Drive-By Pharming

Wireless Internet Users’ Vulnerability Found
by: Jerry Liao

Most of my friends are now asking me how to set up wireless Internet at home. And why not: the convenience it gives every member of the family, plus the elimination of wires around the house, is reason enough for users to consider going wireless.

But aside from its advantages, one should also consider its disadvantages, and security is one of them. Recently, Symantec Corp., in conjunction with the Indiana University School of Informatics, uncovered a significant new security threat. In this attack, dubbed “Drive-by Pharming”, consumers may fall victim to pharming by having their home broadband routers reconfigured by a malicious web site. According to a separate informal study conducted by Indiana University, up to 50 percent of home broadband users are susceptible to this attack.

Pharming is about redirecting a user to a spoofed web site by ‘poisoning’ the Domain Name System (DNS) server the user relies on. Poisoning a DNS server means changing the record for a domain so that the user is sent to a web site different from the one intended, unbeknownst to the user. Other pharming variants use Trojan horses, worms or similar malware to tamper with name resolution on the victim’s own machine, so that typing a legitimate address into the browser’s address bar still lands the user on the fraudulent site.

Drive-by pharming is a new type of threat in which a user visits a malicious web site and the attacker is then able to change the DNS settings on the user’s broadband router or wireless access point. DNS servers are computers responsible for resolving Internet names into their real “Internet Protocol” or IP addresses, functioning as the “signposts” of the Internet: for two computers to connect to each other over the Internet, each needs to know the other’s IP address. A home router normally hands its DNS server setting to every computer on the home network, so changing that one setting on the router redirects every device behind it. Drive-by pharming is made possible when a broadband router is not password protected, or when the attacker can guess the password; for example, most routers come with a well-known default password that the user never changes.

Drive-by pharming uses JavaScript served by the malicious web site to change the settings of the user’s home broadband router. When the user loads the malicious page, the script makes the victim’s own browser send requests to the router’s web administration interface on the local network, supplying the default administrator password, and those requests rewrite the router’s DNS settings. In effect it is a cross-site request forgery against the router, so no flaw in the router’s software is needed, only the unchanged password. From then on, every time the user browses to a web site, DNS resolution (the lookup that turns a site’s name into its IP address) is performed by a server the attacker controls, which gives the attacker complete discretion over where the victim ends up. The user may think they are visiting their online banking web site when in reality they have been sent to the attacker’s copy of it.
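How a browser-side check against this pattern might look, as an added example. This is not code from the article, from Symantec or from Indiana University; the function names (isPrivateIPv4, classifyRequest, auditPage), the attacker.example origin, the 192.168.1.1 router address and its /admin path are all assumptions made for illustration. The policy flags the two things a drive-by pharming page has to do: reach from a public Internet origin into private (RFC 1918) address space, and carry a credential to the router. It is also the kind of rule the client-side and browser-embedded protection mentioned later in the article would apply.

```javascript
// Added example, not from the original article or from Symantec/Indiana University.
// Models a browser-side policy against drive-by pharming: a page served from a
// public Internet origin must not be allowed to drive requests at a router's
// administrative interface on the private LAN. All names and addresses below
// are assumptions for illustration.

// Parse a dotted-quad IPv4 literal into four octets, or null if host is not one.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for the RFC 1918 private ranges plus loopback and link-local, i.e. the
// address space where a home router's admin interface normally lives.
function isPrivateIPv4(host) {
  const o = parseIPv4(host);
  if (!o) return false;
  const [a, b] = o;
  return (
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    a === 127 ||
    (a === 169 && b === 254)
  );
}

// Decide whether a sub-resource request issued by a page loaded from pageOrigin
// should be blocked. Two signals, either of which is enough:
//   1. a public-origin page reaching into private address space;
//   2. credentials embedded in the URL (how a default password gets delivered).
function classifyRequest(pageOrigin, requestUrl) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl);
  const reasons = [];
  if (!isPrivateIPv4(page.hostname) && isPrivateIPv4(target.hostname)) {
    reasons.push("public origin reaching into private address space");
  }
  if (target.username !== "" || target.password !== "") {
    reasons.push("credentials embedded in URL");
  }
  return { block: reasons.length > 0, reasons };
}

// Audit every request a page makes and return only the ones to block.
function auditPage(pageOrigin, requests) {
  return requests
    .map((url) => ({ url, ...classifyRequest(pageOrigin, url) }))
    .filter((r) => r.block);
}

// Constructed sample input: a hypothetical malicious page at attacker.example
// loading two ordinary resources and two requests aimed at a home router at
// 192.168.1.1, with a placeholder default credential and admin path.
const SAMPLE_PAGE = "http://attacker.example/";
const SAMPLE_REQUESTS = [
  "http://attacker.example/logo.png",
  "http://cdn.example/lib.js",
  "http://admin:admin@192.168.1.1/admin",
  "http://192.168.1.1/admin",
];

const FLAGGED = auditPage(SAMPLE_PAGE, SAMPLE_REQUESTS);
for (const r of FLAGGED) {
  console.log(`BLOCK ${r.url}: ${r.reasons.join("; ")}`);
}
```

Run with node; it reports the two router-directed requests and lets the ordinary ones through, while a page that is itself served from the LAN (the router’s own interface, for instance) may still talk to LAN addresses. The weak point is that the rule inspects the hostname in the URL: a public DNS name that the attacker points at 192.168.1.1 would pass it, so a filter of this kind has to be applied to the resolved address of the actual connection rather than to the URL text, and a unique router password remains necessary even with such a filter in place.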

These fraudulent sites are near-exact replicas of the real ones, so the user is unlikely to notice the difference. Once the user lands on the pharmer’s “bank” site and enters a user name and password, the attacker captures the credentials and can then log in to the victim’s account on the real bank site to transfer funds, open new accounts or write checks. One check a careful user can still rely on: the attacker’s copy cannot present a valid certificate for the bank’s name, so on an HTTPS banking site the browser will warn about the certificate, and the attack depends on the victim clicking through that warning or on the login page being served over plain HTTP.

Symantec Security Response recommends that users employ a multi-layered protection strategy:

• Make sure their routers are protected by a unique administrator password. Most routers come with a default administrator password that is easy for pharmers to guess or look up.
• Use an Internet security solution that combines anti-virus, firewall, intrusion detection and vulnerability protection.
• Avoid clicking on links that seem suspicious, for example those sent in e-mail from someone you don’t recognize.

Existing security products cannot protect against this type of attack, because drive-by pharming targets the user’s router directly while those products only protect the user’s computer. Symantec’s Consumer Business Unit has been working on client-side technologies to address the problem: the goal is to automatically impede the attack with a number of techniques embedded in the client, in its network stack and in the browser.

So I guess the security firms are saying: why have I not thought of that? It is good that we have discovered this kind of attack, but in general we are still producing reactive solutions rather than proactively solving the problem.

My question is still the same: why are the attackers always one step ahead of the security experts? Are the attackers smarter? This is exactly the reason for the notion that security firms or experts are the ones supporting the attackers or virus writers. Until we reach a proactive state of securing computers, this belief will always exist. And who knows, the day may come when this belief becomes a reality. The responsibility of proving us users wrong rests on the shoulders of the security firms – and we are waiting for your actions.
