January 24, 2008 9:10 AM PST

Symantec warns of router compromise

Security company Symantec has warned of an attack involving the subversion of routers.

The security company said this was the first time it had seen such an attack "in the wild," although the concept had been discussed a year ago by Symantec researchers, according to a Symantec blog post.

In the attack, which targeted users of an undisclosed Mexican bank, the intended victims received a spam e-mail claiming they had received an e-card, directing them to gusanto.com, a Spanish-language e-card site. However, the e-mail also had embedded HTML image tags that contained an HTTP get-request to the router to change its Domain Name System settings, according to Symantec's U.K. manager of quality assurance, Thomas Parsons.

The HTTP get-request redirects traffic flowing over the router to a specific IP address when the user attempts to access six domain names that are banking-related. Symantec requested that ZDNet UK not publish the IP address.

The attack is made possible by a cross-site scripting vulnerability in routers made by broadband-equipment company 2Wire that was reported in August last year, according to Symantec. Parsons said this was "a simple hack" and advised small to medium-size businesses to change default security settings on routers and educate users about clicking on suspicious links.

Tom Espiner of ZDNet UK reported from London.

See more CNET content tagged:
Symantec Corp., e-card, 2Wire, XSS, attack

2 comments

Join the conversation!
Add your comment
No surprise
GET request is used to change settings in a popular router design by certain company whose name starts with 'C' and ends with 't'. The sad thing is that the product managers were warned about that four years ago.
Any webpage can issue GET request to your router, with arbitrary arguments, that's it. Should have used POST.
Posted by alegr (1590 comments )
Reply Link Flag
Need security, not POST
POST isn't secure enough either, tho it does provide a bit more than GET. If you viewed a site they could still post to the router with a form and javascript. The GET method simply allows the attack to be done without javascript, using an image tag or the like.

The basis of this attack, while using XSS, is really more of a CSRF attack (Cross site referrer forgery.)

The users who this affect are ones logged into the router without login out (most routers use .htaccess and don't support logging out without clearing private data.)
These authenticated users are used to send data and change settings. Simple referrer checking in the router's web-interface programming would eliminate most of these problems.
Posted by magick_samurai (2 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.