[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)
glozano at nic.mx
Tue Jan 22 21:43:50 UTC 2008
The attack is very simple.
2Wire ADSL routers have a section for specifying name-to-IP-address
information, which is sent to the client by the resolver on the router.
Here is an image of a compromised ADSL router.
The reason for this feature, from the manual, is: "The Advanced - DNS
Resolve page allows users to name network devices (such as printers
or Web servers) so that they may be easily accessed by other users on
At 02:28 p.m. 22/01/2008, Francisco Arias wrote:
>At 2008-01-22 16:17, Gadi Evron wrote:
> >Paul Vixie wrote:
> > > in <http://www.news.com/8301-10789_3-9855195-57.html> we see:
> > >
> > > January 22, 2008 10:19 AM PST
> > > Drive-by pharming attack hits home
> > > Posted by Robert Vamosi
> > >
> > > Whenever you type an address into an Internet browser, that address is
> > > instantly resolved into the site's numerical Internet address by a DNS server
> > > located somewhere in the world. On Tuesday, Symantec announced that online
> > > criminals have started to remotely redirect your home network router's DNS
> > > server so that whenever you type in a financial institution or other trusted
> > > site, your browser will instead be redirected to a bogus or phishing Web
> > > site.
> > >
> > > The practice, called pharming, usually attacks the DNS servers directly, but
> > > this latest attack brings it all home (if you are using broadband
> > > connectivity). Fortunately, the routers and institutions affected by this
> > > current attack are limited to one country, Mexico, but Symantec warns that
> > > word of this real-world attack could bring similar attacks elsewhere.
> >I am unsure of what specific attack (malware?) they are talking about
> >which is MX specific, but SYMC is good with PR. I am however
> >increasingly concerned with the ease of compromising broadband routers.
>There is a specific attack against Banamex (one of the
>largest Mexican banks) customers redirecting the bank's web page to a
>forged site. The attack modifies the DNS entry on a 2Wire router
>which is fairly popular, as it is distributed by the largest Mexican
>ISP (Telmex) to their customers.
>I personally received some of the emails that supposedly
>modify the DNS entry some weeks ago, but never tried to see if it was real.
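As a defender-side check for what the thread describes (a router's built-in resolver handing clients a name-to-address mapping that no independent resolver agrees with), here is a small Python script added to this archive page; it is not code from the thread, from 2Wire or from Symantec. It builds its own A queries so that the same question can be put to the router and to a reference resolver separately and the answers compared. The router address, the reference resolver address and the name bank.example are placeholders, and the response packet used by the offline demo is constructed, not captured.

```python
import random
import socket
import struct

# Placeholder addresses: the router's LAN address and an independent resolver.
# Replace both for real use; neither value comes from the thread.
ROUTER_RESOLVER = "192.168.1.254"
REFERENCE_RESOLVER = "198.51.100.53"


def build_query(name, txid=None):
    """Build a minimal DNS query for the A record of `name` (recursion desired)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def _read_name(pkt, off):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(pkt, expected_txid):
    """Return the sorted IPv4 addresses found in the answer section of a response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4                             # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def query_a(server, name, timeout=2.0):
    """Ask `server` over UDP/53 for the A records of `name` (live use only)."""
    txid, q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, txid)


def find_overrides(router_answers, reference_answers):
    """Names whose router answer shares no address at all with the reference answer.

    A static entry such as the 2Wire "DNS Resolve" mapping replaces the real
    answer entirely, so zero overlap is the signal. CDN-style rotation usually
    still overlaps; treat a hit as something to inspect on the router, not proof.
    """
    suspicious = {}
    for name, router_set in router_answers.items():
        ref = set(reference_answers.get(name, []))
        if ref and not (set(router_set) & ref):
            suspicious[name] = (sorted(router_set), sorted(ref))
    return suspicious


def build_response(txid, name, addrs, ttl=300):
    """Construct a DNS response packet (offline demo only; answers use a name pointer)."""
    _, q = build_query(name, txid)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + q[12:] + rrs


if __name__ == "__main__":
    # Offline demo: a constructed router answer for a made-up bank name versus
    # a constructed reference answer.
    txid, _ = build_query("bank.example")
    router = {"bank.example": parse_a_answers(
        build_response(txid, "bank.example", ["192.0.2.10"]), txid)}
    reference = {"bank.example": ["198.51.100.5"]}
    print(find_overrides(router, reference))   # {'bank.example': (['192.0.2.10'], ['198.51.100.5'])}
    # Live use: router = {n: query_a(ROUTER_RESOLVER, n) for n in names}, and the
    # same for REFERENCE_RESOLVER, then find_overrides(router, reference).
```

Run against a list of the names you care about (banks first), querying the router and one or two independent resolvers. A name that shows up in the result is worth checking on the router's DNS Resolve page, since a legitimate entry there should only ever name hosts on your own LAN.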