Announcement

Collapse
No announcement yet.

An old virus has risen from the dead!

Collapse
This topic is closed.
X
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    An old virus has risen from the dead!

    Researchers in the United Kingdom have discovered/invented (?) what is called "Chameleon AP", a polymorphic virus that passes from Wifi AP to Wifi AP without using the Internet backbone, successfully evading Internet security features, such as deep packet inspection. It was reported today but the authors first published about their creation in July of 2013.

    http://jis.eurasipjournals.com/content/2013/1/2
    A new form of compromised AP attack has been demonstrated and analysed in, called the 'Chameleon’ attack, perpetrated by the Chameleon virus. This attack replaces the firmware of an existing AP and masquerades the outward facing credentials. Thus, all visible and physical attributes are copied and there is no significant change in traffic volume or location information. Hence, this attack is considered advanced and difficult to detect, as IDS rogue AP detection methods typically rely on a change in credentials, location or traffic levels. This work provides analysis of the Chameleon virus and demonstrates a method of detecting the propagation of the virus, as it constitutes an advanced rogue AP.
    A polymorphic virus by the same name was first noticed in 1990.
    http://virus.wikia.com/wiki/Chameleon
    I don't know if the authors used this virus or just borrowed its name.

    The principal steps of the Chameleon virus are as follows:
    1. Establish a list of susceptible APs within the current location.
    2. Bypass any encryption security on the AP.
    3. Bypass the administrative interface on the AP.
    4. Identify and store AP system settings.
    5. Replace the AP firmware on vulnerable APs with the virus-loaded firmware.
    6. Reload the victim AP system settings.
    7. Propagate virus (return to 1).
    Propagation of a virus over the wireless interface, rather than via wired backbone, presents several benefits for propagation. Firstly, the propagation of the virus would continue despite upgrades to backbone internet virus security methods, such as deep packet inspection. Without significant changes to AP operations, the attack can only be detected using WiFi frames. Secondly, the presence and volume of infected devices could not be assessed using existing forensic methods such as connection to suspicious IPs or known malicious domains. Thirdly, the virus can infect nodes which are not connected to the backbone internet. Finally, this virus is uniquely able to target APs within a specific region as propagation is based on proximity. Each of these factors presents additional challenges with detection of the virus if it is restricted to propagating over the wireless medium.

    I've highlighted what seems to me is a significant and difficult step. I cannot imagine the virus downloading firmware for any and every wifi modem it encounters, infecting it and then burning it. The virus must look for specific models of Wifi modems because burning firmware on a modem is not a simple process. The virus firmware had to be infected ahead of time so that it could be easily downloaded and installed onto the target wifi. Steps 2 and 3 seem difficult as well.
    Last edited by GreyGeek; Feb 26, 2014, 02:23 PM.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.
    Tags: None
    • Top
    • Bottom
    #2
    Hmm yeah, I guess the firmware would have to be something really popular. Not sure about in your area, but most of the routers here (about 70% between them) are either BT Home Hubs or VirginMedia Super Hubs (based on personal experience and SSIDs, which often reveal the manufacturer's name). I guess there are enough of these that overlap to allow the virus to spread over wide areas. We're probably more at risk than you guys because of our population density, too.

    Lots of commercial routers support WPS pin setup, which I believe I read is flawed, which is the reason it's unsupported in *wrt. That might be enough to get past no.2. I wonder how random the randomised admin passwords really are for access points, or if there's a pattern?
    samhobbs.co.uk
    • Top
    • Bottom

    Comment

      #3
      From what I've read there is a "pattern".
      The most popular password is "123456" and next to it is "password".
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
      – John F. Kennedy, February 26, 1962.
      • Top
      • Bottom

      Comment

        #4
        Not on newer routers though, and since you need overlapping access points that probably wouldn't be good enough to spread far. Assuming the passwords are not changed from the defaults, you're left guessing seemingly random alphanumeric strings... I'm wondering if they're truly random or if there could be a pattern.
        samhobbs.co.uk
        • Top
        • Bottom

