Symantec warns of router compromise

By Tom Espiner
Special to CNET News.com

2 comments

Related Stories: Secunia: CA backup product 'inherently insecure'
January 16, 2008; If you thought 'Security '07' was hairy, just wait
January 3, 2008; Year in review: Botnet gains, Web 2.0 pains
December 31, 2007; Symantec: Virtualization can ease data center woes
October 31, 2007; Symantec, Microsoft cooperate on security
October 23, 2007
Related Blogs: Two old-time tech companies ripe for picking?
News Blog
January 17, 2008; Symantec releases online cyber-security quiz
News - Gaming and Culture
January 8, 2008

Security company Symantec has warned of an attack involving the subversion of routers.

The security company said this was the first time it had seen such an attack "in the wild," although the concept had been discussed a year ago by Symantec researchers, according to a Symantec blog post.

In the attack, which targeted users of an undisclosed Mexican bank, the intended victims received a spam e-mail claiming they had received an e-card, directing them to gusanto.com, a Spanish-language e-card site. However, the e-mail also had embedded HTML image tags that contained an HTTP get-request to the router to change its Domain Name System settings, according to Symantec's U.K. manager of quality assurance, Thomas Parsons.

The HTTP get-request redirects traffic flowing over the router to a specific IP address when the user attempts to access six domain names that are banking-related. Symantec requested that ZDNet UK not publish the IP address.

The attack is made possible by a cross-site scripting vulnerability in routers made by broadband-equipment company 2Wire that was reported in August last year, according to Symantec. Parsons said this was "a simple hack" and advised small to medium-size businesses to change default security settings on routers and educate users about clicking on suspicious links.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
Symantec Corp., e-card, 2Wire, router, XSS

Add a Comment (Log in or register)

No surprise

by alegr January 24, 2008 11:45 AM PST

GET request is used to change settings in a popular router design by certain company whose name starts with 'C' and ends with 't'. The sad thing is that the product managers were warned about that four years ago.
Any webpage can issue GET request to your router, with arbitrary arguments, that's it. Should have used POST.

Like this Reply to this comment

Need security, not POST
by magick_samurai January 25, 2008 9:16 AM PST: POST isn't secure enough either, tho it does provide a bit more than GET. If you viewed a site they could still post to the router with a form and javascript. The GET method simply allows the attack to be done without javascript, using an image tag or the like.

The basis of this attack, while using XSS, is really more of a CSRF attack (Cross site referrer forgery.)

The users who this affect are ones logged into the router without login out (most routers use .htaccess and don't support logging out without clearing private data.)
These authenticated users are used to send data and change settings. Simple referrer checking in the router's web-interface programming would eliminate most of these problems.; Like this

Latest tech news headlines

ESRB iPhone app arms video game buying parents
Posted in Geek Gestalt by Daniel Terdiman

December 1, 2009 11:57 AM PST
Fake CDC vaccine e-mail leads to malware
Posted in InSecurity Complex by Elinor Mills

December 1, 2009 11:57 AM PST
India blocks service to millions of handsets
Posted in News - Wireless by Tom Espiner

December 1, 2009 11:37 AM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Dow Jones Industrials (1.39%) 143.29 10,488.13; S&P 500 (1.36%) 14.85 1,110.48; NASDAQ (1.62%) 34.80 2,179.40; CNET TECH (1.50%) 23.63 1,598.51

Inside CNET News

Scroll Left Scroll Right

Business Tech
Sun takes big fall in server market
Sun Microsystems clocks lowest revenue and shipment among global top 5 server vendors for third quarter of 2009, says Gartner.
Gallery
Energy displays bring the smart grid home (photos)
Apple
Psystar said to have deal with Apple
Details are sketchy and there's no confirmation from Apple, but Psystar claims in a filing that a partial settlement has been reached in the copyright infringement case, according to reports.
Beyond Binary
Using tunes to tout Windows 7
Dubbed Section 7, Microsoft launches a site in conjunction with Live Nation that offers discount concert tickets and gear.
Video
A window into the Microsoft Store
Wireless
India blocks service to millions of handsets
Mobile phones without a valid identification number are being blocked in India as part of a government security drive.
Video
Google Chrome OS demonstration
Geek Gestalt
ESRB iPhone app arms video game buying parents
The ESRB has released an iPhone app that provides the ratings board's full summaries of more than 18,000 titles.
Crave
Coming soon: Recyclable mannequin robots
Osaka-based Eager Co. is developing corrugated cardboard mannequin robots for that can gracefully display clothing in retail displays.
Gallery
Digital cloud set to hover above 2012 Olympics (photos)
Dialed In
AT&T now has Voicemail to Text
AT&T's Voicemail to Text feature is powered by a company called Nuance Communications
Green Tech
Smart grid potential gated by broadband
The intersection of broadband and energy can lead to efficiency and technology innovation. What's needed is wider access, standards, and right regulations, say execs and officials at an FCC hearing.