Wednesday, October 31, 2007

What's the worst that could happen??

Duggy made a comment on my post "WEP Broken. Again. Even worse this time" that had me thinking. I was going to simply put a comment there, but it occurred to me that it might be better to make an actual entry out of it.

So someone has broken the WEP encryption on your wireless network - what is the worst that they can do?? Here is a list of things that they can do (quite easily). All of these are real-world cases and are either taken from personal experience or well-documented cases.

1. GAIN FULL CONTROL OF YOUR ROUTER.
Most routers come with a default login and password; Eircom, for example, are even nice enough to call out their default settings on their tech support page. Once an attacker has access to the router it is trivial either to route all of your traffic through another machine on the web, or simply to change your DNS settings to evilDNS.com so that every page you request goes through them instead.
The ramifications of that should be pretty obvious - all of your passwords, logins and financial information will shortly be compromised. In addition, as the router can be used to redirect to any site the attacker likes, they can easily aim a tonne of exploits at your machine in order to get some malware running on it. Congratulations, you are now generating a tonne of SPAM and your bank account is being emptied out and sent via Western Union to an address in Russia.

2. HOST PORNOGRAPHY
It is very common for child pornography rings to use unsecured (or better yet, easily breakable) wireless networks to upload / download their images and videos. They do this as it is obviously very difficult to trace back to them, as they sit in their car near your house with their laptop (or quite some distance away using an antenna). When the law enforcement agencies who monitor these sites trace back IPs, it will be to the victim's network. Quite often these attackers will leave some images on shared drives belonging to the victim in order to further lay the blame at the feet of the helpless victim while they get away scot-free.

3. USE YOUR COMPUTER AS THE BASIS OF AN ATTACK
Obvious really: they can use your network to attack other people's. Guess who will get the blame.

4. BLACKMAIL
Assuming that the attackers can read all of your mail, see every site you visit etc. (and they know who you are and where you live, after all they are a stone's throw away), it is not hard to gather enough information on something with which to blackmail you. Simple case: the attacker lives in the apartment next door and notices that the victim comes home at 5.30 every day, and their wife gets in at 6.30. Every day during that hour the victim logs onto all of their favourite porn sites. How much is the victim willing to pay not to have the list of all sites visited delivered to their wife at her place of work?

5. GOOD OLD FASHIONED BANDWIDTH THEFT
Last (well, there are loads of other things, but I should get back to work) but not least, the attacker can run up your download caps in no time. One attacker using BitTorrent every day for 24 hours on your network won't take long to break through the download cap put in place by your provider, at which point the victim will be paying by the Mb and will be facing quite a hefty phone bill at the end of it all.
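Point 1 above turns on the attacker quietly swapping the DNS servers your router hands out. A cheap defensive check is to read back the resolver configuration your machine actually received and compare it with the resolvers you expect. The following is an added example written for this post, not code from the original entry: it parses resolv.conf-style text (the format most Unix-like systems use) and reports any nameserver that is not on an allowlist. The sample configuration and the allowlist addresses are constructed for the example, and the allowlist is an assumption about your own router and ISP, so substitute your own values.

```python
import ipaddress

# Constructed sample: resolver configuration as a router might hand it to a client.
# The second nameserver is not one the owner configured.
SAMPLE_RESOLV_CONF = """\
# Generated by the router (constructed sample)
nameserver 192.168.1.1
nameserver 203.0.113.53   ; unexpected entry
search home.lan
"""

# Hypothetical allowlist: the LAN router itself plus the ISP's published resolvers.
# Replace with the addresses your own provider documents.
TRUSTED_RESOLVERS = {"192.168.1.1", "198.51.100.10", "198.51.100.11"}


def parse_nameservers(text):
    """Return the nameserver addresses from resolv.conf-style text.

    Comments introduced by '#' or ';' are stripped, addresses are normalised
    through the ipaddress module (so IPv6 forms compare reliably), and
    malformed entries are kept verbatim so that they are flagged rather than
    silently dropped.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                servers.append(parts[1])
    return servers


def find_untrusted(text, trusted=TRUSTED_RESOLVERS):
    """Return every configured nameserver that is not on the allowlist."""
    return [s for s in parse_nameservers(text) if s not in trusted]


if __name__ == "__main__":
    # On a live machine read the real file instead of the constructed sample:
    # text = open("/etc/resolv.conf").read()
    bad = find_untrusted(SAMPLE_RESOLV_CONF)
    print("untrusted resolvers:", bad if bad else "none")
```

Run it on a schedule and alert on a non-empty result; an unexpected resolver appearing without your having changed anything is exactly the symptom the post describes.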

Hope that answers the question, everyone else feel free to shout in with all of their thoughts on other horrible stuff an attacker can do.


Tuesday, October 30, 2007

And the winner is ...

Also up on Trend Micro

Who had placed their money on Storm eh? Hope you got good odds.

Needless to say the Storm network has morphed once more, not wanting to be left out during the Halloween festivities.

The site goes under the title of "Dancing Skeleton" and the executable this time is called "Halloween.exe". The site features quite an entertaining Dancing Skeleton game (complete with some good old festive exploits for good measure). As if that was not bad enough, the Russian Business Network has shown that there is truly no limit to their depravity, as they have resurrected none other than "Boom boom boom boom" by the Vengaboys as the background music. The file is downloaded from http://www.boogiewoogiedancingbones.com/amore.mid

Obviously avoid visiting these sites completely, and ensure that your AV products are up to date. Happppyyyyy Halllooowweeen!!!


Heads up - Watch out for girl.exe

Hey everyone, keep an eye out for a malicious file called girl.exe.

The threat arrives in a zip file (girl.zip) attached to an email. The mail has subject lines such as "Something Hot" and "Here it is" and contains the text:

Good morning, dear Friend!

Wanna see very sexy nude [INSERT CELEBRITY HERE]
She slowly undressed and shows her...
See in your attachment.


I've seen both Holy Berry (their misspelling, not mine) and Angelina Jolie used.

Once run, it creates a service (called "Runtime") which points to c:\windows\system32\driver\runtime.sys

The threat uses a rootkit to hide this service/file, and also to hide a hidden iexplore.exe window.

The iexplore.exe traffic is also hidden by the rootkit on the machine, but it contacts

[REMOVED]/s_60_3232286592?m=3&a=1&hdd=[PILE O'TEXT]

This in turn returns a copy of the sys file. The new file is saved as c:\windows\system32\driver\runtime2.sys and then c:\windows\system32\driver\runtime.sys is deleted. The service pointing to this updated sys file is called "Runtime2".

It also downloads a SPAM email template from the same site, and then has some communication with 216.195.[BLOCKED], receiving commands from a control server.

After this it starts to run MX queries against a huge number of mail servers. I have not seen it actually start spamming yet, but it's probably only a matter of time...
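The MX-query burst is the most network-visible stage of what the post describes, and it is something a resolver or firewall log can catch even when the rootkit hides the service and the browser window on the host. The following is an added example, not part of the original post and not derived from the sample: it walks a simple query log and flags any client that asks for MX records of many distinct domains within a short window. The log format (`<ISO timestamp> <client> <qtype> <qname>` per line) is assumed for the example, the log lines are constructed, and the window and threshold are tunable assumptions rather than figures from the post.

```python
from collections import defaultdict
from datetime import datetime


def _build_sample_log():
    """Constructed DNS query log: one ordinary client, one legitimate mail
    server doing a few MX lookups, and one host behaving like the spam bot."""
    lines = [
        "2007-10-30T09:00:00 10.0.0.5 A www.example.com",
        "2007-10-30T09:00:03 10.0.0.9 MX example.net",
        "2007-10-30T09:00:40 10.0.0.9 MX example.org",
        "2007-10-30T09:05:10 10.0.0.9 MX example.com",
    ]
    # The infected host: 45 MX queries for 45 different domains in 45 seconds.
    for i in range(45):
        lines.append(f"2007-10-30T09:02:{i:02d} 10.0.0.23 MX domain{i}.example")
    return "\n".join(lines)


SAMPLE_DNS_LOG = _build_sample_log()


def parse_log(text):
    """Parse '<timestamp> <client> <qtype> <qname>' lines into tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, qtype, qname = line.split()
        events.append((datetime.fromisoformat(ts), client, qtype.upper(), qname.lower()))
    return events


def find_mx_bursts(events, window_s=60, threshold=20):
    """Return {client: peak_distinct_domains} for clients whose MX queries for
    distinct domains within any window of window_s seconds reach threshold.

    A sliding window over each client's sorted MX queries keeps the check
    linear in the number of queries per client; a real mail server repeating
    the same handful of domains stays under the distinct-domain threshold."""
    by_client = defaultdict(list)
    for ts, client, qtype, qname in events:
        if qtype == "MX":
            by_client[client].append((ts, qname))

    flagged = {}
    for client, queries in by_client.items():
        queries.sort()
        start = 0
        peak = 0
        for end in range(len(queries)):
            while (queries[end][0] - queries[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, len({q for _, q in queries[start:end + 1]}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in find_mx_bursts(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {peak} distinct MX targets inside 60s - investigate")
```

The distinct-domain count rather than the raw query count is deliberate: a genuine mail relay retries MX lookups for the same few domains, whereas a spam engine enumerates recipients across thousands of domains. Tune the threshold against your own baseline before alerting on it.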


Something wicked this way comes....

As probably everyone is aware Halloween takes place tomorrow on October 31st. Malware has a long history of exploiting this particular holiday for its social engineering tricks, all the way back to 1991 when the Halloween Virus showed up.

That threat was a file infector that triggered every Halloween, and was so named because it contained the string "Happy Halloween". This was a proper old-style virus from well before the days of phishing, credit card fraud, spam, rootkits etc. - it just spread.

Tomorrow I doubt we will be so lucky; it will be interesting to see which threat will be the first to exploit this particular holiday. The safe bet of course is the Storm network, courtesy of the RBN, however with rumours that they are having their own problems from all of their media attention, someone else may sneak in and claim the prize.

Needless to say, watch this space, and for the love of god don't open anything called pumpkin.exe


Wednesday, October 17, 2007

Storm - The New Global Sharing Network !?!

EDIT: Also up on Trend Micro

While testing IP addresses that had previously been known to serve Storm samples, we came across a nice surprise. Although the Storm network has not yet started to send a new wave of emails, it looks like they are in the process of setting up the sites to handle them, so expect a new wave shortly.

As can be seen in the screenshot below, the site will be using the name "Krackin v1.2", so it looks like the Laughing Psycho Kitty Cat has been put to rest (poor thing).



This time around the executable name is krakin.exe, but apart from the name change all of the usual Storm attributes are there. Upon execution, the victim's machine joins the now infamous Storm P2P network, where it may be used for any number of criminal purposes. Not quite "The New Global Sharing Network" that the victim had been hoping for...


Sense of Humour from the RBN??

I've made several posts on this blog about the Storm Worm and the Russian Business Network already, so people who read this probably have a good idea what they are. In addition to spreading itself via social engineering tricks like ArcadeWorld or The Laughing Kitty, the Storm network also sends out phenomenal amounts of stock SPAM. I've become very used to seeing this spam of late, so I was quick to recognise a mail when it arrived in my inbox.

These SPAM messages are normally randomly generated, with only the stock staying the same (and they use some obfuscation on that also). Having said that, check out the first line of this mail...

EXTO Is Ready To Take US By Storm.

EXIT ONLY INC
EXTO.PK
Current Price: $0.43

Exit Only Inc. provides a whole new market for selling your used car
online for free and charging only for buyers info. This new approach to
the online used car market is expected to take US sellers by storm. The
revolutionary fee structure removes risk from sellers and moves cars
faster. This will behuge. Early morning news break announced that the US
site is ready to launch well ahead of schedule. Get in before this takes
off with that launch. Grab EXTO first thing Wednesday morning.

Sense of humour? Well, I found it funny. Needless to say, do not bother trying to buy these shares in the hope of making tonnes of money - the only ones who ever really profit are the criminals themselves.

There are also 2 excellent articles on the RBN in the Washington Post here, here and here.


Wednesday, October 3, 2007

WEP Broken. Again. Even worse this time.

Nice work to Pat "P.Fiddy" Fitzgerald, who beat me by about 10 minutes to publishing a blog post on the Eircom WEP key issue :) Go have a read of it on the Symantec blog here

An actual implementation of the attack is now online, and linked on forums etc. all over the place. In the interest of full disclosure (and as Eircom has already gone VERY public with this, posting on their SITE, the RTE news and several national newspapers), the POC is located at http://s4dd.yore.ma/eircom/ with several downloadable versions, as well as an online version of the tool.

Credit for the actual crack has to go to Kevin Devine though, who has a full set of details on his site at http://h1.ripway.com/kevindevine/wep_key.html including source code. Interesting and well worth a read. Nice work Kevin.

So what does all this mean? Well, for starters, as per Eircom's own advice you should reconfigure your router to use WPA. WPA is a big improvement on WEP (which can be broken regardless of the Eircom method in about 10 minutes on a normal computer), but is still vulnerable to a dictionary attack, so I would also advise that when choosing a password to generate your WPA key, you use a strong one.
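The reason the dictionary attack works is worth seeing in code. In WPA-PSK the 256-bit pairwise master key is derived from nothing but the passphrase and the SSID (PBKDF2-HMAC-SHA1, 4096 iterations, per IEEE 802.11i), so the passphrase is the only secret and anyone who captures a handshake can test candidate passphrases offline at one PBKDF2 computation each. The example below is added for this post and is not code from the entry or from either of the linked write-ups: it derives the PSK, shows how quickly a wordlist passphrase falls, and generates a random passphrase of the kind the post recommends. The wordlist and the SSID are constructed for the example; the alphabet is an assumption of what routers accept (any printable ASCII of 8 to 63 characters is valid).

```python
import hashlib
import math
import secrets
import string


def wpa_psk(passphrase, ssid):
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes),
    as specified for WPA/WPA2 pre-shared key mode."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def passphrase_in_wordlist(psk, ssid, wordlist):
    """Return the wordlist entry that produces psk for this ssid, or None.

    This is the whole of a dictionary attack: one derivation per guess, with
    nothing to slow it down beyond PBKDF2's fixed 4096 iterations. Use it to
    audit your own passphrase against a list of common ones."""
    for word in wordlist:
        if wpa_psk(word, ssid) == psk:
            return word
    return None


# Assumed alphabet: letters, digits and a handful of punctuation characters
# that home routers reliably accept in a passphrase.
ALPHABET = string.ascii_letters + string.digits + "!#%+-.:=?@_"


def generate_passphrase(length=20):
    """Random passphrase from ALPHABET using the OS entropy source."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrases must be 8 to 63 characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random passphrase of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    ssid = "eircom_example"                    # constructed SSID
    common = ["password", "letmein", "eircom1", "halloween"]  # constructed list
    weak = wpa_psk("eircom1", ssid)
    print("weak passphrase recovered as:", passphrase_in_wordlist(weak, ssid, common))

    strong = generate_passphrase(20)
    print("strong passphrase:", strong,
          f"({passphrase_entropy_bits(20):.0f} bits of entropy)")
    print("recovered from wordlist:", passphrase_in_wordlist(wpa_psk(strong, ssid), ssid, common))
```

Twenty random characters from a 73-symbol alphabet is about 124 bits, far beyond what offline guessing can reach; a passphrase taken from any list, however long the list, costs the attacker exactly one PBKDF2 per entry. Note also that the PSK depends on the SSID, so keeping the default SSID lets an attacker reuse precomputed tables across every router with that name.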

It remains to be seen how many Eircom users will actually update their routers; I have the feeling that this issue will be in the wild for quite some time to come. Even though WEP is an already flawed algorithm, as is so often the case in cryptographic attacks, this time it was the implementation that was to blame.
