Home routers in danger
In a blog entry, security specialist Symantec has issued a warning about attacks on routers with default passwords. Attackers may be able to reconfigure the DNS server entry to reroute a victim's Internet traffic over a malicious server. In this procedure, called "pharming", attackers might be able to get access to the user's sensitive data or inject malicious software onto home PCs. The antivirus vendor bases its conclusions on a scientific study entitled "Drive-by Pharming" and published last December by Sid Stamm and Markus Jakobsson from the University of Indiana and Symantec's Zulfikar Ramzan.
which enters the IP address 188.8.131.52 as the DNS server, which is in turn transmitted via DHCP to all clients in the local network. The clients then call DNS server 184.108.40.206 for the IP address for, for example, www.heise-security.co.uk, in which case they might then receive an answer like 220.127.116.11.
In addition to the obvious remedy of changing the router's default password, the researchers also recommend some general steps that can be taken to protect yourself against browser attacks from the internal network and against pharming. First, they recommend switching to digitally signed Java applets whenever possible and imposing strict restrictions on unsigned, "untrusted" applets for access to the network. In addition, they say that Internet providers can also help prevent pharming attacks by permitting DNS traffic only to their own name servers.
- Technical Report TR641: Drive-By Pharming, White Paper by Stamm, Ramzan and Jakobsson