Aggressive Wi-Fi attack malware developed - in a lab

News by Steve Gold

New Wi-Fi malware has the potential to cause serious problems if it falls into the wrong hands, according to Professor John Walker, Nottingham-Trent University.

A research team with Liverpool University has created an aggressive proof-of-concept piece of malware designed to propagate via Wi-Fi and use multiple attack vectors to infect any computer system it encounters.

Details of the project will be published in the EURASIP Journal on Information Security, and build on earlier research from the team.

Known as Chameleon, the malware has been designed to rotate through multiple known structural weaknesses in wireless APs (access points) and systems, as well as avoiding detection using multiple methodologies.

The good news is that the code has no payload, but simulated tests carried out in Belfast and London have proven the malware as successful in propagating itself across wireless networks.

What is interesting about the tests are that the University's School of Electrical Engineering, Electronics and Computer Science reports the code was able to successfully infect remote systems, since traditional security software looks for malware either on the host system or the Internet – not across a wireless link.

This suggests the malware uses a malformed packet header approach to compromising the Wi-Fi routers and systems it encounters.

In addition, by adopting an interrogative approach to the routers - similar to Wi-Fi sniffing apps such as Fing - the code can also gain access to other computers that are also wirelessly linked to the router concern.

Alan Marshall, professor of network security with the University, said that, when Chameleon attacked an AP, it did not affect how it worked, but was able to collect and report the credentials of all other WiFi users who connected to it. "The virus then sought out other Wi-Fi APs that it could connect to and infect,” he explained.

Professor Marshall went on to say that Wi-Fi connections are increasingly a target for computer hackers because of well-documented security vulnerabilities, which make it difficult to detect and defend against a virus.

Professor John Walker of Nottingham-Trent University's school of science and technology, said he was unsure of the reasoning behind publishing the methodology on how the code operated – he also warned of the dangers of the malware leaking beyond the research team.

"Now they have created this code, they need to look after it. They should not be taking the malware home, nor should they be leaving it, for example, on a laptop that can be accessed by other people," he said, adding that what the researches have created sounds more like an APT (Advanced Persistent Threat) than a simple piece of code.

"It sounds almost like a mini-Stuxnet, as it has the potential to cause serious problems if it falls into the wrong hands,” he explained.

Rob Shapland, technical operations manager with pen-testing specialist First Base Technologies, said that Chameleon is a very clever piece of code and warned that it would be a relatively simple task to add a payload to the malware. "It's interesting that it blacklists protected Wi-Fi APs," he said, adding that the malware's methodology is an evolution of earlier attack mechanisms.

Keith Bird, UK managing director with security vendor Check Point, said that Chameleon is a really interesting development, as it mirrors how real-world attackers are increasingly exploiting new vectors and devices that are not protected by traditional anti-malware measures. 

"The spam attack over Christmas 2013 that used more than 100,000 consumer devices - including Web-connected refrigerators, smart TVs and multimedia hubs - showed how vulnerable such smart devices are," he said, adding it also illustrated how open networks cannot be trusted.

"It is critical it is that users change the settings for these devices away from the factory defaults, to stop hacking and other forms of attack," he explained.

Brendan Rizzo, EMEA technical director with Voltage Security, said that Chameleon's development demonstrates the further deterioration of the traditional perimeter-based approach to security. 

People must now assume that any network and any firewall can be breached. "Instead they must focus on protecting the data itself so that if an attacker does reach their sensitive data, it remains protected with strong encryption," he explained.

Michael Sutton, VP of security research with Zscaler, said that Chameleon should be considered a worm, with the best defence being to ensure that default passwords on wirelessly connected hardware are changed - but sadly, he added, this is a basic control that is often ignored.

In related news, Bluebox Security CTO Jeff Forristal showcased one Wi-Fi attack method that could trick smartphones into connecting to spoofed service set identifiers (SSIDs), used to uniquely identify wireless networks, at this week's RSA Conference.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews