I'm thinking ActiveX controls would be especially vulnerable, as well as 
just inserting "Install our new Google Toolbar!" into the Google homepage.

Or hell, just put "Google is giving away one billion dollars!  Install 
this Google Toolbar to learn more!" or "Google has detected that your 
computer is infected!".  Because it'll be on the *actual* Google 
homepage, with the URL in the address bar starting with the real 
"http://google.com"; I bet you'd get some installs out of that.

Even SSL/HTTPS would be somewhat vulnerable: it'd throw up a ton of 
certificate warnings, but people are programmed to ignore those -- 
especially when they're going to sites they trust.

-david

Alness, Andy wrote:
>  
> I don't see any way to protect against this aside from suggestions to use 
> DNSSEC or SSL (or only use otherwise secured or switched networks.) In 
> practice the attack might be complicated by the client. It's entirely 
> possible the victim's resolver will get the 2nd response and cache that -- 
> who knows.
> 
>> But wow, I'm amazed this doesn't happen more.  It seems like this would be 
>> the most obvious way to spread a virus.  Indeed, I could imagine creating a 
>> proxy that auto-infects every executable file that comes through it (just 
>> add a silent rootkit installer that runs before the real installer).
> 
> For one you're limited to attacking whomever happens to be installing 
> software on your unencrypted wlan.  MITM'ing some company's autoupdater is 
> probably your best hope but those likely use SSL or some form of content 
> verification before executing. The attack seems too limited to be a very 
> effective virus propagator to me but I've never tried to propagate a virus. 
> Might be a useful cookie fisher maybe, but they'd be non-SSL cookies so 
> they're probably worthless. You could probably induce panic at your local 
> Starbucks by spoofing cnn.com or something. Might be a good way to clear the 
> place out if you need a seat.
> 
> -Andy
> 
> 
> -----Original Message-----
> From: David Barrett [mailto:dbarr...@quinthar.com] 
> Sent: Monday, May 25, 2009 3:53 PM
> To: theory and practice of decentralized computer networks
> Subject: Re: [p2p-hackers] DNS hijacking?
> 
> True, but it seems unnecessarily hard core: it affects all your traffic, 
> which means you need to do a lot more work than set up a simple HTTP gateway.
> 
> Furthermore, the DNS approach lets you selectively hijack those specific 
> domains that you have an attack package ready for: there's no value in 
> hijacking a domain you aren't prepared to abuse, as it just increases the 
> chance of detection.
> 
> But wow, I'm amazed this doesn't happen more.  It seems like this would be 
> the most obvious way to spread a virus.  Indeed, I could imagine creating a 
> proxy that auto-infects every executable file that comes through it (just add 
> a silent rootkit installer that runs before the real installer).
> 
> -david
> 
> Alex Pankratov wrote:
>> The exact same effect can be achieved with ARP spoofing. The hijacker 
>> simply convinces your machine that he is a default gateway, and voila, 
>> he has full access to all your Internet-bound traffic.
>>
>> Alex
>>
>>> -----Original Message-----
>>> From: p2p-hackers-boun...@lists.zooko.com [mailto:p2p-hackers- 
>>> boun...@lists.zooko.com] On Behalf Of David Barrett
>>> Sent: May 25, 2009 2:47 PM
>>> To: theory and practice of decentralized computer networks
>>> Subject: Re: [p2p-hackers] DNS hijacking?
>>>
>>> It's not eavesdropping I'm concerned about.  I'm thinking with this 
>>> attack you could inject malicious code into otherwise innocuous HTTP 
>>> traffic.  For example, you might add a "Install the latest Google 
>>> Toolbar!" link straight into the live, functional Google homepage, 
>>> and even make that link look like it's coming straight from 
>>> http://google.com, but then host a virus-infected version of Google 
>>> Toolbar.
>>>
>>> -david
>>>
>>> Tien Tuan Anh Dinh wrote:
>>>>> I'm primarily thinking of a wifi office or internet cafe; can't 
>>>>> everybody sniff everybody else's traffic (including DNS requests)? Does 
>>>>> this mean that every wifi network is vulnerable to this really easy 
>>>>> attack, and there's basically no defense other than upgrading all of 
>>>>> DNS?
>>>> When your traffic is in plain-text while you're in a wifi cafe, you give 
>>>> your privacy to the one operating that access point already.
>>>>
>>>> https was designed for these scenarios. When your traffic is sensitive, 
>>>> use https.
>>>>
>>>> I'm wondering what one would gain by eavesdropping unimportant traffic 
>>>> of others in an Internet cafe? I'm not sure if this attack can cause any 
>>>> noticeable damage.
>>>>
>>>> A.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> p2p-hackers mailing list
>>>> p2p-hackers@lists.zooko.com
>>>> http://lists.zooko.com/mailman/listinfo/p2p-hackers
> 


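An added example, not from anyone in the thread: a stub-resolver-side check for the DNS response race Andy mentions (the victim getting a second response for the same query). It parses raw DNS responses and flags (a) answers to a transaction ID the client never sent and (b) a later answer that contradicts the first one for the same query. The packets are constructed by build_response as test data rather than captured traffic, and the outstanding-query table is assumed to be fed from the client's own sent queries.

```python
import struct

def _read_name(msg, off):
    """Decode a DNS name at msg[off], following compression pointers; return (name, next_off)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer into the message
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            return ".".join(labels + [_read_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return (txid, question name, set of A-record IPs) from a raw DNS response."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    qname, off = _read_name(msg, 12)
    off += 4  # skip QTYPE and QCLASS of the single question
    ips = set()
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record
            ips.add(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return txid, qname.lower(), ips

def build_response(txid, qname, ips):
    """Construct a minimal DNS A response (constructed test data, not captured traffic)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\0"
    msg = struct.pack("!6H", txid, 0x8180, 1, len(ips), 0, 0) + q + struct.pack("!HH", 1, 1)
    for ip in ips:  # each answer points back at the question name (pointer 0xC00C)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return msg

def detect_spoofed_answers(outstanding, responses):
    """Alert on unsolicited responses and on a later answer that contradicts the first for a txid."""
    alerts, first_seen = [], {}
    for raw in responses:  # outstanding: {txid: qname} actually sent; responses in arrival order
        txid, qname, ips = parse_response(raw)
        if outstanding.get(txid) != qname:
            alerts.append(("unsolicited", txid, qname))
            continue
        if txid in first_seen and first_seen[txid] != ips:
            alerts.append(("conflicting", txid, qname, sorted(first_seen[txid] | ips)))
        first_seen.setdefault(txid, ips)
    return alerts
```

A real stub resolver takes the first response and discards the rest, so this check only tells you a race happened; it cannot say which answer was genuine, which is why the thread's pointers to DNSSEC and HTTPS are the actual fix.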
