Drive-By Pharming In the Wild

An anonymous reader writes "Symantec reported Tuesday that the first case of drive-by pharming, in which a hacker changes the DNS settings on a customer's broadband router or wireless access point and directs the link to a fraudulent Web site, has been observed in the wild. The first drive-by pharming attack has been observed against a Mexican bank: 'It's associated with an e-mail pretending to be from a legitimate Spanish-language e-greeting card company, Gusanito.com,' says Symantec Security Response principal researcher Zulfikar Ramzan. Inside the e-mail is an HTML image tag but instead of displaying images, it sends a request to the home router to tamper with it."

Pfft

[Kalriath]

So, I suppose this "hack" fails entirely on any router which... well, either has a default password or (like any high end router) doesn't use HTTP basic authentication? No worries for me, my 3com is safe as houses.

Captcha?

[tedhiltonhead]

It sounds like a simple captcha image on the router's login page would thwart this.

Re:Captcha?

[cheater512]

Or maybe force users to change the password.

Which one makes more sense? :P

Biggest Mexican Bank?

[xtracto]

2Wire DSL routers to point the user's Web browser to a fraudulent bank site that mimics the site of one of the largest Mexican banks.

There is not much space to guess here, it is either Banamex or Bancomer...

Re:Biggest Mexican Bank?

[nesmex]

Well yes is Banamex. This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
The UNAM-CERT, also has the "Gusanito" exploit documented (spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
The attack overrides the modem's password...

Definition?

[WarJolt]

What does "drive-by" have to do with this kind of hack? Oh sure we've all logged into neighbors wireless routers and snickered because they've left the default password. Somehow I think "drive-by" part was coined by a guy who thought of exploiting unsecured wireless routers and changing DNS settings. Am I the only one who doesn't think "drive-by" applies to this kind of attack?

Re:Definition?

[Vyse+of+Arcadia]

I dunno about anyone else, but to me it conjures up images of 90s-era Hollywood hackers. Suave guy in the driver's seat of a red car, his short, befreckled and bespectacled companion laboriously typing on a laptop while muttering things about "This is UNIX" and "His serving RAM is so unprocessed."

British Telecom Home Hub

[ddrichardson]

Anyone else notice that BT are taking this seriously - log on to the router's home page and it tells you they have changed the default admin password (well it will when you enter the unit's serial number as the admin password.

Enough with the default passwords.

[GreggBz]

If Bioware can sell $30 software with unique CD-Keys printed on the inside of each jewel case, why can't Linksys sell $40 routers with unique admin passwords printed on each manual. Or better yet, make the default password the last 6 digits of the LAN side MAC address, that can't be terribly hard to manufacture.

Seriously, you could even honestly market them as "more secure."

Re:Enough with the default passwords.

[moderatorrater]

Several reasons. First, it's easier to change what gets stamped into a cd than what gets set into the silicon. Second, the cd key isn't actually unique to the CD, it just conforms to an algorithm that determines whether or not the cd key fits the criteria for the software and then, when on the network, checks to make sure that the cd key was actually sold and that it's unique.

Re:Enough with the default passwords.

[blair1q]

Because software can pop up a box on your screen saying "go look for the sticker on the box and type the letters and numbers (and maybe the dashes or maybe not, your guess is as good as ours) you see there into this box here then click the button that says 'OK'".

Hardware says "blink"..."blink"..."blink"... and user calls customer support, adding $10 to the cost of every sale.

Re:Enough with the default passwords.

[Compholio]

It would be trivial to use the LAN MAC address as the default password.

It would also be trivial for someone to run "arp" while connected to your access point. I agree that they need to use a random default password, but the MAC address would not be sufficient.

Re:Enough with the default passwords.

[crymeph0]

It's easier to change what gets stamped into a cd than what gets set into the silicon

Nope. I do embedded software, and write the test suite all those devices go through before being shipped to the customer. It's pretty standard to set custom stuff at that time, including the MAC ID for the unit. It would be just as easy to change the password at that time.

Your comment about the CD key, however, is right on.

Gusanito??

[Roadmaster]

Dude, gusanito means literally "little worm"; I personally would never open an email saying "hey, you got a postcard from a little worm!". I don't know who would...

