
Symantec has released an interesting research paper. The paper details a JavaScript (and Java applet) exploit that can change your broadband router's settings. The script executes when you visit a web page that carries it; you never need to click "OK" for it to run, though JavaScript must be enabled for it to work. The unsettling part is that the exploit is completely transparent to the end user: victims would not know they had been exploited until it was too late. But enough with the doom and gloom, let's get into the details.
…
The exploiters want to get at your router's DNS settings. DNS stands for Domain Name System. DNS servers translate the friendly website names we type into a browser's address bar, like www.ebay.com, into numbers, like 66.135.192.87. Now, what would happen if we couldn't trust a DNS server? Suppose the DNS server is a malicious one that serves up correct numbers for everything except something like eBay. Suppose, too, that someone had built a fake eBay site that looked exactly like the real thing, but whose sole purpose was to grab usernames and passwords. Take it a step further: someone builds multiple fake sites for banking, investing, auctioning, etc. Now they can grab multiple sets of credentials.
Symantec's research is a scary eye-opener for a number of reasons. One, despite numerous warnings, a lot of people still leave their default router password in place. It makes management easier, especially since you seldom log in to your router. Two, the exploit works transparently: users visit a website and a script silently reprograms the router's DNS settings, and the user hasn't a clue. Now, when the user goes to their banking site, they are actually steered to a fake, but realistic-looking, banking site. The exploiter would, in essence, own your router. They could push firmware updates to it, which would make the changes persistent, and the router could also be made to send traffic outward over the WAN connection.
Cisco has confirmed that this is an issue. You can see their list of affected routers here. But other routers are vulnerable as well; the paper uses a D-Link router in its examples. The best course of action for you to take is to change your router's password. This stops this type of exploit in its tracks.
Pharming is the next generation of phishing. It's really good to know more about it. I wrote an article a few days back:
Pharming the evolution of phishing
Do take a look.