<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Georgia"><SPAN
class=078480017-15022007><FONT face=Arial>Everyone,</FONT></SPAN></SPAN></P>
<P class=MsoNormal><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: Georgia"><SPAN
class=078480017-15022007><FONT face=Arial>I'm posting this on behalf of Zulfikar
Ramzan who isn't subscribed to this list.</FONT></SPAN></SPAN></P>
<P class=MsoNormal><FONT size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Georgia"><FONT face=Arial>We discovered a
new potential threat that we term &ldquo;Drive-by Pharming&rdquo;. An attacker can
create a web page containing a simple piece of malicious JavaScript code.
When the page is viewed, the code makes a login attempt into the user&rsquo;s home
broadband router and attempts to change its DNS server settings (e.g., to point
the user to an attacker-controlled DNS server). Once the user&rsquo;s
machine receives the updated DNS settings from the router (e.g., after the
machine is rebooted) future DNS requests are made to and resolved by the
attacker&rsquo;s DNS server.</FONT></SPAN></FONT></P>
<P class=MsoNormal>&nbsp;</P>
<P class=MsoNormal><FONT size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Georgia"><FONT face=Arial>The main
condition for the attack to be successful is that the attacker can guess the
router password (which can be very easy to do since these home routers come with
a default password that is uniform, well known, and often never changed).
Note that the attack does not require the user to download any malicious
software &ndash; simply viewing a web page with the malicious JavaScript code is
enough.</FONT></SPAN></FONT></P>
<P class=MsoNormal>&nbsp;</P>
<P class=MsoNormal><FONT size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Georgia"><FONT face=Arial>We&rsquo;ve written
proof of concept code that can successfully carry out the steps of the attack on
Linksys, D-Link, and NETGEAR home routers. If users change their home
broadband router passwords to something difficult for an attacker to guess, they
are safe from this threat.</FONT></SPAN></FONT></P>
<P class=MsoNormal>&nbsp;</P>
<P class=MsoNormal><FONT size=2><SPAN
style="FONT-SIZE: 10pt; FONT-FAMILY: Georgia"><FONT face=Arial>Additional
details on the attack can be found at: </FONT><A
title=http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html
href="http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html"><FONT
face=Arial
color=#800080>http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html</FONT></A><FONT
face=Arial>.</FONT></SPAN></FONT></P>
<DIV><FONT face=Arial size=2><SPAN
class=078480017-15022007>Oliver</SPAN></FONT></DIV>
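<P class=MsoNormal><FONT face=Arial size=2>Editor's added example (not part of the forwarded message, and not Symantec's or any router vendor's code): the attack described above is a cross-site request to the router's administrative interface that rides on a guessable password. Changing the password, as the message recommends, removes the precondition; the sketch below shows the complementary defence a router firmware could apply on its DNS-settings endpoint, where a change is accepted only if the request authenticates, the password is not a factory default, the request is same-origin (Origin header, or Referer as a fallback on older browsers), and it carries the anti-CSRF token issued to the session. The router address, the factory-default credential list, the endpoint shape and all request dictionaries are constructed for the example.</FONT></P>

```python
"""Illustrative same-origin + CSRF-token guard for a home-router admin endpoint.
Everything here is constructed for the example: the router address, the
factory-default credential list and the request dictionaries are assumptions,
not any vendor's firmware."""
import base64
import hmac
import secrets
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.1.1"  # assumed LAN address of the router
# Assumed factory defaults; a real firmware would know its own shipped credential.
FACTORY_DEFAULTS = {("admin", "admin"), ("admin", "password"), ("admin", "")}


def _basic_credentials(header):
    """Decode an HTTP Basic Authorization header into (user, password) or None."""
    if not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def _origin(url):
    """Reduce a URL to its scheme://host[:port] origin for comparison."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def _cookie(header, name):
    """Pull one cookie value out of a Cookie header (None if absent)."""
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


class Router:
    """Minimal model of a router admin interface with one protected setting."""

    def __init__(self, username, password):
        self.username = username
        self.password = password
        self.dns_servers = ["192.168.1.1"]  # router forwards DNS by default
        self.sessions = {}  # session id -> anti-CSRF token

    def _authenticated(self, headers):
        creds = _basic_credentials(headers.get("Authorization", ""))
        return creds == (self.username, self.password)

    def login(self, request):
        """Issue a session id and a per-session CSRF token, or None on bad creds."""
        if not self._authenticated(request["headers"]):
            return None
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = token
        return sid, token

    def change_dns(self, request):
        """Apply a DNS-server change only when every guard passes.
        Returns (accepted, reason)."""
        headers = request["headers"]
        if not self._authenticated(headers):
            return False, "authentication failed"
        # Even a correct password is refused while it is still the shipped default.
        if (self.username, self.password) in FACTORY_DEFAULTS:
            return False, "factory-default password: change it before editing settings"
        # A page on another site arrives with a foreign Origin (or Referer).
        origin = headers.get("Origin") or headers.get("Referer")
        if origin is None or _origin(origin) != ROUTER_ORIGIN:
            return False, "cross-site request rejected"
        # The token lives in the router's own settings page; other origins cannot read it.
        expected = self.sessions.get(_cookie(headers.get("Cookie", ""), "sid"))
        supplied = request["form"].get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected, supplied):
            return False, "missing or invalid CSRF token"
        self.dns_servers = request["form"]["dns"].split(",")
        return True, "updated"


def demo():
    """Cross-site change attempt versus a legitimate same-origin change."""
    router = Router("admin", "correct horse battery staple")
    auth = "Basic " + base64.b64encode(b"admin:correct horse battery staple").decode()
    sid, token = router.login({"headers": {"Authorization": auth}})
    cookie = f"sid={sid}"
    # Constructed request as a third-party page would produce it: valid credentials,
    # foreign Origin, no token.
    cross_site = {"headers": {"Authorization": auth, "Cookie": cookie,
                              "Origin": "http://attacker.example"},
                  "form": {"dns": "203.0.113.53"}}
    # Constructed request as the router's own settings page would submit it.
    same_origin = {"headers": {"Authorization": auth, "Cookie": cookie,
                               "Origin": ROUTER_ORIGIN},
                   "form": {"dns": "192.168.1.1", "csrf_token": token}}
    return router.change_dns(cross_site), router.change_dns(same_origin), router.dns_servers


if __name__ == "__main__":
    for result in demo():
        print(result)
```

<P class=MsoNormal><FONT face=Arial size=2>The order of the checks matters for the threat in the message: the password check alone is the mitigation the authors give, and the origin and token checks make the endpoint safe even on a router whose password has leaked or been guessed, because a script on another site can neither present the router's origin nor read the token out of the router's page.</FONT></P>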
<DIV><FONT face=Arial size=2><SPAN
class=078480017-15022007></SPAN></FONT> </DIV></BODY></HTML>