Drive-by pharming revealed (and curious music)

Is that really Friday's IT Blogwatch? In which Symantec reveals a worrying proof of concept for hijacking a home router's DNS settings from a web page. Not to mention a batch of odd music, including a bonus video...

Robert McMillan reports:

If you haven't changed the default password on your home router, do so now. That's what researchers at Symantec Corp. and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code.


For the attack to work, the bad guys would need a couple of things to go their way. First, the victim would have to visit a malicious Web site that served up the JavaScript. Second, the victim's router would have to still use the default password that it's pre-configured with out of the box. In tests, the researchers were able to do things like change firmware and redirect a ... router to look up Web sites from a DNS (Domain Name System) server of their choosing.


At the heart of the problem is the fact that consumer routers ship with simple, well-known default passwords, like "admin," which could be exploited by attackers.

Erik Larkin has more:

In a real attack (of which there aren't yet any known, thankfully), the hijacked router could send anyone on that home network to their own phishing site instead of, say, You'd end up at the phishing site even if you used best practices like using your own bookmark or typing the address in - and the browser address would display the supposedly real URL. Or, as has happened in previous DNS attacks, the attacker might just redirect any connection to a poisoned Web site that tries to bust your browser and install a bunch of spyware.

Symantec's Zulfikar Ramzan is the horse's mouth:

I wanted to talk about a recent new attack, called Drive-By Pharming, which I co-developed with Sid Stamm and Markus Jakobsson of the Indiana University School of Informatics. It allows attackers to create a Web page that, simply when viewed, results in substantive configuration changes to your home broadband router or wireless access point. As a result, attackers gain complete control over the conduit by which you surf the Web, allowing them to direct you to sites they designed (no matter what Web address you direct your Web browser to). I believe this attack has serious widespread implications and affects many millions of users worldwide. Fortunately, this attack is easy to defend against as well.


Real-world analogy ... Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank.

[Ramzan also offers a cute flash demo]

Sid Stamm has some background:

I recently developed this with Zulfikar Ramzan from Symantec, who forwarded to my advisor (Markus) an interesting Black Hat talk by Jeremiah Grossman. Markus in turn forwarded to me and that's when it struck me that we could similarly mount a pharming attack without playing man-in-the-middle - all it takes is a tweak of the router's DNS server setting, and a whole home network is pharmed. Coupled with the idea that roughly 50% of broadband routers still use the default password, this attack affects a whole lot of people.

IBM's Rocky Oliver isn't bothered by the voices in his head:

There are a variety of ways your (wireless) router can be exploited - this is just the latest. Of course, wireless routers are much less secure by their very nature. It is fertile ground for hackers, phishers, etc. - and this is not because wireless routers are particularly insecure, it is mainly because neophyte users have no idea how to take advantage of the security measures built into the router. To avoid these potential vulnerabilities there are a couple of steps you should take, at a minimum, when setting up a wireless network.


Every geek - and I mean EVERY geek - who has an interest in wireless networks knows the default password to every router on the market, or can simply Google it to find it (don't believe me? Take a look here.) This means that a router that is set up out of the box without any changes is wide open - for access AND configuration - to anyone who wants to access it.

Bot-expert Gadi Evron discusses:

The one thing about the folks at SYMC who did this release is that they actually know their ****. Meaning, someone took these two technology ideas and made something new from them, which is: Break into wireless routers and put your DNS server in them for hijacking purposes ... It's cool, it's "new" and it won't be a huge problem quite yet ... This is much like the days when bots were trojan horses, as botnets didn't yet exist.

GOOD NEWS: these are DNS servers we can take down. Fun, yet another escalation war ... Nice work by the guys at Symantec.

Alfredo Reino sums it up:

It’s really a combination of different things: getting the victim to browse a malicious webpage, which uses “Cross-Site Request Forgery” to logon to the broadband router using default passwords, and changing the DNS configuration to hijack the user’s sessions, redirecting subsequent browsing to malicious sites. It seems convoluted, but apparently it works.
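The recipe McMillan, Larkin, Ramzan, Stamm and Reino describe above has three ingredients: a factory password the attacker can guess, a request the victim's browser is tricked into sending to the router, and a single DNS-server setting whose change pharms every host behind the router. The toy model below, written for this page (it is not code from Symantec, Indiana University or any router vendor), plays those pieces against an unhardened and a hardened admin CGI. The path /setdns.cgi, the dns1 and csrf parameters, the admin/admin default and the IP addresses are all assumptions; the Origin header the hardened branch checks is a later browser feature that 2007 browsers did not send, which is one more reason the default password was the only practical defense at the time.

```python
"""Toy model of a broadband router's admin CGI (assumed endpoint and names),
showing why a drive-by page can rewrite the DNS setting and which server-side
checks break the chain. Added example; not any vendor's or researcher's code."""
import base64
import ipaddress
import secrets
from dataclasses import dataclass, field

FACTORY_CREDS = {"admin": "admin"}      # assumed factory default
ISP_DNS = ["192.0.2.53"]                # constructed: the ISP's resolver
ROGUE_DNS = "198.51.100.66"             # constructed: attacker's resolver
EVIL_ORIGIN = "http://evil.example"     # constructed: the drive-by page
NEW_PW = "correct horse battery staple" # constructed: owner-chosen password


@dataclass
class Router:
    lan_origin: str = "http://192.168.1.1"
    users: dict = field(default_factory=lambda: dict(FACTORY_CREDS))
    dns_servers: list = field(default_factory=lambda: list(ISP_DNS))
    hardened: bool = False
    _tokens: set = field(default_factory=set)

    def issue_csrf_token(self) -> str:
        """Embedded in the router's own settings page; a cross-site page
        cannot read it, so it cannot forge it into a request."""
        tok = secrets.token_hex(16)
        self._tokens.add(tok)
        return tok

    def _basic_auth_ok(self, headers) -> bool:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:          # bad base64 or bad UTF-8
            return False
        return self.users.get(user) == pw

    def handle(self, method, path, headers, params) -> int:
        """Process one request; returns an HTTP status code."""
        if path != "/setdns.cgi":
            return 404
        if not self._basic_auth_ok(headers):
            return 401
        if self.hardened:
            # Refuse to do anything while a factory credential is still live.
            if any(self.users.get(u) == p for u, p in FACTORY_CREDS.items()):
                return 403
            # State changes only via POST, only from our own origin (browsers
            # attach Origin to cross-site POSTs), only with a one-time token.
            if method != "POST":
                return 405
            if headers.get("Origin") != self.lan_origin:
                return 403
            if params.get("csrf") not in self._tokens:
                return 403
            self._tokens.discard(params["csrf"])
        try:
            new_dns = str(ipaddress.ip_address(params.get("dns1", "")))
        except ValueError:
            return 400
        self.dns_servers = [new_dns]    # the whole LAN now resolves via new_dns
        return 200


def _basic(user, pw):
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def drive_by_get(rogue_dns=ROGUE_DNS):
    """What an <img src="http://admin:admin@192.168.1.1/setdns.cgi?dns1=...">
    on the malicious page makes the victim's browser send (assumed shape)."""
    return ("GET", "/setdns.cgi", {"Authorization": _basic("admin", "admin")},
            {"dns1": rogue_dns})


def cross_site_post(user, pw, rogue_dns=ROGUE_DNS):
    """An auto-submitting form on the malicious page. If the victim administered
    the router earlier this session, the browser re-sends the Basic credentials
    it cached, so the attacker need not know the (changed) password."""
    return ("POST", "/setdns.cgi",
            {"Authorization": _basic(user, pw), "Origin": EVIL_ORIGIN},
            {"dns1": rogue_dns})


def owner_post(router, user, pw, new_dns):
    """The same change made from the router's own settings page."""
    return ("POST", "/setdns.cgi",
            {"Authorization": _basic(user, pw), "Origin": router.lan_origin},
            {"dns1": new_dns, "csrf": router.issue_csrf_token()})


def run_scenarios():
    """Returns {scenario: (status, dns_servers afterwards)}."""
    out = {}
    r = Router()                                        # out of the box
    out["factory_password"] = (r.handle(*drive_by_get()), r.dns_servers)
    r = Router(users={"admin": NEW_PW})                 # the article's advice
    out["password_changed"] = (r.handle(*drive_by_get()), r.dns_servers)
    req = cross_site_post("admin", NEW_PW)              # browser-cached creds
    out["cached_creds_unhardened"] = (r.handle(*req), r.dns_servers)
    r = Router(users={"admin": NEW_PW}, hardened=True)
    out["cached_creds_hardened"] = (r.handle(*req), r.dns_servers)
    legit = owner_post(r, "admin", NEW_PW, "192.0.2.54")
    out["owner_change"] = (r.handle(*legit), r.dns_servers)
    r = Router(hardened=True)                           # good firmware, lazy owner
    out["hardened_factory_password"] = (r.handle(*drive_by_get()), r.dns_servers)
    return out


if __name__ == "__main__":
    for name, (status, dns) in run_scenarios().items():
        print(f"{name:28s} HTTP {status}  dns={dns}")
```

Two things fall out of the scenarios. Changing the password stops the guessed-credential GET cold (401), which is the whole defense the posts recommend and why it works. But a router that authenticates with HTTP Basic and accepts state changes on any request still falls to a cross-site POST riding on credentials the browser cached from an earlier admin session, unless the firmware also demands the owner's origin and a token it issued; the hardened branch shows that check, and also refuses to operate at all while a factory credential is live.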

Jed Mallen thinks of the implications:

Fact: a lot of DSL router/modems have default user/passwords. Users rarely, if ever, change them ... An attacker-controlled DNS server can point [insert your favorite webmail/online banking/online shopping site here] to his own mock-up of the site and no one is wiser.

KoolMoe will be sad to see more people secure their routers:

I am thankful for those who do not secure their wireless connections. Power out at my house for two days now. Staying at Grandma's and she has no net connection...but some neighbor does and has no security on their router. Sweet.

Dan Goodin has the... uhhh... bottom line: [you're fired -Ed.]

Still using the default password that came with that nice broadband router you installed at home? Time to get off your butt and change it.


And finally... Ten albums in ten minutes. Or, if MP3s aren't your bag, try this: Fit Song by the Japanese group Cornelius

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20-year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at

Copyright © 2007 IDG Communications, Inc.
