Friday, August 24, 2007

Distributed WiFi Scanning Through Malware

Distributed computing through malware, OSINT through botnets, distributed password cracking and distributed malicious economies of scale are all fully realistic nowadays. So is a plugin for a popular RAT that scans for open WiFi networks, based on an article released by the infamous 29A group:

"This plugin enables you to scan for available nearby WLANs. The bins (wifiC.dll and wifiS.dll) have been packed with UPX 3.00w. Place them in the \Plugin\ folder or load wifiC.dll manually to use the plugin."

Perhaps this is the perfect moment to comment on the email from Maureen Vilar, a moderator for BOINC's ClimatePrediction project, who contacted me regarding my blog post on distributed computing through malware and described the incident in detail:

"The 5000+ computers attached to Wate's account were very different in profile from a normal DC farm and easily identified as abnormal. Attached computers are now being looked at by members much more critically. It now appears that the trojan that attached the computers to Wate's account and thus to boinc projects was probably bundled with P2P downloads. The owners of the 5000+ computers must not have scanned these P2P downloads, and many of them must have failed to investigate why their computers were probably running slowly at 100% CPU, or in the case of laptops why they were in some cases doubtless overheating or the batteries running down. They must also have failed to check which programs were installed, even though many of the affected computers cannot have been running normally for everyday use. Imagine that many of these computers did not have an active or up-to-date firewall, or that firewall warnings were ignored. These were all basic security failures on the part of the owners of these 5000+ computers, some of which were powerful machines. The developers of legitimate software unfortunately cannot ensure that all computer owners worldwide implement basic security measures. The problem of Wate's account was first discovered by boinc team crunchers in Italy who took speedy action to inform the boinc development team in Berkeley. They in turn took rapid action to inform the administrators of the affected boinc projects. The Wate accounts on all the affected projects were disabled. Because boinc projects run a competitive credits system, it is in the interests of members to ensure that no-one is able to compete dishonestly."

To sum up: BOINC's servers weren't breached and no malware was "pushed" onto the participants' hosts through BOINC's client; instead, the BOINC client was "pulled" onto the already infected PCs by the trojan, so they started participating in ClimatePrediction. And obviously, the project has anomaly detection practices in place that ensure such incidents get detected easily.

Detection rates for the WiFi plugin:

wifiC.dll
AVG 2007.08.23 BackDoor.PoisonIvy.B
Ikarus 2007.08.23 Trojan-Downloader.Win32.QQHelper.vn
Webwasher-Gateway 2007.08.23 Win32.UPXpacked.gen!94 (suspicious)

File size: 198144 bytes
MD5: 15cbfa1ed47e45f30be0eb0dcd1ec5e3
SHA1: bdd9994a20b4ae753951c09506ae0e2db59f63e2

wifiS.dll
AntiVir 2007.08.23 BDS/BlackH.2005.A.1
AVG 2007.08.23 BackDoor.PoisonIvy.B
Panda 2007.08.23 Suspicious file
Webwasher-Gateway 2007.08.23 Trojan.BlackH.2005.A.1

File size: 10240 bytes
MD5: 11aa54103e7311ad23b4e60292dc9e82
SHA1: 59e7f0aaa8305ad0c5c830c16b531d1e2ab641b4
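The scan results above show only a handful of engines flagging the two binaries, and one of them (Webwasher-Gateway on wifiC.dll) fires on the UPX packing rather than on the plugin itself. The script below is an added example, not code from the post or from the plugin's author: it turns the MD5/SHA1 values quoted above into an IoC set, hashes candidate files against it, and adds the same packer heuristic by reading section names out of the PE section table (UPX-packed binaries typically carry sections named UPX0/UPX1). The `build_min_pe` helper is a constructed stand-in for a PE file, just a DOS stub, COFF header and section table with no code, so the logic can be exercised offline; it does not reproduce the real plugin binaries.

```python
import hashlib
import struct
from pathlib import Path
from typing import Optional

# Hashes quoted in the post for the two plugin binaries (page values).
KNOWN_BAD = {
    "md5": {
        "15cbfa1ed47e45f30be0eb0dcd1ec5e3": "wifiC.dll",
        "11aa54103e7311ad23b4e60292dc9e82": "wifiS.dll",
    },
    "sha1": {
        "bdd9994a20b4ae753951c09506ae0e2db59f63e2": "wifiC.dll",
        "59e7f0aaa8305ad0c5c830c16b531d1e2ab641b4": "wifiS.dll",
    },
}

# Section names UPX writes when it packs a PE; a triage signal, not proof of malice.
UPX_SECTIONS = {"UPX0", "UPX1", "UPX2"}


def digests(data: bytes) -> dict:
    """MD5 and SHA1 of a blob as lowercase hex, the form the post lists them in."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def match_iocs(digest: dict, iocs: dict = KNOWN_BAD) -> Optional[str]:
    """Return the IoC label for a matching digest; SHA1 is checked before MD5."""
    for algo in ("sha1", "md5"):
        label = iocs.get(algo, {}).get(digest.get(algo, ""))
        if label:
            return label
    return None


def pe_section_names(data: bytes) -> list:
    """Section names from a PE file's section table; [] if the input is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def assess(data: bytes) -> dict:
    """Exact-hash IoC match first; fall back to the packer heuristic for triage."""
    d = digests(data)
    label = match_iocs(d)
    packed = any(s in UPX_SECTIONS for s in pe_section_names(data))
    verdict = "known-bad" if label else ("suspicious" if packed else "clean")
    return {"md5": d["md5"], "sha1": d["sha1"], "ioc": label, "upx_packed": packed, "verdict": verdict}


def scan_directory(path) -> dict:
    """Assess every DLL in a folder, e.g. a RAT's \\Plugin\\ directory found on a host."""
    return {p.name: assess(p.read_bytes()) for p in Path(path).glob("*.dll")}


def build_min_pe(section_names) -> bytes:
    """Constructed test data: minimal MZ/PE headers plus a section table, no code."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the stub
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x2102)
    table = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + coff + table


if __name__ == "__main__":
    print(assess(build_min_pe([b"UPX0", b"UPX1", b".rsrc"])))
```

Two caveats a practitioner should keep in mind: the hash match only catches these exact builds, so a repacked or recompiled plugin slips past it, and UPX is used by plenty of legitimate software, which is why the packer check only yields "suspicious" and should be weighed alongside where the file was found (a RAT plugin folder is a strong context).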

Consider the following scenarios:

- malware-infected PCs opening a WiFi connection, in a port-knocking fashion, only to the wireless botnet master
- no need for wardriving, as malware authors could quickly map the entire vulnerable WiFi population around a given region, now that malware already geolocates IPs using commercial services
- once a PC inside an organization gets infected, it can automatically turn into a wardriving zombie exposing the vulnerable WiFi connections within
- Bluetooth scanning plugins would expose even more vulnerable Bluetooth-enabled devices within range of the infected host