Fankly, I'm suprised

[Itninja]

...that this doesn't happen more often. I can drive through Seattle (and presumably any large city) with my laptop running a wireless network sniffer. After about 10 blocks, I could easily get into no less than 25 wireless routers. They are all configured with the default credentials. Of course, I don't. Sometimes, when it's a law firm, government agency, or some other organization with tons of [other peoples] personal information, I will even call them up and let them know about it, as a courtesy. They usually tell me to take a hike. Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check.

Re:Fankly, I'm suprised

I presume you're being funny. What you're doing there is just as likely to land you in the hoosegow as a suspected terrorist or something of that nature as it is to make you money. This is not a time in U.S. history where being a Good Samaritan is even remotely a good idea.

Re:Fankly, I'm suprised

[canUbeleiveIT]

...that this doesn't happen more often. I can drive through Seattle (and presumably any large city) with my laptop running a wireless network sniffer. After about 10 blocks, I could easily get into no less than 25 wireless routers. They are all configured with the default credentials. Of course, I don't. Sometimes, when it's a law firm, government agency, or some other organization with tons of [other peoples] personal information, I will even call them up and let them know about it, as a courtesy. They usually tell me to take a hike. Then I can show up at their door offering my services as a 'security consultant' (for $200/hr). 'Look here' I say. 'Look how I am easily changing the settings in your router.'. That's usually about the time they wet their $400 slacks and write me a check.
--

"It's a simple question, doctor.
Would you eat the moon if it was made of ribs, or not?"

CORRECTION: Would you eat the moon if it were made of ribs, or not?

In this case, the verb "to be" is in the subjunctive mood, which is used to indicate a situation that is hypothetical, conditional or somehow not certain.

Now, this correction is just a courtesy. However, if you tell me to take a hike, I will show up at your door with A Writer's Reference by Diana Hacker, and you can scratch me out a check. Sorry, I don't know how much you paid for your pants.

Re:Fankly, I'm suprised

[canUbeleiveIT]

You don't correct the grammar of a quote, douchebag.

You do if the quote is quoted incorrectly with poor grammar, douchebag.

Idiots with default passwords get pwnd, news at 11

nothing to see here... move along, folks

DNS cache poisoning

[the_kanzure]

src

The paper shows that BIND 9 DNS queries are predictable i.e. that the source UDP port and DNS transaction ID can be effectively predicted. A predictability algorithm is described that, in optimal conditions, provides very few guesses for the "next" query (10 in the basic attack, and 1 in the advanced attack), thereby overcoming whatever protection offered by the transaction ID mechanism. This enables a much more effective DNS cache poisoning than the currently known attacks against BIND 9. The net effect is that pharming attacks are feasible against BIND 9 caching DNS servers, without the need to directly attack neither DNS servers nor clients (PCs). The results are applicable to all BIND 9 releases [1], when BIND (the named daemon) is in caching DNS server configuration.

Langfeldt's DNS how-to

Most Pooter owners too dumb to own one

If you have a home network, there are several ways to secure it. Every router that I have ever owned have several characteristics. Look for the 'reset' key, make sure it is there and not like Asante where you have to short terminals 3 and 8 on the serial port...showin my age there folks. Make sure it is a real router and not a windows appendage. Do NOT use a PCI modem that you cannot disconnect fast. Use an external modem on a SERIAL port. Do not use a combination cable modem/router. This is foisted on many users, and as a default feature sets up remote administration from the outside. That remote admin 'feature' is 'supposed to allow customer engineers to help......' you out of all your money. Don't surf as administrator if microsoftintheheady or as root if a linux penguin. Thats just askin to get hosed. Yeah, I'm a ramblin old fart, but all these things I have picked up from experience. Definitely change the default password, 'admin' or whatever on the router to something realllly strange and long. Write that password down and put it in your wallet, your wife's ring box, or whatever. Do not even try to memorize it as you will forget it when you need it. Don't use 'DHCP' that routers and network vendors want you to do. This means that all home networks are on 192.168.1.0 or some predictable net address that all hackers try first. Use a REAL network with a real address like 192.168.205.89 or something. This forces hackers to really fail many many times in guessing your network setup. With a real network, hand out your own addresses and make them random in the third and fourth hex digits so that hackers will have to guess out each and every terminal on your net. Now add MAC security to your router so that the hacker not only has to correctly guess from a crore of non standard addresses to address it, but only those with the right computer NIC can even be qualified to guess the password! Having a switch available to shut down suspects in a hurry helps too. I could go on, but if you have followed all this rambling, print it out and do it.

