The malicious code changes the victimized PC's DNS server settings, referring all requests to the attacker's server, researcher Zulfikar Ramzan said on the Security Response blog on Tuesday.
Ramzan, who discussed proof-of-concept drive-by pharming on the blog about a year ago, said that Symantec had found an in-the-wild variant posing as an e-card with a malicious IMG tag. The malware modified DNS settings to redirect traffic to a different – and likely malicious – webpage.
“Given the simplicity of the attack, and the potential widespread implications, we always felt that it would simply be a matter of time before it happened,” said Ramzan. “The building blocks have been out there for some time, and anyone with sufficient familiarity could easily put them together. I've said before, and I'd like to reiterate, that the technical details of the attack are not nearly as noteworthy as the potential widespread implications.”
The scheme requires a malware author to guess the victim's administrative password – not a difficult task since many end-users employ a default or are not aware a password even exists, according to Ramzan.
Symantec advised end-users to choose complicated passwords and reset the router. End-users who believe they are victims should change their website passwords.