Last Updated: 2008-01-24 02:11:21 UTC
by Toby Kohlenberg (Version: 1)
Symantec posted a blog entry about attackers using vulnerabilities in web browsers (CSRF and XSS from our interpretation of the article) to reconfigure home routers/firewalls to change their DNS servers to enable MITM attacks. They report having seen a number of delivery methods for the attacks including email, and compromised or malicious websites.
The full article is here: http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html
Heise.de also has an article about the issue (links to the Symantec post) for those of you who prefer reading german: http://www.heise.de/newsticker
There are a number of moderately effective mitigations that you can use to prevent this (per Symantec)-
- change your default password on the router
- turn off UPnP if you don't have an explicit, serious need for it
- try using one of the less common RFC 1918 address range
And of course make sure that you are using up to date AV and firewall and IDS and everything else on your internal systems.
One of my fellow handlers pointed out that the most interesting and significant part of this issue is that it marks a change in targeting by attackers. The move from compromising the end-host to targeting the home routers & firewalls (or other infrastructure) has ugly implications about the way we are currently defending our systems. Ideally a man in the middle attack should always be noticeable, but we all know that people tend to click "accept" way too quickly most of the time.