Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts

In a recent security alert, carried on several high-profile security websites, it has been revealed that hackers, in parts unknown, are exploiting vulnerabilities in certain models of the 2Wire brand of DSL modems to steal bank accounts - in Mexico. These modems are also in use in the US, so don't get smug about this happening in Mexico only. That is probably a test run by the hackers, before hitting the US-based modems.

The modus operandi of this attack begins with a spammed email that is rigged with hidden code embedded in an image tag, plus a link to view a hostile video, where another piece of malware will try to install itself (TROJ_QHOST.FX). People who don't have the targeted modem won't be affected directly by this hidden code - this time. On the other hand, people who do have these modems and have not created a personal password for the modem's administrator login will have this hidden request passed directly to the modem. The request poisons the DNS entry for banamex.com, which is the largest bank in Mexico. This DNS poisoning automatically redirects all requests for banamex.com to a look-alike phishing website, where, when people log in to their account, that login information is added to the database owned by the criminals behind this exploit. These people will have their accounts emptied, unless they realize that they've been duped before the hackers get to their money (not likely).

Because this attack involves poisoning the DNS entries for the bank's website, in the modem itself, even typing banamex.com — which is the legitimate, fully-qualified domain name for this bank — leads to the fraudulent site instead. This is the same type of exploit that occurs when spyware poisons a computer's HOSTS file, to redirect specific requests to a hostile address. This exploit occurs invisibly for users of the affected modems who have not changed the default administrator password, which is null (none set). If they have created a personal password this exploit will fail. About 2 million of the affected modems have been shipped to customers in Mexico, all without an administrator password set. It is up to the recipients to create an administrator password.

This is a known, unpatched exploit, that was first reported on August 17, 2007. It is known as an "xslt Cross-site request forgery" (CSRF) vulnerability, which affects 2wire modem/router models 1701HG, 1800HW, and 2071, with 3.17.5, 3.7.1, and 5.29.51 software. It allows remote attackers to create DNS mappings as administrators, and conduct DNS poisoning attacks, via the NAME and ADDR parameters. That demonstrates the importance of changing the default modem password to one that is not easily guessed. If you have one of these modems and have not already created a strong administrator password, do so as soon as possible!


Background
-------------
This is the most popular router in Mexico and the default installation from the ISP has no system password.

Vulnerability
----------------
It is possible to send a request to the router that will modify its configuration.

It does not validate the POST body, the Referer header, or anything else, unless the administrator password has been set by the customer.

Exploit
----------------
The client PC sends a request to the router with the configuration changes and they are set instantly.

[examples]

Set a password (NewPassword):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NewPassword&PASSWORD_CONF=NewPassword

Add names to the DNS (172.16.32.64 www.example.com):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=172.16.32.64

Disable Wireless Authentication:
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0

Set Dynamic DNS:
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE

Also, disable the Firewall, reset the device, etc.
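The hidden image tag described above is the delivery vehicle for these configuration URLs, so a mail gateway or desktop filter can flag it before the mail client fetches it. The following is an added example (not from the original post or the advisory): it parses an HTML message body, collects every URL a client would load silently (img, iframe, script, link), and reports those that point at a LAN gateway address and carry the /xslt configuration parameters named in this post. The gateway host list and the sample message are constructed assumptions.

```python
"""Flag HTML mail bodies that embed requests to a LAN gateway's /xslt
configuration endpoint (the 2Wire CSRF pattern described in the post)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumption: the post names gateway.2wire.net as the 2Wire gateway hostname.
GATEWAY_HOSTS = {"gateway.2wire.net"}
# Query parameters the advisory shows changing configuration.
STATE_PARAMS = {"NAME", "ADDR", "PASSWORD", "VALUE", "IP_DYNAMIC"}


def is_lan_target(host):
    """True for private-range IP addresses or a known gateway hostname."""
    if host in GATEWAY_HOSTS:
        return True
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


class SrcCollector(HTMLParser):
    """Collect every URL a mail client would fetch without a user click."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes &amp; in attributes
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "iframe", "script", "link"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.urls.append(value)


def find_gateway_csrf(html):
    """Return embedded URLs that hit a LAN gateway's /xslt endpoint with
    a *_SET/*_POST page or a configuration-changing parameter."""
    collector = SrcCollector()
    collector.feed(html)
    hits = []
    for url in collector.urls:
        parts = urlsplit(url)
        if not parts.hostname or not is_lan_target(parts.hostname):
            continue
        query = parse_qs(parts.query)
        page = query.get("PAGE", [""])[0].upper()
        if parts.path.endswith("/xslt") and (
                page.endswith(("_SET", "_POST")) or STATE_PARAMS.intersection(query)):
            hits.append(url)
    return hits


# Constructed sample: a "view video" lure plus a 1x1 image aimed at the gateway.
SAMPLE = ('<p>Watch the video <a href="http://videos.example.net/v.html">here</a></p>'
          '<img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38'
          '&amp;NEXTPAGE=J38_SET&amp;NAME=www.example.com&amp;ADDR=172.16.32.64" width="1" height="1">'
          '<img src="http://cdn.example.net/logo.png">')
```

Running `find_gateway_csrf(SAMPLE)` returns only the gateway URL; the visible link and the public-host logo are ignored, and a modem with an administrator password set would reject the flagged request anyway.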

Solution
----------------
To undo the redirect to this phishing website you must reset your 2wire modem to its factory default state. Warning: This will wipe out all saved rules and your login credentials! Have your DSL user name and password ready to input into the modem, after you reset it, or you will not be able to get back onto the Internet.

If your modem has a small hole with a reset button on the back or bottom, insert a paper clip or ballpoint pen into the hole, push it against the recessed button and hold it in for about 2 minutes, with the power on. After two minutes let go of the button, wait about ten seconds, then unplug the power to the modem for another two minutes. Plug it back in and let it stabilize. You will have to input your login credentials to get logged onto the DSL service. To do so, open your browser and go to this address: http://gateway.2wire.net/ . You can also access the modem/router, if it has no other routers between it and your computer, by typing in: http://192.168.1.254, where you can input your login credentials.

If your modem does not have a reset button you can reset it electronically, by using this method. Open your web browser and type this address into the address/location bar: http://gateway.2wire.net/management or http://192.168.1.254/mdc . On that page you can create an administrator password and reset the modem to its default state (under Troubleshooting, click on: RESET TO FACTORY SETTINGS).

After you reset the modem to factory settings and input your login credentials, log back onto the management page and click on "Run Setup Wizard," where you can create a strong administrator password and disable unnecessary features, like remote administration, to prevent this type of exploit from repeating itself.

Sources:
----------------
http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4387

http://xforce.iss.net/xforce/xfdb/36044

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.