Tuesday, January 22, 2008

Symantec reports sighting drive-by pharming in the wild

We hear a lot about phishing, but we don't see a whole lot written about pharming. According to a blog post on Symantec's blog by Zulfikar Ramzan, we might start seeing pharming mentioned a lot more than it has been in the past.

According to Zuftikar, the first instances of drive by pharming are being seen in the wild (on the Internet). This means a computer can be infected by merely viewing a e-mail, or website without clicking on a attachment, or link.

"Pharming (pronounced farming) is a Hacker's attack aiming to redirect a website's traffic to another, bogus website. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software," according to Wikipedia.

In Zuftikar's own words:

In a previous blog entry posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim would have to do to be susceptible is simply view the attacker’s malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. The attacker’s malicious code could change the DNS server settings on the victim’s home broadband router (whether or not it’s a wireless router). From then on, all future DNS requests would be resolved by the attacker’s DNS server, which meant that the attacker effectively could control the victim’s Internet connection.

Here is a further description of the activity seen in the wild, which reveals how deceptive (not to mention deadly) this type of pharming attack could be:

In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed it had an e-card waiting for you at the Web site gusanito.com. Unfortunately the email also contained an HTML IMG tag that resulted in an HTTP GET request being made to a router (the make of which is a popular router model in Mexico). The GET request modified the router’s DNS settings so that the URL for a popular Mexico-based banking site (as well as other related domains) would be mapped to an attacker’s Web site.

Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) using the same computer would be directed to the attacker’s site instead. Anyone who transacted with this rogue site would have their credentials stolen.
Please note that many users fail to change preset (factory) passwords, which leaves hardware vulnerable to being compromised. These preset passwords aren't very difficult for those with malicious intent to get their greedy paws on. I've even run into preset passwords on technical manuals posted on the Internet.

What is SCARY in this instance is that the specific router targeted in this attack didn't need a password to compromise the system.

Quite simply, the router didn't authenticate the request.

The malicious code which makes this attack possible can be inserted on the inside of a e-mail message, or directly off a web page. It isn't necessary to click on something to start the execution (pardon the pun) process.

Once this occurs, the hacker controls your router and can send you anywhere they want to.

Zuftikar offers a lot of sound recommendations on how to protect yourself from pharming attacks.

Note that he still recommends changing the factory preset passwords on any router you might own. The problem in the instance observed occurred with a particular type (brand) of router.

To view these recommendations, I recommend you read his interesting post, which can be seen, here.

No comments: