[dns-operations] "remotely changing a home router's DNS server was theoretically possible" (C|Net)

Gustavo Lozano glozano at nic.mx
Tue Jan 22 21:43:50 UTC 2008

The attack is very simple.

2Wire adsl/routers have a section for specifying name to IP address 
information which is sent to the client by the resolver on the router.

Here is an image of a compromised adsl/router.
The reason for this feature from the manual is: "The Advanced - DNS 
Resolve page allows users to name network devices (such as printers 
or Web servers) so that they may be easily accessed by other users on 
the network."

Gustavo Lozano
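An added example, not code from this thread or from 2Wire: a small Python check that reads a DNS Resolve-style name-to-IP table (constructed sample) and flags any entry for a public-looking name, which the feature was never meant to hold, comparing it with an answer obtained from an independent resolver (also constructed). The local-suffix list, hostnames and addresses are assumptions.

```python
import ipaddress

# Constructed sample, not from the original thread: the router's name-to-IP
# table as an administrator would read it off the "DNS Resolve" page.
ROUTER_TABLE = """\
printer          192.168.1.50
nas.home         192.168.1.60
www.bank.example 198.51.100.23   # constructed: this line is the hijack
"""

# Constructed: answers for the same public names from an independent resolver
# (e.g. dig @<outside resolver>), obtained over a path the router does not control.
INDEPENDENT_ANSWERS = {
    "www.bank.example": "203.0.113.10",
}

LOCAL_SUFFIXES = {"lan", "local", "home"}  # assumed conventions for device names

def parse_table(text):
    """Parse 'name ip' lines into a dict; blank lines and '#' comments are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, ip = line.split()
        entries[name.lower()] = ipaddress.ip_address(ip)  # validates the address
    return entries

def is_local_name(name):
    """Single-label names and local suffixes are what the feature is meant for."""
    return "." not in name or name.rsplit(".", 1)[1] in LOCAL_SUFFIXES

def check_table(entries, independent):
    """Return (name, router_ip, reason) for every entry that pins a public name."""
    findings = []
    for name, ip in entries.items():
        if is_local_name(name):
            continue
        truth = independent.get(name)
        if truth is None:
            reason = "public-looking name in a table meant for local devices"
        elif str(ip) == truth:
            reason = "matches independent answer, but should not be pinned here"
        else:
            reason = f"differs from independent answer {truth}"
        findings.append((name, str(ip), reason))
    return findings

if __name__ == "__main__":
    for name, ip, reason in check_table(parse_table(ROUTER_TABLE), INDEPENDENT_ANSWERS):
        print(f"SUSPECT {name} -> {ip}: {reason}")
```

The same comparison works against answers collected from the router's own resolver, since the table is what that resolver hands to clients first.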

At 02:28 p.m. 22/01/2008, Francisco Arias wrote:
>At 2008-01-22 16:17, Gadi Evron wrote:
> >Paul Vixie wrote:
> > > in <http://www.news.com/8301-10789_3-9855195-57.html> we see:
> > >
> > > January 22, 2008 10:19 AM PST
> > > Drive-by pharming attack hits home
> > > Posted by Robert Vamosi
> > >
> > > Whenever you type an address into an Internet browser, that address is
> > > instantly resolved into the site's numerical Internet address by a DNS
> > > server located somewhere in the world. On Tuesday, Symantec announced
> > > that online criminals have started to remotely redirect your home
> > > network router's DNS server so that whenever you type in a financial
> > > institution or other trusted site, your browser will instead be
> > > redirected to a bogus or phishing Web site.
> > >
> > > The practice, called pharming, usually attacks the DNS servers directly,
> > > but this latest attack brings it all home (if you are using broadband
> > > connectivity). Fortunately, the routers and institutions affected by this
> > > current attack are limited to one country, Mexico, but Symantec warns
> > > that word of this real-world attack could bring similar attacks elsewhere.
> >
> >I am unsure of what specific attack (malware?) they are talking about
> >which is MX specific, but SYMC is good with PR. I am however
> >increasingly concerned with the ease of compromising broadband routers.
>          There is a specific attack against Banamex (one of the
>largest Mexican banks) customers redirecting the bank's web page to a
>forged site. The attack modifies the DNS entry on a 2Wire router
>which is fairly popular, as it is distributed by the largest Mexican
>ISP (Telmex) to their customers.
>          I personally received some of the emails that supposedly
>modify the DNS entry some weeks ago, but never tried to see if it was real.