
[Repost] Why clicking a link can cause huge expenses

Original link: http://www.symantec.com/enterprise/security_response/weblog/2007/02/driveby_pharming_how_clicking_1.html

I wanted to talk about a recent new attack, called Drive-By Pharming, which I co-developed with Sid Stamm and Markus Jakobsson of the Indiana University School of Informatics. It allows attackers to create a Web page that, simply when viewed, results in substantive configuration changes to your home broadband router or wireless access point. As a result, attackers gain complete control over the conduit by which you surf the Web, allowing them to direct you to sites they designed (no matter what Web address you direct your Web browser to).

I believe this attack has serious widespread implications and affects many millions of users worldwide. Fortunately, this attack is easy to defend against as well. In this blog entry, I’ll describe the attack, mention some prior related work, and then go over best practices.

How the attack works:

I’ll start with a high-level real-world analogy of this attack. Imagine that whenever you wanted to go to your bank, you picked up your phone directory, looked up the bank’s address, and then went there. Our attack shows a simple way that attackers can replace the phone books in your house with one that they created. Now, when you pick up that rogue phone book to get your bank’s address, it’ll actually give you the wrong address. At this wrong address, the attackers will have set up a fake bank that looks just like your bank. When you do business with this fake bank, you’ll give up all your sensitive bank account information. However, you’ll never realize that you were at a fake bank since you trusted the address that you got from what you thought was your legitimate telephone book.

Now, let’s go into a slightly more technical description. The attackers create a Web page that includes malicious JavaScript code. When the Web page is viewed, this code, running in the context of your Web browser, uses a technique known as ‘Cross Site Request Forgery’ and logs into your local home broadband router. Now, most such routers require a password for logging in. However, most people never change this password from the original factory default. Upon successful login, the JavaScript code changes the router’s settings. One simple, but devastating, change is to the user’s DNS server settings.

For those of you who are not familiar, the Domain Name System (or DNS) is the equivalent of the directory assistance service (or even a giant phone book) for the Internet. Every computer that’s directly accessible on the Internet has a unique Internet Protocol (IP) address. For example, something like 129.79.78.8. To access your bank’s Web site, your computer needs to know the IP address. Of course, it’s hard for us to remember these numerical addresses. Instead, we remember a simpler name like, www.my-bank.com. The Domain Name System actually has an entry (called a record) that associates www.my-bank.com with the IP address 69.8.217.90. In order to access this entry, we need to go to a DNS server. There are many such servers on the Internet. Normally, your Internet Service Provider (or corporate IT staff for enterprises) tells you what DNS server to use.

In our attack, the attackers can actually modify the settings on your home wireless router to dictate which DNS server you use. Even worse, they can get you to use a server that they created themselves. This server could have bogus records that tell your computer to go to the wrong IP address when you type in www.my-bank.com. The attackers can set up a fake Web site that looks just like your bank. Then, they can associate this fake Web site’s IP address with the address www.my-bank.com. Now whenever you think you’re going to your bank’s Web site, you’ll actually wind up at the attackers' site. You may never know the difference. In the meantime, the attackers have stolen your bank account information.

As you can imagine, such an attack is potentially quite devastating. The attack can impact a large number of people for the following reasons:

(1) All you have to do to become a victim is simply visit the Web page that hosts this malicious code. You don’t have to click OK on any dialogue boxes or accidentally download and install malicious software. Simply viewing the page in question is enough to cause the necessary damage.

(2) Many people fail to change the default password on their home broadband routers. In fact, some informal studies show that 50 percent of people fall into this category [1].

(3) Many people enable the execution of JavaScript code on their Web browser. Formal studies show that 95 percent of Internet users fall into this category [2]. In fact, nowadays almost all popular Web sites use JavaScript, so it’s necessary to have it functioning properly.

Prior related work:

Jeremiah Grossman and T.C. Niedzialkowski gave a presentation at Blackhat on using JavaScript for profiling and attacking an internal network from the Web. While I missed Blackhat, I had the opportunity to hear Jeremiah give a talk about this work at an Open Web Application Security Project (OWASP) meeting shortly after BlackHat. (As an aside, Jeremiah is an excellent speaker, and it’s highly worth going to any presentation he gives – especially about Web application security!)

After being inspired by Jeremiah’s talk, I mentioned it to Markus Jakobsson, a professor at Indiana University. Markus, together with other researchers and students, had previously done some nice work on attacking home wireless routers (though the techniques involved attackers who were in close physical proximity) [1]. It occurred to me that by directly using the exact Grossman-Niedzialkowski techniques, one could lift the need for physical proximity when attacking these wireless routers.

In principle this attack is quite simple; however, the implications are far reaching. I think anyone sufficiently familiar with the Grossman-Niedzialkowski work from BlackHat could put the pieces of the Drive-By Pharming attack together. Because of the attack’s impact, we wanted to describe the underlying details and suggest best practices.

Best practices for defense:

The simplest thing you can do to protect yourself is change the default password on your home wireless router. A quick Google search yielded the following pages for changing this password on three of the more popular home wireless routers:

• D-Link

• Linksys

• NETGEAR

Also, in general, I’d recommend staying away from Web sites that aren’t known to be at least reasonably trustworthy. (And definitely don’t blindly click on links in emails – even if the link came from someone you know. Remember, simply clicking on a link is all it takes for this attack to do its damage.)
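As an added example, not code from the original post or from Symantec: the server-side checks a home router's administration interface would need so that a page the user merely views cannot log in cross-site and rewrite the DNS servers (the mechanism described under "How the attack works"), together with the default-password check behind the first best practice above. The request layout, the LAN address 192.168.1.1 and the list of factory passwords are assumptions made for illustration.

```python
# Added example, not from the original post: checks a home router's admin
# endpoint could apply so that a page the user merely views cannot change the
# DNS servers. Request layout, the LAN address and the password list are
# assumptions made for illustration.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGINS = {"http://192.168.1.1", "https://192.168.1.1"}  # assumed admin address
DEFAULT_PASSWORDS = {"admin", "password", ""}  # constructed sample of factory defaults


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def request_origin(req):
    """scheme://host[:port] of the page that issued the request, or None."""
    origin = req.headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = req.headers.get("Referer")
    if referer:
        u = urlsplit(referer)
        return f"{u.scheme}://{u.netloc}"
    return None  # neither header: treat as cross-site and fail closed


def check_dns_change(req, session_csrf_token):
    """Return (accepted, reason) for a request that would change DNS settings."""
    if req.method != "POST":
        return False, "settings changes must be POSTed"  # state changes over GET are trivially forgeable
    origin = request_origin(req)
    if origin not in ROUTER_ORIGINS:
        # A request driven from another site (the Drive-By Pharming page) stops here.
        return False, f"cross-site request from {origin!r}"
    if req.form.get("csrf_token") != session_csrf_token:
        # Same-origin is not enough: the form must carry the per-session token.
        return False, "missing or wrong CSRF token"
    return True, "ok"


def password_is_default(password):
    """True when the admin password is still a factory default (best practice 1)."""
    return password in DEFAULT_PASSWORDS
```

The origin check alone is not sufficient, since older browsers sent neither header in some cases; the per-session token is what makes a same-origin form the only way to apply the change.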

Drive-By Pharming illustrated:

A Flash-based animation of the Drive-By Pharming attack can be viewed below:

Further reading:

Sid Stamm, Zulfikar Ramzan, and Markus Jakobsson. "Drive-By Pharming."
http://www.symantec.com/avcenter/reference/Driveby_Pharming.pdf

Additional references:

[1] Alex Tsow, Markus Jakobsson, Liu Yang and Susanne Wetzel, "Warkitting: the Drive-by Subversion of Wireless Home Routers." The Journal of Digital Forensic Practice, 2006.
http://www.indiana.edu/~phishing/papers/warkit.pdf

[2] TheCounter.com Statistics, Jupitermedia Corporation. November 2006.
http://www.thecounter.com/stats/2006/November/javas.php

My English is poor, I can't understand it.

DNS spoofing, phishing? My English is poor. What's the point of reposting this article?


Not sure whether it's right or not... heh heh

Wow. I finished translating it with a tool and only then saw the post below. Sigh..

Good thing there's a translation.

Better to post it in Chinese, since most readers here are Chinese.

The gist is that because many people's router passwords are still the default, changing the router's DNS server address is used to phish. That should be it, though my router has a password set, heh.
Machine translation? It's awful to read!

There are grammar errors, but it's still understandable. But can this actually be pulled off??

It should be doable.

No idea. The translation tool is too bad, I can't understand it.