Drive-By Pharming: How Clicking on a Link Can Cost You Dearly 

02-15-2007 03:00 AM

I wanted to talk about a recent new attack, called Drive-By Pharming, which I co-developed with Sid Stamm and Markus Jakobsson of the Indiana University School of Informatics. It allows attackers to create a Web page that, simply when viewed, results in substantive configuration changes to your home broadband router or wireless access point. As a result, attackers gain complete control over the conduit by which you surf the Web, allowing them to direct you to sites they designed (no matter what Web address you direct your Web browser to).

I believe this attack has serious widespread implications and affects many millions of users worldwide. Fortunately, this attack is easy to defend against as well. In this blog entry, I’ll describe the attack, mention some prior related work, and then go over best practices.

How the attack works:

I’ll start with a high-level real-world analogy of this attack. Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. When you do business with this fake bank, you’ll give up all your sensitive bank account information. However, you’ll never realize that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.

Now, let’s go into a slightly more technical description. The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross Site Request Forgery’ and logs into your local home broadband router. Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the user’s DNS server settings.
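To make the mechanism concrete from the router's side, here is an added toy model of a router admin page (constructed for this post, not code from any real router firmware or from the authors). It shows why an interface that checks only the password accepts a form submitted by a page on another site, and how the standard CSRF defence (a per-session token the foreign page cannot read, plus a same-origin check on the Origin/Referer header) rejects it while still letting the owner change settings. The router address, resolver addresses and the "attacker.example" origin are all constructed values.

```python
"""Toy router admin interface, constructed for illustration only.
Not code from any real router firmware. All addresses are constructed."""
import secrets
from dataclasses import dataclass, field

ROUTER_HOST = "192.168.1.1"        # assumed LAN address of the router
ISP_RESOLVER = "198.51.100.53"     # constructed ISP-assigned DNS server
ROGUE_RESOLVER = "203.0.113.53"    # constructed attacker-controlled resolver


@dataclass
class RouterState:
    password: str = "admin"        # factory default left unchanged, as the post describes
    dns_servers: tuple = (ISP_RESOLVER,)
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token


@dataclass
class Request:
    method: str
    path: str
    form: dict = field(default_factory=dict)       # POST body fields
    headers: dict = field(default_factory=dict)    # e.g. Origin / Referer
    cookies: dict = field(default_factory=dict)


def handle_vulnerable(req, state):
    """Password-only check: any page the browser visits can submit this form."""
    if req.method != "POST" or req.path != "/set_dns":
        return 404, "not found"
    if req.form.get("password") != state.password:
        return 403, "bad password"
    state.dns_servers = tuple(req.form["dns"].split(","))
    return 200, "updated"


def login(password, state):
    """Issue a session id and bind a fresh CSRF token to it; None on failure."""
    if password != state.password:
        return None
    sid = secrets.token_hex(16)
    state.sessions[sid] = secrets.token_hex(16)
    return sid


def same_origin(source):
    """True only for the router's own origin; the trailing-slash form prevents
    a prefix match against hosts such as 192.168.1.1.attacker.example."""
    base = "http://" + ROUTER_HOST
    return source == base or source.startswith(base + "/")


def handle_hardened(req, state):
    """Three checks a cross-site page cannot satisfy: a valid session, a CSRF
    token that matches the session, and a same-origin Origin/Referer."""
    if req.method != "POST" or req.path != "/set_dns":
        return 404, "not found"
    sid = req.cookies.get("sid")
    if sid not in state.sessions:
        return 401, "login required"
    token = req.form.get("csrf", "")
    if not secrets.compare_digest(token, state.sessions[sid]):
        return 403, "csrf token mismatch"
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source):
        return 403, "cross-site request rejected"
    state.dns_servers = tuple(req.form["dns"].split(","))
    return 200, "updated"


def simulate_cross_site_post(handler, state, cookies=None):
    """The request the browser sends when a page on another site auto-submits
    a form at the router: default password guessed, no CSRF token, foreign
    Origin. The browser attaches whatever router cookie it already holds."""
    req = Request("POST", "/set_dns",
                  form={"password": "admin", "dns": ROGUE_RESOLVER},
                  headers={"Origin": "http://attacker.example"},
                  cookies=cookies or {})
    return handler(req, state)


def legitimate_change(state, new_dns):
    """The owner's own flow through the hardened interface."""
    sid = login(state.password, state)
    req = Request("POST", "/set_dns",
                  form={"dns": new_dns, "csrf": state.sessions[sid]},
                  headers={"Origin": "http://" + ROUTER_HOST},
                  cookies={"sid": sid})
    return handle_hardened(req, state)
```

The token is the load-bearing check: a page on another site can make the browser send a request to the router, but it cannot read the token from the router's own pages. The Origin check is a modern addition; browsers of the era described here sent only Referer, which is why the handler falls back to it.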

For those of you who are not familiar, the Domain Name System (or DNS) is the equivalent of the directory assistance service (or even a giant phone book) for the Internet. Every computer that’s directly accessible on the Internet has a unique Internet Protocol (IP) address. For example, something like 129.79.78.8. To access your bank’s Web site, your computer needs to know the IP address. Of course, it’s hard for us to remember these numerical addresses. Instead, we remember a simpler name like www.my-bank.com. The Domain Name System actually has an entry (called a record) that associates www.my-bank.com with the IP address 69.8.217.90. In order to access this entry, we need to go to a DNS server. There are many such servers on the Internet. Normally, your Internet Service Provider (or corporate IT staff for enterprises) tells you what DNS server to use.

In our attack, the attackers can actually modify the settings on your home wireless router to dictate which DNS server you use. Even worse, they can get you to use a server that they created themselves. This server could have bogus records that tell your computer to go to the wrong IP address when you type in www.my-bank.com. The attackers can set up a fake Web site that looks just like your bank. Then, they can associate this fake Web site’s IP address with the address www.my-bank.com. Now whenever you think you’re going to your bank’s Web site, you’ll actually wind up at the attackers' site. You may never know the difference. In the meantime, the attackers have stolen your bank account information.
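The lasting trace of this attack is a resolver setting that the ISP never assigned. The following added check (an example written for this post, not part of the original or of any Symantec tool) parses the host's resolver configuration and compares both it and the router's upstream resolvers against an expected set. The expected resolvers, the router's LAN address and the sample configuration text are all constructed assumptions.

```python
"""Audit of DNS resolver settings against an expected set.
Constructed example; the addresses and sample config are assumptions."""
import ipaddress

EXPECTED_RESOLVERS = {"198.51.100.53", "198.51.100.54"}  # assumed ISP-assigned resolvers
ROUTER_LAN = "192.168.1.1"                              # assumed router LAN address

# Constructed sample inputs: a host that forwards DNS through the router,
# and two router upstream lists, one clean and one pointing at a rogue server.
SAMPLE_RESOLV_CONF = """# constructed resolv.conf: host forwards to the router
nameserver 192.168.1.1
search home.example
"""
CLEAN_ROUTER_UPSTREAM = ["198.51.100.53", "198.51.100.54"]
TAMPERED_ROUTER_UPSTREAM = ["203.0.113.53"]             # constructed rogue resolver


def parse_nameservers(text):
    """Extract nameserver addresses from resolv.conf-style text, skipping
    comments, other directives and entries that are not valid IP addresses.
    Addresses are normalised (IPv6 included) so set comparisons are reliable."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue
        try:
            servers.append(str(ipaddress.ip_address(parts[1])))
        except ValueError:
            continue
    return servers


def audit_resolvers(host_servers, router_upstream):
    """Return (where, address) findings for every resolver outside the
    expected set. A host pointing at the router is only as safe as the
    router's upstream list, which is exactly the setting the attack rewrites,
    so the router's list is always checked."""
    findings = []
    for s in host_servers:
        if s != ROUTER_LAN and s not in EXPECTED_RESOLVERS:
            findings.append(("host", s))
    if not router_upstream:
        findings.append(("router", "no upstream resolver configured"))
    for s in router_upstream:
        if s not in EXPECTED_RESOLVERS:
            findings.append(("router", s))
    return findings


def run_audit(resolv_text, router_upstream):
    """Convenience wrapper: parse the host config, then audit both lists."""
    return audit_resolvers(parse_nameservers(resolv_text), router_upstream)


if __name__ == "__main__":
    for label, upstream in (("clean", CLEAN_ROUTER_UPSTREAM),
                            ("tampered", TAMPERED_ROUTER_UPSTREAM)):
        print(label, run_audit(SAMPLE_RESOLV_CONF, upstream) or "no findings")
```

On a real system the router's upstream list comes from its status page and the expected set from the ISP; a cheaper sanity check where that list is unavailable is to resolve a well-known name through the configured resolver and through a resolver you trust and compare the answers.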

As you can imagine, such an attack is potentially quite devastating. The attack can impact a large number of people for the following reasons:

(1) All you have to do to become a victim is simply visit the Web page that hosts this malicious code. You don’t have to click OK on any dialogue boxes or accidentally download and install malicious software. Simply viewing the page in question is enough to cause the necessary damage.

(2) Many people fail to change the default password on their home broadband routers. In fact, some informal studies show that 50 percent of people fall into this category [1].

(3) Many people enable the execution of JavaScript code on their Web browser. Formal studies show that 95 percent of Internet users fall into this category [2]. In fact, nowadays almost all popular Web sites use JavaScript, so it’s necessary to have it functioning properly.

Prior related work:

Jeremiah Grossman and T.C. Niedzialkowski gave a presentation at Black Hat on using JavaScript for profiling and attacking an internal network from the Web. While I missed Black Hat, I had the opportunity to hear Jeremiah give a talk about this work at an Open Web Application Security Project (OWASP) meeting shortly after Black Hat. (As an aside, Jeremiah is an excellent speaker, and it’s highly worth going to any presentation he gives – especially about Web application security!)

After being inspired by Jeremiah’s talk, I mentioned it to Markus Jakobsson, a professor at Indiana University. Markus, together with other researchers and students, had previously done some nice work on attacking home wireless routers (though the techniques involved attackers who were in close physical proximity) [1]. It occurred to me that by directly using the exact Grossman-Niedzialkowski techniques, one could lift the need for physical proximity when attacking these wireless routers.

In principle this attack is quite simple; however, the implications are far reaching. I think anyone sufficiently familiar with the Grossman-Niedzialkowski work from Black Hat could put the pieces of the Drive-By Pharming attack together. Because of the attack’s impact, we wanted to describe the underlying details and suggest best practices.

Best practices for defense:

The simplest thing you can do to protect yourself is change the default password on your home wireless router. A quick Google search yielded the following pages for changing this password on three of the more popular home wireless routers:

D-Link

Linksys

NETGEAR

Also, in general, I’d recommend staying away from Web sites that aren’t known to be at least reasonably trustworthy. (And definitely don’t blindly click on links in emails – even if the link came from someone you know. Remember, simply clicking on a link is all it takes for this attack to do its damage.)

Drive-By Pharming illustrated:

A Flash-based animation of the Drive-By Pharming attack can be viewed below:


Further reading:

Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. "Drive-By Pharming." http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf

Additional references:

[1] Alex Tsow, Markus Jakobsson, Liu Yang and Susanne Wetzel, "Warkitting: the Drive-by Subversion of Wireless Home Routers." The Journal of Digital Forensic Practice, 2006. http://www.indiana.edu/~phishing/papers/warkit.pdf

[2] TheCounter.com Statistics, Jupitermedia Corporation. November 2006. http://www.thecounter.com/stats/2006/November/javas.php
