By Kevin Murphy (Reprinted with permission from ComputerWire, a Datamonitor Company)
“When I tried it out for the first time, when I wrote the proof-of-concept, I had a moment of internal panic when I saw how easy it was to do,” said Zulfikar Ramzan, senior principal researcher at Symantec and one of the paper’s authors.
Don’t panic yet. No attackers are known to be using the technique, and making your home network immune to it is a simple matter of setting a strong router password, if you have not done so already.
The attacker could, for example, redirect Paypal.com to his own phishing server in order to steal money, or bounce Windowsupdate.com to his own malware distribution site to try to create a botnet.
While users are becoming increasingly savvy to the tell-tale signs of phishing attacks, this new pharming attack would confuse matters further by showing the genuine domain name in the browser address bar, implying that the user really is where they think they are.
Unlike phishing attacks, which need the user to click on the attacker’s link, pharming attacks work when a user visits a web site of their own volition and is not on guard. Pharming has been around as a concept for some time, but it is not a particularly widespread problem. Previous pharming techniques have involved altering the Hosts file on a victim’s computer (in which case you already have access to their machine, so you may as well install something more interesting) or breaking into DNS servers at ISPs, which is not easy.
This new attack is much easier. Ramzan said he’s verified it works on routers from D-Link, Netgear and Linksys, three of the major brands, which generally ship with default username/password combinations.
The Indiana researchers informally estimated that about 50% of home network users have not changed the default administrator username and password on their routers.
“A lot of people don’t change their router password,” said Ramzan. “A lot of routers don’t ever take you to a place where you can obviously change your password during installation, they just kinda assume you’ll do that by yourself.”
A more complex attack would be able to determine which model of router the victim is using, first by establishing the router’s internal IP address and then by attempting to load known interface graphics from the router’s web server; whichever vendor’s image loads identifies the model. This would broaden the base of potential victims.
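To make that fingerprinting step concrete, the following sketch is added to this reprint as an illustration; it is not code from the Indiana paper, from Symantec, or from any router vendor. It relies on a fact the attack depends on: a browser will request an image from any host, including the local gateway, without the same-origin policy getting in the way, and the image’s onload/onerror events tell the page whether that path exists. The gateway addresses are common factory defaults; the fingerprint table (image paths and model labels) and the function names are hypothetical placeholders invented for the example, and the “router” in the demo is a constructed stand-in so the code runs outside a browser.

```javascript
// Added illustration of browser-side router fingerprinting. Not the paper's
// code: gateway list is common defaults, fingerprint paths are hypothetical.

const DEFAULT_GATEWAYS = ["192.168.0.1", "192.168.1.1", "10.0.0.1"];

// Hypothetical fingerprints: an image path that only one firmware family
// would serve. Real tables would be built by inspecting each vendor's UI.
const FINGERPRINTS = [
  { model: "vendor-A home router", path: "/images/logo_vendor_a.gif" },
  { model: "vendor-B home router", path: "/img/vendor_b_banner.jpg" },
  { model: "vendor-C home router", path: "/graphics/vendor_c_header.png" },
];

// Browser loader: resolves true if the image loads, false on error/timeout.
// Needs the DOM Image constructor, so it only runs in a browser; the demo
// and test below use fakeLoader instead.
function imageLoader(url, timeoutMs = 1500) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    img.src = url;
  });
}

// Probe every (gateway, fingerprint) pair until one image loads.
// Returns { gateway, model } for the first hit, or null if nothing matched.
async function fingerprintRouter(loader, gateways = DEFAULT_GATEWAYS, table = FINGERPRINTS) {
  for (const gateway of gateways) {
    for (const fp of table) {
      const url = `http://${gateway}${fp.path}`;
      if (await loader(url)) {
        return { gateway, model: fp.model };
      }
    }
  }
  return null;
}

// Constructed stand-in for a gateway: a loader that "serves" only the URLs
// in the given set, so the probing logic can be exercised offline.
function fakeLoader(servedUrls) {
  return async (url) => servedUrls.has(url);
}

// Demo: a fake router at 192.168.1.1 answering one vendor-B path.
async function demo() {
  const router = fakeLoader(new Set(["http://192.168.1.1/img/vendor_b_banner.jpg"]));
  return fingerprintRouter(router);
}

demo().then((result) => console.log(result));
```

In a real page the attacker would pass `imageLoader` instead of `fakeLoader`. Note that nothing in this step needs the router’s password; the fingerprint only tells the attacker which login form and which DNS-settings request to send next, and that next step is the one that a non-default password stops.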
The Drive-By Pharming paper was published on the Indiana University web site in December, but has yet to be formally published or presented at a conference.
As for the ethics of publishing, potentially putting ideas into the heads of bad guys, Ramzan said that while the attack is fairly straightforward, the solution is even easier. There’s no need to wait for a patch from a vendor.
“There’s a very simple fix for this problem, something people should have been doing all along, which is to change the default password,” he said. “Had there not been a simple solution to it, I would have been much more hesitant about publishing this.”
“We haven’t seen an example of this in the wild, but some of the building blocks are out there,” he said. “It’s really just a matter of time before we do see this.”
The paper was co-authored by Sid Stamm and Markus Jakobsson, both of Indiana University.