        Comment

          #5
          When in the UK and using WIFI I always notice the abundance of BT routers, I'm pretty sure the majority of them are of similar design.
          Similar is bound to happen at other places.
          Another reason to fight mono-culture.
          • Top
          • Bottom

          Comment

            #6
            Yep, I'd say this is fairly typical:

            Code:
            feathers-mcgraw@Hobbs-T440s:~$ sudo iw dev wlan0 scan | grep SSID
        SSID: Turbo-Hub-5GHz
        SSID: BTHub3-HK7H
        SSID: BTWiFi
        SSID: BTWiFi-with-FON
        SSID: BTHub3-TTX2
        SSID: BTWiFi-with-FON
        SSID: Shop
        SSID: Turbo-Hub-2.4GHz
        SSID: SKY52771
        SSID: SKYD9728
            samhobbs.co.uk
            • Top
            • Bottom

            Comment

              #7
              Heh, good point to do a scan, something I hardly ever do at home.

              With the laptop, the monoculture is worse at my place:
              Code:
                      SSID: Area51
        SSID: Ziggo
        SSID: SX55154DCCD
        SSID: Ziggo6927C_EXT
        SSID: Ziggo6927C
        SSID: Ziggo
        SSID: VGV75197F96AC
        SSID: Ziggo52348
        SSID: Ziggo
        SSID: Ziggo82B46
        SSID: Ziggo
              With a 'high' gain antenna:
              Code:
                                  ESSID:"Ziggo6927C_EXT"
                    ESSID:"Tele2"
                    ESSID:"HG655D-89997B"
                    ESSID:"Ziggo52348"
                    ESSID:"Ziggo"
                    ESSID:"Area51"
                    ESSID:"Ziggo278E8"
                    ESSID:"Ziggo"
                    ESSID:"SX55154DCCD"
                    ESSID:"VGV75197F96AC"
                    ESSID:"Ziggo82B46"
                    ESSID:"VGV75196E8B3F"
                    ESSID:"Ziggo467EC"
                    ESSID:"Ziggo"
                    ESSID:"VGV75196A6B9C"
                    ESSID:"VGV75198E315A"
                    ESSID:"HUAWEI-H9KU4H"
                    ESSID:"Ziggo51858"
                    ESSID:"a4g9l778bffn13pin"
                    ESSID:"tele2-7F69"
                    ESSID:"Ziggo"
                    ESSID:"Ziggo"
                    ESSID:"VdLinden"
                    ESSID:"SpeedTouch572A17"
                    ESSID:"H220N881024"
                    ESSID:"Ziggo45164"
                    ESSID:"HG655D-CB616B"
                    ESSID:"Ziggo"
                    ESSID:"SitecomB09FFC"
                    ESSID:"SpeedTouchC5D526"
                    ESSID:"SiemTruusApple"
                    ESSID:"Ziggo6927C"
                    ESSID:"H220N57EF7C"
                    ESSID:"ARV7519A35C87"
                    ESSID:"EnGeniusCCCDB0"
                    ESSID:"Sitecom03976C"
                    ESSID:"VGV75194A7426"
                    ESSID:"@Home73958"
                    ESSID:"Ziggo59641"
                    ESSID:"Ziggo"
              Knowing my neigbours I have no illusions (m)any of them changed the default password...
              A couple of years ago SpeedTouches had a password that could be deduced from their SSID, those should have been replaced.
              Obviously I can't mention what's behind Area51.
              • Top
              • Bottom

              Comment

                #8
                Interesting that so many of those SSIDs are just random strings, it would be a real pain trying to easily identify which one is yours (if yours was one of those).

                However, if all routers had SSIDs with random strings it would make things more diffucult for malware like this to identify targets... for example if it was set up to target BT routers, identifying all routers with BT in the name is pretty easy, but if they all had names like "H220N57EF7C" you'd at least have to look up the MAC address and figure it out from there.

                I can't see manufacturers changing their default SSIDs so that they don't include the company name though, it's such easy free advertising!
                samhobbs.co.uk
                • Top
                • Bottom

                Comment

                Previous template Next
                Working...
                X