Drive-by Pharming Threat
We discovered a new potential threat that we term "Drive-by Pharming". An attacker can create a web page containing a simple piece of malicious JavaScript code. When the page is viewed, the code makes a login attempt into the user's home broadband router and attempts to change its DNS server settings (e.g., to point the user to an attacker-controlled DNS server). Once the user's machine receives the updated DNS settings from the router (e.g., after the machine is rebooted), future DNS requests are made to and resolved by the attacker's DNS server.

The main condition for the attack to be successful is that the attacker can guess the router password (which can be very easy to do since these home routers come with a default password that is uniform, well known, and often never changed). Note that the attack does not require the user to download any malicious software - simply viewing a web page with the malicious JavaScript code is enough.

We've written proof of concept code that can successfully carry out the steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users change their home broadband router passwords to something difficult for an attacker to guess, they are safe from this threat.

Additional details on the attack can be found at:
http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
Thanks,
Zulfikar Ramzan
________________________________________
Zulfikar Ramzan
Sr. Principal Security Researcher
Advanced Threat Research
Symantec Corporation
www.symantec.com
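One host-side way to notice the outcome the post describes (a router silently handing clients an attacker's resolver) is to compare the nameservers a machine actually received against the ones the user or ISP is known to use. The script below is an added example, not code from the original post or from Symantec; the resolv.conf contents, the allowlist and the addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample of a host's resolver configuration after DHCP from a
# router whose DNS settings were changed; the addresses are placeholders.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
search home.lan
nameserver 192.168.1.1
nameserver 203.0.113.53
"""

# Assumed allowlist: resolvers the user or ISP legitimately configured.
TRUSTED_RESOLVERS = {"192.168.1.1", "198.51.100.10"}

# RFC 1918 ranges: a LAN address here is normally the router itself acting
# as a DNS forwarder, so it is not flagged by this check.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # ignore malformed entries
    return servers


def find_untrusted_resolvers(resolv_conf_text, trusted=TRUSTED_RESOLVERS):
    """Return nameservers that are neither allowlisted nor on the LAN.

    A pharmed router typically pushes a public, attacker-controlled resolver
    to its clients, so a non-LAN address missing from the allowlist is the
    indicator worth alerting on.
    """
    flagged = []
    for server in parse_nameservers(resolv_conf_text):
        addr = ipaddress.ip_address(server)
        if server in trusted or any(addr in net for net in LAN_NETWORKS):
            continue
        flagged.append(server)
    return flagged


if __name__ == "__main__":
    print("unexpected resolvers:", find_untrusted_resolvers(SAMPLE_RESOLV_CONF))
```

This only catches the case where the router hands the attacker's resolver directly to clients; if the router forwards DNS for the LAN itself, the router's own upstream DNS setting has to be inspected instead.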