
Drive-by Pharming in the Wild

Created: 22 Jan 2008 08:00:00 GMT • Updated: 23 Jan 2014 18:42:53 GMT
Zulfikar Ramzan

In a previous blog entry posted almost a year ago, I talked about the concept of a drive-by pharming attack. With this sort of attack, all a victim has to do to be susceptible is view the attacker's malicious HTML or JavaScript code, which could be placed on a Web page or embedded in an email. Because the victim's browser or mail client sends the resulting requests from inside the home network, the attacker's code can reach the home broadband router (whether or not it is a wireless router) and change its DNS server settings. From then on, all future DNS requests would be resolved by the attacker's DNS server, which means the attacker effectively controls the victim's Internet connection.

At the time we described the attack concept, it was theoretical in the sense that we had not seen an example of it "in the wild." That's no longer the case.

We recently saw instances of actual attackers attempting a basic version of drive-by pharming. Given the simplicity of the attack and the potential widespread implications, we always felt that it would simply be a matter of time before it happened. The building blocks have been out there for some time and anyone with sufficient familiarity could easily put them together. I've said before and I'd like to reiterate that the technical details of the attack are not nearly as noteworthy as the potential widespread implications.

In one real-life variant that we observed, the attackers embedded the malicious code inside an email that claimed an e-card was waiting for the recipient at the Web site gusanito.com. The email also contained an HTML IMG tag whose source pointed at the router rather than at an image; when the mail client rendered the message, it issued an HTTP GET request to the router (the make of which is a popular router model in Mexico). The GET request modified the router's DNS settings so that the domain of a popular Mexico-based banking site (as well as other related domains) was mapped to an attacker's Web site. No click was required; rendering the message was enough.

Now, anyone who subsequently tried to go to this particular banking Web site (one of the largest banks in Mexico) from that computer, or from any other machine behind the same router, would be directed to the attacker's site instead. Anyone who transacted with this rogue site would have their credentials stolen.

When we first talked about the drive-by pharming attack concept nearly a year ago, we felt it would be fairly devastating and so we wanted to stay one step ahead of the curve and warn people before it became an issue. As it turned out, the first real-life instance of drive-by pharming that we just witnessed was even more devastating than the original concept we envisioned a while back, because this particular brand of router has a more substantial vulnerability that makes the attack far more potent.

In its original incarnation the drive-by pharming attack required the attacker to correctly guess the administrative password on the victim's router and supply it with the request. Since most people never change this password or, for that matter, even know of its existence, this measure poses little or no impediment for the attacker. So, simply changing the default password to one that is difficult to guess would have sufficed to protect you. In the case of these routers that's not true. It turns out that this particular router accepts the configuration change without any password at all, so the attacker does not even need to try guessing it!

Now that the first instances of the attack have been observed, I expect there to be others. So, I wanted to revisit some of the best practices for protecting yourself.

First, I would still recommend changing the default router password to something that's more difficult to guess. For many other router models, doing so will protect you. Try to choose a more complicated password as that provides you with an added margin of safety. Some people dislike complicated passwords because they fear that they will forget them. That's a non-issue here because if you forget the password you can always perform a hard reset on the router, which would restore the default settings including the default password.

Also, in general I'd recommend that you reset the router anyway before changing your password. This step ensures that if you have already become a victim, you can start with a clean slate (as the DNS server settings are also restored to the default during a hard reset). After the reset, log in to the router and confirm that the DNS server entries show the values you expect (your ISP's servers or ones you chose yourself), then set the new password immediately, since the reset has put the default one back. If you believe you've become a victim, as an added measure look over the Web sites you've visited recently and change any passwords you used there. If you've performed bank account or credit card transactions, notify the appropriate companies as well.

In general, I recommend that you practice good Internet "street smarts." Stick to Web sites that are trustworthy and use caution when clicking on links people send you, even if they come from someone you trust. Furthermore, be careful with emails too. In this case the malicious code payload was delivered via email, so if you don't recognize the sender or if the email obviously seems like junk, just delete it. Don't let your curiosity get the better of you, since the consequences could be devastating.

Finally, it's a good idea to have a comprehensive Internet security software suite running on your computer that includes antivirus, antispyware, PC-level firewall, intrusion detection and prevention, as well as anti-phishing capabilities. Such a suite provides strong defense in depth. Drive-by pharming attacks might be used as a lure to have malicious software installed on your machine or to compromise the integrity of your online transactions. There are some excellent technologies out there for protecting you in such situations, and I strongly advocate using them.

To my surprise it took well over a year from the time I first noticed that drive-by pharming could be a threat to the first instance of it occurring in the wild. That's despite the simplicity of the attack. Unfortunately, the presence of the attack is a clear sign that attackers are continuing to evolve their methods and will go to no ends to achieve their aims.