> site, your browser will instead be redirected to a bogus or phishing Web
> site. 
> The practice, called pharming, usually attacks the DNS servers directly, but
> this latest attack brings it all home (if you are using broadband
> connectivity). Fortunately, the routers and institutions affected by this
> current attack are limited to one country, Mexico, but Symantec warns that
> word of this real-world attack could bring similar attacks elsewhere. 
> Last year, researchers at Symantec and the University of Indiana reported
> that remotely changing a home router's DNS server was theoretically
> possible. The theoretical attack used Javascript on a specially crafted Web
> page, and affected only wireless routers. The attack in use today uses e-mail,
> and it can affect non-wireless routers as well. 
> According to a blog by Zulfikar Ramzan, a researcher at Symantec, "the
> attackers embedded the malicious code inside an e-mail that claimed it had an
> e-card waiting for you at the Web site gusanito.com. Unfortunately the e-mail
> also contained an HTML IMG tag that resulted in an HTTP GET request being made
> to a router (the make of which is a popular router model in Mexico). The GET
> request modified the router's DNS settings so that the URL for a popular
> Mexico-based banking site (as well as other related domains) would be mapped
> to an attacker's Web site." 
> The best way to prevent becoming a victim is to change your network router's
> default password. Default router passwords are not a secret and are available
> on the Internet, so if you haven't ever changed your network router's
> password, now is a good time. Symantec's Ramzan further recommends performing
> a hard reset of your router first, just in case you are already compromised. 
> If choosing a router password intimidates you, Ramzan also points out that if
> you ever do forget your new password, you can always do a hard reset on the
> box in the future (something a remote hacker can't do) and choose a new
> password later. 

Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
D-69509 Moerlenbach-Bonsweiher
+49(6209)795-816 (Telekom)
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
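The lure described in the quoted article (an HTML IMG tag that makes the mail client issue a GET to the router's LAN address) can be screened for on the receiving side. The following is an added example, not code from the list post or from Symantec; the sample e-mail and the router path in it are constructed.

```python
"""Flag HTML e-mail bodies whose <img> tags fetch from LAN addresses.

Drive-by pharming relies on the mail client rendering <img src="..."> by
itself: an IMG pointing at the router's private address makes the victim's
browser issue that GET from inside the LAN. Legitimate mail loads images
from public hosts, so an IMG host that is a private, loopback or link-local
IP literal is a strong indicator worth stripping or quarantining.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML document."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)

def is_lan_target(url):
    """True if the URL host is a literal private, loopback or link-local IP."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here; only IP literals count
    return addr.is_private or addr.is_loopback or addr.is_link_local

def suspicious_image_urls(html):
    """Return the <img> src URLs in html that target a LAN address."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return [src for src in collector.sources if is_lan_target(src)]

# Constructed sample of the e-card lure: one harmless public image and one
# 1x1 IMG aimed at a router on the local network (the path is made up).
SAMPLE_EMAIL = """<html><body><p>You have an e-card waiting!</p>
<img src="https://cards.example.net/banner.png" alt="">
<img src="http://192.168.1.1/apply.cgi?dns=203.0.113.7" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    print(suspicious_image_urls(SAMPLE_EMAIL))
```

Hostnames are deliberately not resolved, so a lure that names the router by a DNS label rather than an IP literal would need an additional check against the local resolver.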
