A very simple solution (for home users at least, although could be implemented to commercial/enterprise as well) to this dilemma would be to block access/pop-up warning message for all traffic from the Internal LAN IPs to Internal LAN based webpages (port 80,81,8080 and 443)... i.e. MOST modems serve their mgmt page via http://198.168.100.1 Block all access to that IP, end of story :)
Aras "Russ" Memisyazici [EMAIL PROTECTED] Outreach Information Services Virginia Polytechnic Institute & State University (Virginia Tech) -----Original Message----- From: "Dennis" <[EMAIL PROTECTED]> To: "Mark Senior" <[EMAIL PROTECTED]> Cc: "Zulfikar Ramzan" <[EMAIL PROTECTED]>; "[email protected]" <[email protected]> Sent: 2/16/07 4:53 PM Subject: Re: Drive-by Pharming Threat I also have one of these 2Wire modems. In my endeavors I've noticed that if the admin password is lost, it can be recovered by a challenge/response code. Has anyone ever figured out this algorithm? On 2/16/07, Mark Senior <[EMAIL PROTECTED]> wrote: > My ISP issues 2Wire modem/router/WAP boxes now. I found it very > interesting to explore what (few) changes require a password and what > ones do not. > > In particular, packet filter and port forwarding changes require no > password at all - so changing your password on the router wouldn't do > you any good against driveby changes to those settings. I'll have to > look when I get home whether DNS server changes would. > > A bit OT, but there's also the fact that since these devices are > considered ISP equipment - they include the modem that connects to > telco lines - the ISP has one, global, password for all home routers > on their network, and can admin them from the 'outside' of your home > network. Given big telco security standards, not a very reassuring > thought. > > Regards > Mark > > On 2/15/07, Zulfikar Ramzan wrote: > > We discovered a new potential threat that we term "Drive-by Pharming". An > > attacker can create a web page containing a simple piece of malicious > > JavaScript code. When the page is viewed, the code makes a login attempt > > into the user's home broadband router and attempts to change its DNS server > > settings (e.g., to point the user to an attacker-controlled DNS server). > > Once the user's machine receives the updated DNS settings from the router > > (e.g., after the machine is rebooted) future DNS request are made to and > > resolved by the attacker's DNS server. > > > > The main condition for the attack to be successful is that the attacker can > > guess the router password (which can be very easy to do since these home > > routers come with a default password that is uniform, well known, and often > > never changed). Note that the attack does not require the user to download > > any malicious software - simply viewing a web page with the malicious > > JavaScript code is enough. > > > > We've written proof of concept code that can successfully carry out the > > steps of the attack on Linksys, D-Link, and NETGEAR home routers. If users > > change their home broadband router passwords to something difficult for an > > attacker to guess, they are safe from this threat. > > > > Additional details on the attack can be found at: > > http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html > > > > Thanks, > > > > Zulfikar Ramzan > > > > > > ________________________________________ > > > > Zulfikar Ramzan > > Sr. Principal Security Researcher > > Advanced Threat Research > > Symantec Corporation > > www.symantec.com > > ----------------------------------------------------- > > ----------------------------------------------------- > > This message (including any attachments) is intended only for the use of > > the individual or entity to which it is addressed and may contain > > information that is non-public, proprietary, privileged, confidential, and > > exempt from disclosure under applicable law or may constitute as attorney > > work product. If you are not the intended recipient, you are hereby > > notified that any use, dissemination, distribution, or copying of this > > communication is strictly prohibited. If you have received this > > communication in error, notify us immediately by telephone and (i) destroy > > this message if a facsimile or (ii) delete this message immediately if this > > is an electronic communication. Thank you. > > > > > > >
