DNSChanger 2: exploiting your routers
DNSChanger 2014
Alfons Tanujaya
DNSChanger 2007
• Active 2007 - 2011
• Infected more than 4 million PC and Mac computers
• Online advertising, spam, scams
• Profit of 140 billion
• 8 March 2012: servers brought down; a small internet apocalypse?
DNSChanger 1
DNSChanger 2014 Symptom
What is this?
• No antivirus of any brand can deal with this malware.
• It affects not only Windows but also Linux, Mac and Android phones.
• Even after the computer is formatted, it happens again.
Sea-surf = CSRF
CSRF: Cross-Site Request Forgery
• A type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
• The attack is blind: not good for credential stealing.
• But an ordinary weapon in the hands of a smart criminal can be deadly.
DNSChanger 2014
• Changing DNS of vulnerable routers.
• Log all traffic through a proxy: credential leak.
• Leads to malware installation.
• Leads to forged websites, which can leak credentials.
• Improper advertisements, porn, malware, etc.
• How many victims? 300,000 routers x 5 users = 1.5 million computers.
How it happens
http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=162.248.99.162&dnsserver2=199.85.127.10&Save=%B1%A3+%B4%E6
List of vulnerable routers
• TP-Link
• D-Link
• Micronet
• Tenda
Solution
Sea Surf / Sea Monkey
SOLUTION
• Upgrade the firmware (not always successful) → OpenWRT
• Solution: set the DNS on the client to the ISP's or Google's DNS; the locally configured DNS overrides the router's, unless the router forces its own.
• T-FA challenge token
• Do not use web-based administration.
• Use HTTPS.
• Use a separate browser dedicated to router administration, different from the one used for browsing.
[Diagram: normal flow: GET → login form → session cookie → UNPS → POST with cookie; CSRF flow: GET → auto-submit form → POST with cookie]
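As an added example (not code from the slides or from any router vendor; all names are hypothetical), the "save DHCP/DNS" handler modelled two ways: the GET-driven one the slides describe, where the session cookie alone authorizes the change, and the challenge-token version from the solution list, which also refuses GET and cross-origin POSTs.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed model of a router's "save DHCP/DNS" endpoint; hypothetical names.
ADMIN_ORIGIN = "http://192.168.1.1"   # the router's own admin UI origin (assumed)


def new_session(sessions: dict) -> str:
    """Log the admin in: issue a session cookie and bind a fresh challenge token to it."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = secrets.token_urlsafe(32)
    return sid


def vulnerable_save(sessions, settings, method, query, cookies):
    """Behaviour the slides describe: any request carrying a valid session cookie,
    even a plain GET triggered by an <img> tag or hidden form on another site,
    rewrites the DNS servers handed out by DHCP. The method is never checked."""
    if cookies.get("session") not in sessions:
        return 401
    params = parse_qs(query)
    settings["dnsserver"] = params.get("dnsserver", [""])[0]
    settings["dnsserver2"] = params.get("dnsserver2", [""])[0]
    return 200


def hardened_save(sessions, settings, method, headers, cookies, body):
    """Challenge-token mitigation: only a POST from the admin UI's own origin,
    carrying the token bound to this session, may change the DNS servers."""
    sid = cookies.get("session")
    if sid not in sessions:
        return 401
    if method != "POST":
        return 405                      # state changes are never accepted over GET
    if headers.get("Origin") != ADMIN_ORIGIN:
        return 403                      # cross-site (or origin-less) request
    form = parse_qs(body)
    token = form.get("csrf_token", [""])[0]
    # Constant-time compare so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(token.encode(), sessions[sid].encode()):
        return 403
    settings["dnsserver"] = form.get("dnsserver", [""])[0]
    settings["dnsserver2"] = form.get("dnsserver2", [""])[0]
    return 200
```

The token must be unguessable and bound to the session; a cross-site page cannot read it, so its auto-submitted form arrives with the cookie but without the token and is rejected.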
Resource
• http://cxsecurity.com/issue/WLB-2012100027