
January 24, 2008 9:10 AM PST

Symantec warns of router compromise

Security company Symantec has warned of an attack involving the subversion of routers.

The security company said this was the first time it had seen such an attack "in the wild," although the concept had been discussed a year ago by Symantec researchers, according to a Symantec blog post.

In the attack, which targeted users of an undisclosed Mexican bank, the intended victims received a spam e-mail claiming they had received an e-card, directing them to gusanto.com, a Spanish-language e-card site. However, the e-mail also had embedded HTML image tags that contained an HTTP GET request to the router to change its Domain Name System settings, according to Symantec's U.K. manager of quality assurance, Thomas Parsons.

The HTTP GET request redirects traffic flowing over the router to a specific IP address when the user attempts to access six domain names that are banking-related. Symantec requested that ZDNet UK not publish the IP address.

The attack is made possible by a cross-site scripting vulnerability in routers made by broadband-equipment company 2Wire that was reported in August last year, according to Symantec. Parsons said this was "a simple hack" and advised small to medium-size businesses to change default security settings on routers and educate users about clicking on suspicious links.
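A mail gateway can flag this pattern before a message is rendered. The following is an added detection example, not code from Symantec or from this article: it scans an HTML body for auto-fetched tags whose URL points at a private address or a single-label local name. The sample message, the hosts, the `/admin/set` path and its parameters are constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose URL is fetched automatically when a mail client renders the message.
AUTO_FETCH = {"img": "src", "iframe": "src", "script": "src", "embed": "src",
              "link": "href", "body": "background"}

def is_internal_host(host):
    """True for private/loopback/link-local IP literals and single-label names."""
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host  # e.g. "gateway": resolved on the local network
    return ip.is_private or ip.is_loopback or ip.is_link_local

class RouterRequestFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = AUTO_FETCH.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        try:
            parts = urlsplit(url.strip())
            host = parts.hostname
        except ValueError:  # malformed URL, nothing to fetch
            return
        if parts.scheme in ("http", "https") and is_internal_host(host):
            # A query string means the "image" is a request carrying parameters.
            self.findings.append({"tag": tag, "host": host, "has_query": bool(parts.query)})

def scan_html(html_body):
    finder = RouterRequestFinder()
    finder.feed(html_body)
    finder.close()
    return finder.findings

# Constructed sample message body (hosts, path and parameters are made up).
SAMPLE_EMAIL = """<p>You have received an e-card!</p>
<img src="http://cards.example/img/card.gif">
<img src="http://192.168.1.254/admin/set?name=bank.example&amp;addr=198.51.100.7" width="1">
<img src="http://gateway/admin/set?name=bank.example&amp;addr=198.51.100.7" width="1">"""
```

Legitimate mail has almost no reason to load resources from a recipient's local network, so any finding with `has_query` set is worth quarantining or stripping.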

Tom Espiner of ZDNet UK reported from London.


2 comments
No surprise
by alegr January 24, 2008 11:45 AM PST
A GET request is used to change settings in a popular router design by a certain company whose name starts with 'C' and ends with 't'. The sad thing is that the product managers were warned about that four years ago.
Any webpage can issue a GET request to your router, with arbitrary arguments, that's it. Should have used POST.
Need security, not POST
by magick_samurai January 25, 2008 9:16 AM PST
POST isn't secure enough either, though it does provide a bit more than GET. If you viewed a site they could still post to the router with a form and JavaScript. The GET method simply allows the attack to be done without JavaScript, using an image tag or the like.

The basis of this attack, while using XSS, is really more of a CSRF attack (Cross site referrer forgery).

The users whom this affects are the ones logged into the router without logging out (most routers use .htaccess and don't support logging out without clearing private data).
These authenticated users are used to send data and change settings. Simple referrer checking in the router's web-interface programming would eliminate most of these problems.
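The checks the two comments discuss, written as the gate a router's admin interface could apply before changing a setting. This is an added example, not code from either commenter or from any router vendor; it goes beyond the comments by also requiring a per-session token, and the origins, header dictionary and `csrf_token` field name are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed origins of the router's own admin pages.
ROUTER_ORIGINS = {"http://192.168.1.254", "http://gateway"}

def new_csrf_token():
    """Random per-session token that the admin UI embeds in its own forms."""
    return secrets.token_urlsafe(32)

def origin_of(url):
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()

def check_settings_change(method, headers, form, session_token):
    """Return (allowed, reason) for a request that would change router settings."""
    # 1. Never change state on GET, so an <img> tag alone cannot trigger a change.
    if method.upper() != "POST":
        return False, "state change requires POST"
    # 2. Referrer checking: the request must come from the router's own pages.
    source = origin_of(headers.get("Origin")) or origin_of(headers.get("Referer"))
    if source not in ROUTER_ORIGINS:
        return False, "cross-site or missing Origin/Referer"
    # 3. A forged cross-site form cannot know the per-session token.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "bad CSRF token"
    return True, "ok"
```

Requests with neither an `Origin` nor a `Referer` header are rejected here, which is the strict choice for an admin interface.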