
SANS Internet Storm Center (ISC) Diary


Drive-by Pharming and attacks against network infrastructure

Symantec posted a blog entry about attackers abusing the victim's web browser (CSRF, and possibly XSS, from our interpretation of the article) to reconfigure home routers/firewalls and change their DNS servers, which lets the attacker run man-in-the-middle attacks against every host behind the router. The browser does the work: a page or HTML e-mail the victim views makes it send configuration requests to the router's web administration interface on the LAN, and a router that still accepts its factory credentials carries them out. Symantec reports having seen a number of delivery methods for the attacks, including e-mail and compromised or malicious websites.
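To make the mechanism concrete, here is an added example (not code from the Symantec post, the ISC, or any real router) that models the router side of the attack in Python. The admin URL `/config/dns`, the `primary`/`secondary` parameters, the `admin`/`admin` default, the router address 192.168.1.1 and the session scheme are all hypothetical stand-ins; the attacker's resolver 203.0.113.53 and the owner's 192.0.2.53 are documentation addresses. The vulnerable handler accepts a state-changing GET guarded only by HTTP Basic credentials the browser replays automatically; the hardened handler beside it shows the three cross-site checks that stop the drive-by.

```python
"""Model of the router-side weakness behind drive-by pharming (added example).

Not code from Symantec's post or from any real device: URL, parameters,
default credentials and session handling are hypothetical stand-ins.
"""
import base64
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"   # assumed (and easily guessed) LAN address
DEFAULT_CREDS = ("admin", "admin")     # hypothetical factory default


def basic(user, password):
    """Value of an HTTP Basic Authorization header."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Router:
    dns: tuple = ("192.168.1.1",)                  # LAN clients resolve via the router
    password: str = DEFAULT_CREDS[1]
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token


def vulnerable_set_dns(router, req):
    """The pattern the diary describes: a state-changing GET guarded only by
    Basic auth. A browser that has authenticated to the router replays the
    header on every request to that address, and the factory default is
    guessable anyway, so <img src="http://192.168.1.1/config/dns?..."> on any
    web page or HTML e-mail is enough to change the resolvers."""
    if req.headers.get("Authorization") != basic(DEFAULT_CREDS[0], router.password):
        return 401
    qs = parse_qs(urlsplit(req.url).query)
    router.dns = tuple(qs.get("primary", []) + qs.get("secondary", []))
    return 200


def hardened_set_dns(router, req):
    """Same operation with three independent checks: POST only, a token bound
    to the caller's session, and an Origin (or Referer) served by the router.
    Each alone defeats the cross-site request; together they cover slips."""
    if req.method != "POST":
        return 405
    token = router.sessions.get(req.cookies.get("session"))
    if token is None or not secrets.compare_digest(token, req.form.get("csrf", "")):
        return 403
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == ROUTER_ORIGIN or origin.startswith(ROUTER_ORIGIN + "/")):
        return 403
    router.dns = (req.form["primary"],)
    return 200


def drive_by_attempt(handler, method="GET", password=DEFAULT_CREDS[1], logged_in=False):
    """Request the victim's browser makes on the attacker's behalf. With
    logged_in=True the victim has an admin session open, so the browser attaches
    the session cookie, but the attacker's page still cannot read the token."""
    router = Router(password=password)
    cookies = {}
    if logged_in:
        sid, tok = secrets.token_hex(8), secrets.token_hex(16)
        router.sessions[sid] = tok
        cookies["session"] = sid
    req = Request(method, ROUTER_ORIGIN + "/config/dns?primary=203.0.113.53",
                  headers={"Authorization": basic(*DEFAULT_CREDS),   # attacker's guess
                           "Origin": "http://attacker.example",
                           "Referer": "http://attacker.example/page.html"},
                  cookies=cookies, form={"primary": "203.0.113.53"})
    return handler(router, req), router.dns


def legitimate_change(new_dns="192.0.2.53"):
    """The owner changes the resolver from the router's own UI."""
    router = Router()
    sid, tok = secrets.token_hex(8), secrets.token_hex(16)
    router.sessions[sid] = tok
    req = Request("POST", ROUTER_ORIGIN + "/config/dns", headers={"Origin": ROUTER_ORIGIN},
                  cookies={"session": sid}, form={"csrf": tok, "primary": new_dns})
    return hardened_set_dns(router, req), router.dns


if __name__ == "__main__":
    print("vulnerable, default password:  ", drive_by_attempt(vulnerable_set_dns))
    print("vulnerable, password changed:  ", drive_by_attempt(vulnerable_set_dns, password="l0ng-r4nd0m"))
    print("hardened, cross-site GET:      ", drive_by_attempt(hardened_set_dns))
    print("hardened, cross-site POST:     ", drive_by_attempt(hardened_set_dns, "POST", logged_in=True))
    print("hardened, owner's own change:  ", legitimate_change())
```

Changing the default password is the one mitigation the victim controls that already defeats the vulnerable handler (the forged request fails with 401); the hardened handler is what the router vendor would have to ship, since a home user cannot add a CSRF token to firmware.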

The full article is here: http://www.symantec.com/enterprise/security_response/weblog/2008/01/driveby_pharming_in_the_wild.html

Heise.de also has an article about the issue (it links to the Symantec post) for those of you who prefer reading German: http://www.heise.de/newsticker/meldung/102281

There are a number of moderately effective mitigations that you can use to prevent this (per Symantec):

  • change the default password on the router; the forged requests only succeed while the router still accepts the factory credentials
  • turn off UPnP if you don't have an explicit, serious need for it, since UPnP lets anything on the LAN reconfigure the router without authenticating
  • try using one of the less common RFC 1918 address ranges, so that a page guessing the router at 192.168.0.1 or 192.168.1.1 misses

And of course, make sure that you are using up-to-date AV, a firewall, IDS and everything else on your internal systems.

One of my fellow handlers pointed out that the most interesting and significant part of this issue is that it marks a change in targeting by attackers. The move from compromising the end host to targeting the home routers and firewalls (or other infrastructure) has ugly implications for the way we currently defend our systems: host-based AV and firewalls see nothing wrong on a machine that is doing exactly what it was configured to do, only with a lying resolver. Ideally a man-in-the-middle attack should always be noticeable, because the impostor cannot present a valid certificate for the real site and the browser warns, but we all know that people tend to click "accept" way too quickly most of the time.
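Because the compromised host looks healthy, the check a practitioner would want is one that asks the router's resolver and a reference resolver the same question and compares the answers. The following Python is an added example (not from Symantec or the ISC): a minimal DNS A-record client with its own wire-format parser, plus a comparison that flags disjoint answer sets. The names `bank.example`, the "attacker" address 198.51.100.7 and the "real" addresses 203.0.113.x are constructed sample input from the documentation ranges; `query()` does a live UDP lookup if you point it at a real resolver, while `demo()` runs entirely offline on constructed responses.

```python
"""Cross-check the router's resolver against a reference resolver (added example).

A pharmed router answers the targeted names with the attacker's address while a
reference resolver (the ISP's, or any server you trust, queried directly rather
than via the router) still returns the real one. Sample data is constructed.
"""
import ipaddress
import secrets
import socket
import struct


def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name):
    """Recursive A query; the random ID is what a genuine response must echo."""
    header = struct.pack("!HHHHHH", secrets.randbelow(1 << 16), 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qdcount):                       # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen                               # CNAME and other types are skipped
    return addrs


def query(server, name, timeout=2.0):
    """Live lookup over UDP; e.g. query(<router address>, name) vs query(<ISP resolver>, name)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("response ID does not match the query")
    return parse_a_records(data)


def looks_pharmed(router_answers, reference_answers):
    """Disjoint answer sets are the signal; any overlap means the router's
    resolver is at least not lying about this name."""
    return bool(router_answers) and bool(reference_answers) \
        and not set(router_answers) & set(reference_answers)


def build_response(qid, name, addrs, ttl=300):
    """Constructed response used as offline sample input (answer names compressed)."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                       + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + answers


def demo():
    """Offline run: the 'router' resolves bank.example to the attacker's host."""
    via_router = parse_a_records(build_response(0x1234, "bank.example", ["198.51.100.7"]))
    via_isp = parse_a_records(build_response(0x1234, "bank.example",
                                             ["203.0.113.10", "203.0.113.11"]))
    return via_router, via_isp, looks_pharmed(via_router, via_isp)


if __name__ == "__main__":
    print(demo())
```

Two caveats when running this against real resolvers: names fronted by a CDN or round-robin pool can legitimately return non-overlapping sets, so pick the login host of the site you care about and expect some noise; and the reference query must bypass the router's resolver, which a plain drive-by change of the DNS setting does not interfere with.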

Toby

Another possible mitigation is to configure the computers on the home LAN to use the ISP's DNS server(s). Hopefully they will be a bit more resistant to tampering than the home router DNS server.
Realistically, these guidelines will only affect a small percentage of the devices at risk because the largest set of home routers/firewalls do not have administrators that will understand these guidelines.
Anonymous
