What's This? Hacker Drive-By's?

Drive-by Web attack aimed at home routers

Too lazy to change default passwords? You'll pay.

Robert McMillan

February 15, 2007 (IDG News Service) -- If you haven't changed the default password on your home router, do so now.
That's what researchers at Symantec Corp. and Indiana University are saying, after publishing the results of tests that show how attackers could take over your home router using malicious JavaScript code.
For the attack to work, the bad guys would need a couple of things to go their way. First, the victim would have to visit a malicious Web site that served up the JavaScript. Second, the victim's router would have to still use the default password that it's pre-configured with it out of the box.
In tests, the researchers were able to do things like change firmware and redirect a D-Link Systems Inc. DI-524 wireless router to look up Web sites from a DNS (Domain Name System) server of their choosing. They describe these attacks in a paper (PDF format), authored by Sid Stamm and Markus Jakobsson of Indiana University, and Symantec's Zulfikar Ramzan.
"By visiting a malicious Web page, a person can inadvertently open up his router for attack," the researchers write. "A Web site can attack home routers from the inside and mount sophisticated... attacks that may result in denial of service, malware infection, or identity theft."