Re:Most Pooter owners too dumb to own one

[adolf]

Good advice.

But you forgot something: When a friend brings their PC/PSP/PS3/Wii/Xbox/iPhone/iPod over, and wants to use it with teh Intarwebs, go ahead and set it up and give them the passphrase and IP assignment, but make sure you destroy your friend before they leave.

You can't allow any chance of your uber-obscurity leaking outside, right? Eventually, you'll eliminate all of your friends, but that has the nice benefit of eliminating the potential leaks.

Naw, better to keep it simple. Don't run as root/admin. Set an unusual password (something other than your SO or child's name is adequate). Set a different, unusual, and lengthy, WAP passphrase. Use the strongest encryption you can with the devices on your network (AES, AES / TKIP, or just TKIP, in order of preference).

Done.

MAC filtering? Disabling DHCP? IP address range hide and seek?

Bullshit. All that does is make it harder for you and the people you trust to use the network. And if I, the creepy dude in the van across the street, get to a point where any of those stupid tricks will start to matter, they won't make any difference at all. If I'm clever enough to get past WAP, then I'm clever enough to clone a MAC address while sniffing past the rest of your security-through-obscurity features.

[And what's all that talk about serial ports? Are we still in 2008, or did we just jump back 10 years?]

Pharming???

[jez9999]

Will these terrible names, which apparently attempt to draw an analogy between a computer-related misdemeanor and some agricultural pastime, never end? I'm just waiting for some guy from F-Secure to call porn 'phucking'.

Re:Let me guess... L: "admin" P: "admin"

[Gideon+Fubar]

There are 3 major combinations of default username/password comnbinations that cover the vast majority of home routers. They are U:admin P:admin, U:admin P:password and U:admin P: (that's right.. NO password.) This is true of Linksys, Dlink, Netgear, etc. With a bit of searching, you can even find this out from their very own websites.

Let me explain

[Pasajero]

I live in Mexico, and yes, the bank name is Banamex (owned by Citibank) and this is how the hack works:

The most prominent ISP in Mexico (Telmex) uses 2wire gateway modems, most of them wireless enabled. Security is turned on by default using serial numbers so no one from outside can login "easily".

However, there is no default security from the inside, so the gusanito.com postcard contains a malicious flash program that sends a special URL to the modem that adds a DNS entry to its local name resolution table pointing www.banamex.com to a pharming site.

Next time you open IE or any other browser and open www.banamex.com you'll get redirected to the other site.

This easily solved putting a user password on the modem configuration, but not all people care to do that.

Re:Let me explain

[nesmex]

Sorry to say this but the attack overrides the modem's password, the attack from Gusanito and similar attacks (ie El Universal) probes with different common 2WIRE router addresses to get to the MDC. Fortunately it is not that elaborated... This attack was reported during late last year. This exploits a vulnerability in 2WIRE modems, as documented in US-CERT http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389
Trend Micro has a more recent report on a variation of this attack http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/
The UNAM-CERT, also has the "Gusanito" exploit documented (spanish only) at http://www.seguridad.unam.mx/doc/?ap=articulo&id=196
The attack overrides the modem's password...

Look for the "https:"

[steveha]

As I understand it, even with this so-called pharming technique, the bad guys still cannot correctly spoof an "https:" page... at least not without compromising the private key used to secure the SSL connection, or compromising the private key of the certificate signing authority.

When I explain to people how to use the Web, I always tell them to look for the security indicators before doing anything involving money.

P.S. I wouldn't be surprised if the bad guys here added Javascript code to their fake bank site, to rewrite the address bar of the web browser to show the "https:". This is why I prefer to do all my online banking with Javascript disabled; thank you, NoScript.

steveha