Announcement

Collapse
No announcement yet.

An old virus has risen from the dead!

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    An old virus has risen from the dead!

    Researchers in the United Kingdom have discovered/invented (?) what is called "Chameleon AP", a polymorphic virus that passes from Wifi AP to Wifi AP without using the Internet backbone, successfully evading Internet security features, such as deep packet inspection. It was reported today but the authors first published about their creation in July of 2013.

    http://jis.eurasipjournals.com/content/2013/1/2
    A new form of compromised AP attack has been demonstrated and analysed in, called the 'Chameleon’ attack, perpetrated by the Chameleon virus. This attack replaces the firmware of an existing AP and masquerades the outward facing credentials. Thus, all visible and physical attributes are copied and there is no significant change in traffic volume or location information. Hence, this attack is considered advanced and difficult to detect, as IDS rogue AP detection methods typically rely on a change in credentials, location or traffic levels. This work provides analysis of the Chameleon virus and demonstrates a method of detecting the propagation of the virus, as it constitutes an advanced rogue AP.
    A polymorphic virus by the same name was first noticed in 1990.
    http://virus.wikia.com/wiki/Chameleon
    I don't know if the authors used this virus or just borrowed its name.

    The principal steps of the Chameleon virus are as follows:
    1. Establish a list of susceptible APs within the current location.
    2. Bypass any encryption security on the AP.
    3. Bypass the administrative interface on the AP.
    4. Identify and store AP system settings.
    5. Replace the AP firmware on vulnerable APs with the virus-loaded firmware.
    6. Reload the victim AP system settings.
    7. Propagate virus (return to 1).
    Propagation of a virus over the wireless interface, rather than via wired backbone, presents several benefits for propagation. Firstly, the propagation of the virus would continue despite upgrades to backbone internet virus security methods, such as deep packet inspection. Without significant changes to AP operations, the attack can only be detected using WiFi frames. Secondly, the presence and volume of infected devices could not be assessed using existing forensic methods such as connection to suspicious IPs or known malicious domains. Thirdly, the virus can infect nodes which are not connected to the backbone internet. Finally, this virus is uniquely able to target APs within a specific region as propagation is based on proximity. Each of these factors presents additional challenges with detection of the virus if it is restricted to propagating over the wireless medium.

    I've highlighted what seems to me is a significant and difficult step. I cannot imagine the virus downloading firmware for any and every wifi modem it encounters, infecting it and then burning it. The virus must look for specific models of Wifi modems because burning firmware on a modem is not a simple process. The virus firmware had to be infected ahead of time so that it could be easily downloaded and installed onto the target wifi. Steps 2 and 3 seem difficult as well.
    Last edited by GreyGeek; Feb 26, 2014, 02:23 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.

    #2
    Hmm yeah, I guess the firmware would have to be something really popular. Not sure about in your area, but most of the routers here (about 70% between them) are either BT Home Hubs or VirginMedia Super Hubs (based on personal experience and SSIDs, which often reveal the manufacturer's name). I guess there are enough of these that overlap to allow the virus to spread over wide areas. We're probably more at risk than you guys because of our population density, too.

    Lots of commercial routers support WPS pin setup, which I believe I read is flawed, which is the reason it's unsupported in *wrt. That might be enough to get past no.2. I wonder how random the randomised admin passwords really are for access points, or if there's a pattern?
    samhobbs.co.uk

    Comment


      #3
      From what I've read there is a "pattern".
      The most popular password is "123456" and next to it is "password".
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Not on newer routers though, and since you need overlapping access points that probably wouldn't be good enough to spread far. Assuming the passwords are not changed from the defaults, you're left guessing seemingly random alphanumeric strings... I'm wondering if they're truly random or if there could be a pattern.
        samhobbs.co.uk

        Comment


          #5
          Yep, I'd say this is fairly typical:

          Code:
          feathers-mcgraw@Hobbs-T440s:~$ sudo iw dev wlan0 scan | grep SSID
                  SSID: Turbo-Hub-5GHz
                  SSID: BTHub3-HK7H
                  SSID: BTWiFi
                  SSID: BTWiFi-with-FON
                  SSID: BTHub3-TTX2
                  SSID: BTWiFi-with-FON
                  SSID: Shop
                  SSID: Turbo-Hub-2.4GHz
                  SSID: SKY52771
                  SSID: SKYD9728
          samhobbs.co.uk

          Comment


            #6
            Interesting that so many of those SSIDs are just random strings, it would be a real pain trying to easily identify which one is yours (if yours was one of those).

            However, if all routers had SSIDs with random strings it would make things more diffucult for malware like this to identify targets... for example if it was set up to target BT routers, identifying all routers with BT in the name is pretty easy, but if they all had names like "H220N57EF7C" you'd at least have to look up the MAC address and figure it out from there.

            I can't see manufacturers changing their default SSIDs so that they don't include the company name though, it's such easy free advertising!
            samhobbs.co.uk

            Comment

            Working...
            X