By Kevin Murphy (Reprinted with permission from ComputerWire, a Datamonitor Company)
“When I tried it out for first time, when I wrote the proof-of-concept, I had a moment of internal panic when I saw how easy it was to do,” said Symantec senior principal researcher Zulfikar Ramzan, and one of the paper’s authors.
Don’t panic yet. There are no bad guys known to be using the technique, and making your network completely invulnerable is a simple case of setting a strong router password, if you have not done so already.
The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker’s DNS servers. The attacker would have to persuade the user to visit the web page containing the attack code. This could be done with spammed links, or by inserting it into a page on a compromised web server on a popular site. Once the victim’s router was configured to use a bad DNS server, the attacker could redirect any internet domain to the server of his choosing whenever he felt like it, without ever having to touch the victim’s network.
The attacker could, for example, redirect Paypal.com to his own phishing server in order to steal money, or bounce Windowsupdate.com to his own malware distribution site to try to create a botnet.
While users are becoming increasingly savvy to the tell-tale signs of phishing attacks, this new pharming attack would confuse matters further by showing an actual domain in the browser address bar, implying that the user really is where they think they are.
Unlike phishing attacks, which need the user to click on the attacker’s link, pharming attacks work when a user visits a web site of their own volition, and are not on-guard. Pharming has been around as a concept for some time, but it’s not a particularly widespread problem. Previous pharming techniques have involved altering the Hosts file on a victims computer (in which case, you’ve already got access to their machine so you may as well install something more interesting) or breaking into DNS servers at ISPs, which is not easy.
This new attack is much easier. Ramzan said he’s verified it works on routers from D-Link, Netgear and Linksys, three of the major brands, which generally ship with default username/password combinations.
The Indiana researchers informally estimated that about 50% of home network users have not changed the default administrator username and password on their routers.
“A lot of people don’t change their router password,” said Ramzan. “A lot of routers don’t ever take you to a place where you can obviously change your password during installation, they just kinda assume you’ll do that by yourself.”
The paper presents the JavaScript code for conducting the attack against a specific model of D-Link router with the default settings. A single line would only be required for each model with a known default configuration. There are web sites that publish this information.
A more complex attack would be able to determine which model of router the victim is using by first establishing what the router’s internal IP address is and then attempting to load known interface graphics from the router’s web server. This would broaden the base of potential victims.
Because the attack would be delivered as JavaScript embedded in an otherwise normal-looking web page, it would be almost completely transparent to the victim, whether it succeeded or failed.
The Drive-By Pharming paper was published on the Indiana University web site in December, but has yet to be formally published or presented at a conference.
As for the ethics of publishing, potentially putting ideas into the heads of bad guys, Ramzan said that while the attack is fairly straightforward, the solution is even easier. There’s no need to wait for a patch from a vendor.
“There’s a very simple fix for this problem, something people should have been doing all along, which is to change the default password,” he said. “Had there not been a simple solution to it, I would have been much more hesitant about publishing this.”
“We haven’t seen an example of this in the wild, but some of the building blocks are out there,” he said. “It’s really just a matter of time before we do see this.”
The paper was co-authored by Sid Stamm and Markus Jakobsson, both of Indiana University.
