Slashdot Mirror


Exploit Kit Delivers Pharming Attacks Against SOHO Routers

msm1267 writes: For the first time, DNS redirection attacks against small office and home office routers are being delivered via exploit kits. French security researcher Kafeine said an exploit kit has been finding success in driving traffic from compromised routers to the attackers' infrastructure. The risk to users is substantial, he said, ranging from financial loss, to click-fraud, man-in-the-middle attacks and phishing.

31 comments

  1. Then turn them off by Anonymous Coward · · Score: 0, Funny

    Quick, everyone turn off their routers! It would probably improve a lot of the Internet anyway. Just think, no more reading dumb comments.

    1. Re: Then turn them off by Anonymous Coward · · Score: 5, Funny

      "Just think, no more reading dumb comments."

      I'm feeling an overwhelming irony here...

  2. UNIX Only by Anonymous Coward · · Score: 0

    This is UNIX Only.

    1. Re:UNIX Only by OhSoLaMeow · · Score: 4, Funny

      This is UNIX Only.

      I know this.

      --
      They can take my LifeAlert pendant when they pry it from my cold dead fingers.
  3. Know Thy DNS IPs! by hamsterz1 · · Score: 2

    This makes a good case for knowing as much as possible about your router/modem's settings. Also I go to "grc.com" and use the "Shields Up" page to test my router's port settings. I also like to use "OpenDNS" for my DNS servers. Even the paranoid are right sometimes. :)

    1. Re:Know Thy DNS IPs! by WD · · Score: 1

      That's nice, but nothing that you describe helps protect against the vulnerability described.

    2. Re:Know Thy DNS IPs! by hamsterz1 · · Score: 1

      This makes a good case for knowing as much as possible about your router/modem's settings. Also I go to "grc.com" and use the "Shields Up" page to test my router's port settings. I also like to use "OpenDNS" for my DNS servers. Even the paranoid are right sometimes. :)

      PS OpenDNS allows you to set security settings on your own dashboard page, and it's FREE for home users.

    3. Re:Know Thy DNS IPs! by hamsterz1 · · Score: 1

      That's nice, but nothing that you describe helps protect against the vulnerability described.

      Then what would protect against this type of attack? I tried to find new firmware for my router, but no updates are available. Perhaps you can give me some advice, as I would like to learn something from this attack.

    4. Re:Know Thy DNS IPs! by Anonymous Coward · · Score: 1

      Block ads and JavaScript. No ads, and you are way less likely to get this. No JavaScript and it won't work at all. What really needs to be done is to have all browsers deny access to local addresses by any tab that loads anything from the Internet. NoScript has ABE, which does that, but I'm not aware of any browser that does it by default; plus, NoScript doesn't help you as this seems to target Chrome browsers as an easier vector.

    5. Re:Know Thy DNS IPs! by hamsterz1 · · Score: 1

      Block ads and JavaScript. No ads, and you are way less likely to get this. No JavaScript and it won't work at all. What really needs to be done is to have all browsers deny access to local addresses by any tab that loads anything from the Internet. NoScript has ABE, which does that, but I'm not aware of any browser that does it by default; plus, NoScript doesn't help you as this seems to target Chrome browsers as an easier vector.

      Thanks for your advice I will take it to heart. :)

    6. Re:Know Thy DNS IPs! by WD · · Score: 4, Informative

      Yeah, that helps for sure. The other option is to see if there's a 3rd-party firmware for the router. The firmwares that come with home equipment out of the box are often pretty poor. And are often abandoned after they are shipped. However, something like dd-wrt / openwrt / tomato is likely to be better supported.

    7. Re:Know Thy DNS IPs! by hamsterz1 · · Score: 1

      Yeah, that helps for sure. The other option is to see if there's a 3rd-party firmware for the router. The firmwares that come with home equipment out of the box are often pretty poor. And are often abandoned after they are shipped. However, something like dd-wrt / openwrt / tomato is likely to be better supported.

      Thanks I will check all three, to see if my router is supported by any of the above.:)

    8. Re:Know Thy DNS IPs! by Anonymous Coward · · Score: 0

      Can anything be trusted? Don't expect the usual DNSes to take you to the real wikyleeks! What's the IP address for them?

      Should hardware vendors face product liability suits when there is security negligence and a lack of a support path?

      With reports of government agencies patching compilers to put holes in everything built, and past reports of repositories being compromised, extra eyes verifying the wholesomeness of the FOSS offerings is prudent too.

      If your router is already hosed, then new firmware you DL for it may be ...?? Are the tools readily available for mere mortals to compile firmware from source?

      How about developer tools, source and docs for the firmware in Flash on our hard drives?
      What's in there doesn't really matter now does it?
      Who has had a look at that??

      Will all who don't have hardware switches to disable unplanned flash writes in your systems please raise your legs high in the air now? (for your convenience, we've turned on your cams for this survey)

    9. Re:Know Thy DNS IPs! by Anonymous Coward · · Score: 0

      Are any of those actively maintained? AFAIK, dd-wrt and tomato haven't had a stable release in 5 years.
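
The thread above argues over whether "knowing your DNS IPs" helps against a router whose upstream resolver has been silently rewritten. The concrete check that does help is the one hamsterz1 gestures at: (a) compare the resolvers your router is actually handing out against the list you configured, and (b) ask the router's resolver and an independent trusted resolver for the same name and see whether the answers overlap. The script below does both over RFC 1035 wire format. It is an added example, not code from the article or from Kafeine's write-up; the allowlist (OpenDNS's 208.67.222.222 and 208.67.220.220), the domain `bank.example` and the addresses in the constructed replies are placeholders, and `build_response` is a test fixture that stands in for a live resolver so the example runs offline. Attaching a UDP socket to `build_query`/`parse_a_records` turns it into a real probe.

```python
"""Verify router-advertised DNS resolvers and compare their answers with a trusted resolver."""
import struct

# Resolvers the operator expects the router to hand out (assumed allowlist; OpenDNS here).
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def build_query(name, txid):
    """Standard A query (RD=1) in RFC 1035 wire format: 12-byte header + QNAME + QTYPE/QCLASS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer (two high bits set)
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2  # stream position resumes after the first pointer
            hops += 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, expected_txid):
    """Return the set of IPv4 addresses in the answer section; reject spoofed or failed replies."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not match our query")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(".".join(str(b) for b in rdata))
    return answers


def build_response(query, addrs):
    """Constructed reply to `query` (test fixture only; a real resolver would send this)."""
    txid = struct.unpack(">H", query[:2])[0]
    qname_end = query.index(b"\x00", 12) + 1
    question = query[12:qname_end + 4]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR=1, RD=1, RA=1
    rrs = b""
    for a in addrs:
        # NAME is a pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL 300.
        rrs += b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    return header + question + rrs


def unexpected_resolvers(configured, allowlist):
    """Resolvers the router hands out that are not on the operator's allowlist."""
    return set(configured) - set(allowlist)


def pharming_suspected(router_answers, trusted_answers):
    """Addresses only the router's resolver returned, when nothing overlaps with the trusted answer.
    CDN-backed names legitimately rotate records, so any overlap is treated as benign."""
    if set(router_answers) & set(trusted_answers):
        return set()
    return set(router_answers) - set(trusted_answers)


def demo():
    """Walk through one hijacked-router scenario with constructed replies."""
    txid = 0x1234
    q = build_query("bank.example", txid)
    trusted = parse_a_records(build_response(q, ["198.51.100.10"]), txid)   # trusted resolver
    via_router = parse_a_records(build_response(q, ["203.0.113.66"]), txid)  # router's resolver
    return (unexpected_resolvers(["203.0.113.5"], EXPECTED_RESOLVERS),
            pharming_suspected(via_router, trusted))


if __name__ == "__main__":
    print(demo())
```

Two caveats when running this against a live network: use an independent path (a trusted resolver reached directly by IP, or a second uplink) for the comparison, since a hijacked router can answer on behalf of any resolver it intercepts; and treat mismatches on CDN-hosted names as a prompt to look, not as proof.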

  4. Don't buy a router unless it supports openwrt. by anwyn · · Score: 4, Interesting
    This gives you the option to install free software that
    • avoids deliberate company installed backdoors.
    • has bugs fixed on a regular basis
    • will work with IPv6
    • can be modified for unusual configurations.
    1. Re:Don't buy a router unless it supports openwrt. by Anonymous Coward · · Score: 0

      This gives you the option to install free software that
      • avoids deliberate company installed backdoors.
      • has bugs fixed on a regular basis
      • will work with IPv6
      • can be modified for unusual configurations.

      I like open source but let's not invent silly excuses. Open source software is not bug fixed on a regular basis. It is fixed only if the project is popular enough. And even then problems arise, see the Open SSH fiasco.

    2. Re:Don't buy a router unless it supports openwrt. by jbmartin6 · · Score: 2

      I expect parent was saying that OpenWRT has bugs fixed regularly, and was not making a claim for free software in general. Also, free software is not the same as open source software. :)

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    3. Re:Don't buy a router unless it supports openwrt. by Anonymous Coward · · Score: 2, Insightful

      This gives you the option to install free software that
      • avoids deliberate company installed backdoors.
      • has bugs fixed on a regular basis
      • will work with IPv6
      • can be modified for unusual configurations.

      I like open source but let's not invent silly excuses. Open source software is not bug fixed on a regular basis. It is fixed only if the project is popular enough. And even then problems arise, see the Open SSH fiasco.

      The modularity inherent in open source projects like OpenWRT actually offers VERY fast bugfix turnaround because the underlying packages are individually very popular and get updated and ported with ease. OpenWRT is a great example of Open Source done right.

    4. Re:Don't buy a router unless it supports openwrt. by bloodhawk · · Score: 1

      Has openwrt become more usable? I was using it up until about 12-18 months ago. The constant stability issues combined with arcane/not working configuration items and finding myself constantly downloading and testing various mods to get around problems just got too frustrating and time consuming to be worth it for me.

  5. look out by Anonymous Coward · · Score: 0

    Cue the flood of crap posts about hosts files for security in 5... 4... 3...

    1. Re:look out by bobbied · · Score: 1

      What? Host file security? Not unless you fully disable NSLOOKUP, which is not that easy to do.... Why not just bypass all this and use DNS servers that you control and block DNS services for everything else? Much more secure than hosts files....

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
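
bobbied's suggestion (run resolvers you control and block DNS to everything else) is straightforward to express on a router running OpenWrt, which several posts above recommend. The fragment below is an added example, not configuration from the article or from any poster: it redirects every LAN-side DNS request to the router's own dnsmasq, rejects DNS that tries to leave the LAN for the WAN directly, and pins the upstream resolvers dnsmasq forwards to. The OpenDNS addresses are placeholders for whichever resolvers you trust; zone names `lan` and `wan` are OpenWrt's defaults.

```uci
# /etc/config/firewall (additions)

# Send every LAN-side DNS request (UDP and TCP port 53) to the router's own
# resolver, regardless of which server the client asked for. With no dest_ip,
# an OpenWrt DNAT redirect targets the router itself.
config redirect
	option name 'Intercept-LAN-DNS'
	option src 'lan'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'

# Refuse to forward DNS from the LAN straight to the WAN, so a client pointed
# at an attacker's resolver gets no answer. The router's own upstream queries
# leave through the output chain, which this forwarding rule does not touch.
config rule
	option name 'Block-LAN-DNS-to-WAN'
	option src 'lan'
	option dest 'wan'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'REJECT'

# /etc/config/dhcp: add to the existing 'config dnsmasq' section (do not add a
# second one). Pin the upstreams and ignore resolvers the ISP's DHCP offers, so
# a DHCP-supplied or web-UI-altered upstream cannot silently replace them.
config dnsmasq
	list server '208.67.222.222'
	list server '208.67.220.220'
	option noresolv '1'
```

Apply with `/etc/init.d/firewall restart` and `/etc/init.d/dnsmasq restart`. The caveat that matters for this article: the attack rewrites the router's own settings through its management interface, so this only holds if that interface is not reachable from the open web and not driveable by cross-site requests from a LAN browser; third-party firmware you keep updated and an admin UI bound to the LAN with a strong password are the preconditions, not optional extras.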
  6. What's a good router with minimum feature set? by ggraham412 · · Score: 1

    What's a good router to buy for home / small business that has a minimum feature set (uses DHCP, has some static IP addresses, has a LAN-only config web page, no stupid app store in my router, and no remote access, etc.)?

    I have a Linksys EA6900, and it makes me nervous because it is chock full of features that I don't use and I never plan on using. Each and every one is probably an exploit waiting to happen. Personally, I think if such routers are easily hacked because of poorly implemented features and are responsible for fraud, they should be considered fodder for product liability lawsuits.

    1. Re:What's a good router with minimum feature set? by oldguy62 · · Score: 1

      mikrotik 2011 -- nuf said

    2. Re:What's a good router with minimum feature set? by bobbied · · Score: 1

      Anything that runs OpenWRT..... Even a consumer model... In fact, I think your existing hardware is supported, albeit it's not being claimed as "stable" yet.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    3. Re:What's a good router with minimum feature set? by Gravis+Zero · · Score: 3, Interesting

      mikrotik 2011 -- nuf said

      mikrotik makes routerboard routers, so that would be RB2011

      The RB2011Ui is a low cost multi port device series. Designed for indoor use, and available in many different cases, with a multitude of options.

      The RB2011 is powered by RouterOS, a fully featured routing operating system which has been continuously improved for fifteen years. Dynamic routing, hotspot, firewall, MPLS, VPN, advanced quality of service, load balancing and bonding, real-time configuration and monitoring - just a few of the vast number of features supported by RouterOS.

      RouterBOARD 2011UiAS-2HnD has most features and interfaces from all our Wireless routers. It’s powered by the new Atheros 600MHz 74K MIPS network processor, has 128MB RAM, five Gigabit LAN ports, five Fast Ethernet LAN ports and SFP cage (SFP module not included!). Also, it features powerful 1000mW dual chain 2.4GHz (2312-2732MHz depending on country regulations) 802.11bgn wireless AP, RJ45 serial port, microUSB port and RouterOS L5 license, as well as desktop case with power supply, two 4dBi Omni antennas and LCD panel, all this for only $129!

      Tested and recommended to use with MikroTik SFP modules: S-85DLC05D, S-31DLC20D and S-35/53LC20D (not included)

      RouterBOARD 2011UAS-2HnD-IN comes with desktop enclosure, LCD panel and power supply.

      Wall mount kit (product code RBWMK) for network closet is available for purchase as an optional accessory.
      The RB2011Ui also has passive PoE output capability on the last port (ETH10), this means you can power another device just by connecting it over regular Ethernet cable

      seriously, minimum feature set? it has its own fucking LCD!

      --
      Anons need not reply. Questions end with a question mark.
    4. Re:What's a good router with minimum feature set? by Anonymous Coward · · Score: 0

      Fanless x86 PC combined with pfSense is the gold standard. You could even put it on a refurbished dual-core PC from yesteryear for $100-$150 (you'll usually need to buy 1-2 network cards, probably spend more on cards than on the PC). Low-power and fanless is more expensive, but less electricity to run.

  7. Hosts complement DNS/fix its issues... apk by Anonymous Coward · · Score: 0

    See subject: & for less resources consumed + less "moving part" for breakdown OR exploitation:

    APK Hosts File Engine 9.0++ SR-2 32/64-bit:

    http://start64.com/index.php?o...

    FREE & adds speed, security, + reliability, doing more with less, more efficiently vs. addons + fixes DNS' redirect security issues!

    Local hosts files consume less power vs. DNS!

    Especially vs. LOCALLY installed DNS servers (especially on a separate machine but less on same single system but still there) & they definitely consume more CPU cycles, RAM, & other forms of I/O needlessly + add complexity of setup + deny tables are MORE COMPLEX to write than simple hosts blocking entries are by far...

    HOWEVER:

    Hosts, when combined w/ a filtering REMOTE DNS, such as OpenDNS (patched vs. the Kaminsky redirect flaw, 99.999% of ISP DNS aren't + OpenDNS filters threats), hosts & remote DNS complement one another like 'bread & butter' do!

    Using my program shown below, one can place their favorite websites they spend MOST of their time online @ the TOP of a custom hosts file which caches into RAM (for me, that's like 95++% locally queried FASTER from hosts with no remote query-turnaround timelag OR risk of redirection poisonings), & resolves as FAST as possible (since hosts are the 1st thing queried by the IP stack by default).

    BONUS for DNS admins: Hosts lighten up the request load, making the server work less, thus less chance for breakdown + power consumption too!

    * :)

    (By "yours truly"... Accept NO substitutes & ENJOY!)

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    APK

    P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

    ...apk

    1. Re:Hosts complement DNS/fix its issues... apk by Anonymous Coward · · Score: 0

      So what I'm hearing is I should use OpenDNS.

  8. Possible Caveat/"Catch-22" (AD).... apk by Anonymous Coward · · Score: 0

    See subject: Using OpenDNS on a network that has a directory service like Active Directory CAN be "problematic" so, that advice is NOT for Network Admins in companies... It can mess up MX records, so that Exchange + Outlook will NOT function correctly, as 1 possible symptom of it.

    APK

    P.S.=> I've run into it before, but my previous advice is FINE for local systems @ home (not on a LAN or much less a corporate WAN etc. - et al), especially 'stand-alone' SINGLE systems MOST folks have vs. home networks on AD... apk

  9. Combined w/ hosts? Yes (beware though)... apk by Anonymous Coward · · Score: 0

    OpenDNS = fully patched vs. the Kaminsky redirect poisoning security flaw (99.999% of ISP DNS aren't)!

    IMPORTANT - SEE SUBJECT:

    See this 'downside' in CORPORATE settings http://it.slashdot.org/comment...

    (See subject - ESPECIALLY when combined with a GOOD custom hosts file as was detailed IN DETAIL as to how/why http://it.slashdot.org/comment... )

    FACT: Hosts save you from the remote query-turnaround resolution time resolved from the TOP of your custom hosts file that my program creates?

    THAT rivals up to 3++ MILLION remoted indexed query speeds from DNS easily!

    (Do the math via binary search pattern on 30 or so of your favorite sites placed @ the TOP of your custom hosts file you create (see below, from 10 reputable sources in the security community that produce that data), where YOU spend MOST of your time online at & see).

    It works!

    (& to BOTH speed you up in that AND secure you additionally vs. redirects by AVOIDING DNS totally (along with DNSBL's you don't like & DNS request logs tracking too as GOOD 'side-effects' thereof along with reliability + better speed gained in using hosts))

    OpenDNS' "FREEBIE" model = fine, & no 'tracking cookies' etc./et al result either afaik...

    APK

    P.S.=> APK Hosts File Engine 9.0++ SR-2 32/64-bit: http://start64.com/index.php?o...

    AND?

    MalwareBytes' hpHosts Admin (MalwareBytes employee) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus http://www.av-test.org/en/news...

    ... apk

  10. easy to say it in a different angle by Anonymous Coward · · Score: 0

    DNS redirection is from changing the SSID to scoop up the connection and reroute it to a new system or network. It is a feature and people exploit it. It is for a pool of access to computers and if a router goes down then it transparently redirects to another one. I would just connect by MAC address. Maybe there is a security app in windows that protects against SSID redirection. It is popular in free wifi spots to act as a bridge and switch. :)