[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)
peter at peter-dambier.de
Tue Jan 22 19:53:56 UTC 2008
For me the best solution is:
Forget your router as resolver.
There are cheap boxes arround who do not have a resolver at all but simply
repeat your ISP's resolvers via DHCP answer.
Others have some doubtfule resolver, rarely a bind never an uptodate one.
Almost everybody with a decent operating system can have either djbdns or
bind on his laptop. The windows people can at least have an almost uptodate
Support farming. Have some crackers for breakfast.
I guess there is mostly nothing a remote hacker cannot do.
They even flushed the flash of my router. Oh, yes I have changed
the password and I unplucked the DSL-cable when I was seeing what
happend. I guess they would not have flushed but flashed my router.
So it was me who had to do it finally :)
When I tell you, while the attack lasted I could not use my phone.
You probably know who the hackers were.
There is no connection between my ISDN phone and my DLS-router
except for the splitter. I have no computer connected to the ISDN.
Peter and Karin
Paul Vixie wrote:
> in <http://www.news.com/8301-10789_3-9855195-57.html> we see:
> January 22, 2008 10:19 AM PST
> Drive-by pharming attack hits home
> Posted by Robert Vamosi
> Whenever you type an address into an Internet browser, that address is
> instantly resolved into the site's numerical Internet address by a DNS server
> located somewhere in the world. On Tuesday, Symantec announced that online
> criminals have started to remotely redirect your home network router's DNS
> server so that whenever you type in a financial institution or other trusted
> site, your browser will instead be redirected to a bogus or phishing Web
> The practice, called pharming, usually attacks the DNS servers directly, but
> this latest attack brings it all home (if you are using broadband
> connectivity). Fortunately, the routers and institutions affected by this
> current attack are limited to one country, Mexico, but Symantec warns that
> word of this real-world attack could bring similar attacks elsewhere.
> Last year, researchers at Symantec and the University of Indiana reported
> that remotely changing a home router's DNS server was theoretically
> page, and affected only wireless routers. The attack in use today uses e-mail,
> and it can affect non-wireless routers as well.
> According to a blog by Zulfikar Ramzan, a researcher at Symantec, "the
> attackers embedded the malicious code inside an e-mail that claimed it had an
> e-card waiting for you at the Web site gusanito.com. Unfortunately the e-mail
> also contained an HTML IMG tag that resulted in an HTTP GET request being made
> to a router (the make of which is a popular router model in Mexico). The GET
> request modified the router's DNS settings so that the URL for a popular
> Mexico-based banking site (as well as other related domains) would be mapped
> to an attacker's Web site."
> The best way to prevent becoming a victim is to change your network router's
> default password. Default router passwords are not a secret and are available
> on the Internet, so if you haven't ever changed your network router's
> password, now is a good time. Syamntec's Ramzan further recommends performing
> a hard reset of your router first, just in case you are already compromised.
> If choosing a router password intimidates you, Ramzan also points out that if
> you ever do forget your new password, you can always do a hard reset on the
> box in the future (something a remote hacker can't do) and choose a new
> password later.
> TOPICS: Criminal Hackers, Phishing, Security
> TAGS: security, drive-by pharming, pharming, Zulfikar Ramzan, symantec,
> University of Indiana, router, passwords
> dns-operations mailing list
> dns-operations at lists.oarci.net
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Rimbacher Strasse 16
+49(6252)750-308 (VoIP: sipgate.de)
mail: peter at peter-dambier.de
More information about the dns-operations