Slashdot Mirror


Informational Wi-Fi Traffic As a Covert Communication Channel For Malware

angry tapir writes A security researcher has developed a tool to demonstrate how the unauthenticated data packets in the 802.11 wireless LAN protocol can be used as a covert channel to control malware on an infected computer. From the article: "The protocol relies on clients and access points exchanging informational data packets before they authenticate or associate with each other, and this traffic is not typically monitored by network security devices. Tom Neaves, a managing consultant at Trustwave, developed a proof-of-concept tool called Smuggler that leverages these packets, known as wireless management frames, to communicate with malware."
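A defender-side check for the frame type the summary describes, added here as an example and not code from the Slashdot post, the article, or the Smuggler tool: it walks the information elements of beacon, probe-request and probe-response frames (the traffic exchanged before any authentication) and flags the shapes a covert channel tends to leave, namely a blank SSID element paired with a high-entropy vendor-specific element, an SSID element longer than the 32 octets the standard allows, and an element length that runs past the end of the frame. The entropy threshold, the 00:11:22 OUI, the addresses and the sample frames are constructed assumptions.

```python
import math
import struct
from collections import Counter
# Frame-control first byte per management subtype (version 0, type 0, subtype in the high nibble).
BEACON, PROBE_REQ, PROBE_RESP = 0x80, 0x40, 0x50
FIXED_LEN = {BEACON: 12, PROBE_RESP: 12, PROBE_REQ: 0}  # fixed fields between header and IEs
IE_SSID, IE_VENDOR, SSID_MAX = 0, 221, 32                # 802.11 caps an SSID at 32 octets
ENTROPY_BITS, MIN_LEN = 6.0, 16  # assumed threshold (tune against your own baseline) and minimum IE size
def build_frame(subtype, ies):
    """Construct a management frame: 24-byte MAC header, fixed fields, then the IEs."""
    hdr = struct.pack('<HH6s6s6sH', subtype, 0, b'\xff' * 6, b'\x02' * 6, b'\x02' * 6, 0)
    body = b''.join(struct.pack('BB', tag, len(v)) + v for tag, v in ies)
    return hdr + bytes(FIXED_LEN[subtype]) + body

def entropy(data):  # Shannon entropy of a byte string, in bits per byte
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def parse_ies(frame):
    """Yield (tag, value) per information element; tag -1 marks a length that runs past the frame."""
    subtype = frame[0] & 0xFC                         # drop the protocol-version bits
    off = 24 + FIXED_LEN.get(subtype, len(frame))     # unknown subtype: nothing to walk
    while off + 2 <= len(frame):
        tag, ln = frame[off], frame[off + 1]
        val = frame[off + 2:off + 2 + ln]
        if len(val) < ln:
            tag = -1                                  # truncated; the loop ends after this element
        yield tag, val
        off += 2 + ln

def assess(frame):  # findings for one frame; an empty list means nothing looked suspicious
    findings, ssid, vendor = [], None, []
    for tag, val in parse_ies(frame):
        if tag == -1:
            findings.append('truncated IE')
        elif tag == IE_SSID:
            ssid = val
            if len(val) > SSID_MAX:
                findings.append('SSID IE exceeds 32 octets')
        elif tag == IE_VENDOR:
            vendor.append(val)
    for v in vendor:  # blank SSID plus an opaque vendor payload is the covert-channel shape
        if len(v) >= MIN_LEN and entropy(v) > ENTROPY_BITS:
            findings.append('high-entropy vendor IE' + (' on blank SSID' if ssid == b'' else ''))
    return findings

# Constructed sample frames, not captures of the tool in the article; 00:11:22 is a placeholder OUI.
BENIGN = build_frame(BEACON, [(IE_SSID, b'CorpWiFi'), (IE_VENDOR, b'\x00\x50\xf2\x02\x01\x01\x80\x00')])
COVERT = build_frame(PROBE_RESP, [(IE_SSID, b''), (IE_VENDOR, b'\x00\x11\x22' + bytes(range(197)))])
OVERSIZE = build_frame(PROBE_REQ, [(IE_SSID, b'A' * 40)])
```

On a live capture the same `assess` would be run over each 802.11 management frame a monitor-mode interface sees, with findings correlated against the blank or unknown SSIDs the commenters mention.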

16 comments

  1. Requires Infected Computer. Nothing new. by danknight48 · Score: 4, Informative

    Neaves used it to implement an interactive shell that allowed him to remotely execute commands on an infected computer

    So, the computer needs to be infected 1st with additional malware software.

    More info on this malware is needed, sounds like a simple custom program coded for this very task. Otherwise, nothing new here, or interesting. He's just sending commands over wifi using a blank SSID to a computer with malware that processes the data. Glorified "hacker" VNC, nothing else.

    1. Re:Requires Infected Computer. Nothing new. by Anonymous Coward · Score: 4, Insightful

      For folks building network monitoring infrastructure intended to track control channels, this is certainly interesting. (Also, I think the summary was clear enough that it was a control channel rather than an infection vector that nobody here should be surprised by that).

      Just because it's not interesting to you...

    2. Re:Requires Infected Computer. Nothing new. by Anonymous Coward · Score: 1

      The POINT of the FA is not that it's new technology driving it or even "new malware" - the POINT is that wifi info frames are usually not monitored. It's a POC.

    3. Re:Requires Infected Computer. Nothing new. by Anonymous Coward · Score: 0

      This is an interesting tool when used with other penetration items. For example, getting data physically out of a secure server room that has no Internet connection, being able to use a Wi-Fi AP that reaches on both sides can be useful, as it needs little setup to use, as opposed to a hidden laser or other means of getting data past a physical barrier.

    4. Re:Requires Infected Computer. Nothing new. by danknight48 · Score: 1

      Just because it's not interesting to you

      I fail to see how the below is interesting:
      - Requires malware to be active on the infected pc.
      It needs software installed on Joe Bloggs' machine to connect to the target "blank SSID". Without this, there's no risk.

      - Only works on Wifi Networks.
      So unless you're 50m from the target PC, it's pointless. Let alone, you need to ensure the target PC has the malware running 1st.

      This isn't a security "risk", or even a news story. It's just some guy having some fun coding a program. A program which connects you to another wifi network that so happens to be hidden by wifi cards because it's "blank". The malware is the story, nothing else.

    5. Re:Requires Infected Computer. Nothing new. by skids · Score: 1

      Nor are interframe arrival times monitored on just about any traffic, and one could easily encode a C&C to look at stat counters on the interfaces.

      So really this is in the area of "horse already left the barn."

    6. Re:Requires Infected Computer. Nothing new. by Fjandr · Score: 1

      It means that targeted malware can be controlled without any telltale backdoor data transmissions.

      No, not a problem in general, but not all malware infections are of the long-distance, anonymous hacker sort.

  2. Re:Garbage research and garbage headline by Anonymous Coward · Score: 1

    Wow. Harsh on the pigeons, dude. What did pigeons ever do to you?

  3. icmp/echo prior art by Anonymous Coward · Score: 1

    Stuffing payload into icmp messages, anyone?

    1. Re:icmp/echo prior art by Fjandr · Score: 1

      ICMP messages are routinely filtered out by routers.

  4. Interesting Concept but Extremely Limited Potentia by zer0sig · Score: 1

    I could see how this might be an issue in the future as wireless becomes more widely available in municipalities, but part of the reason the remote takeover malware is so popular is that it allows control from far away, bounced through proxy servers and poorly monitored networks, making it difficult to track and catch the people using it. Somehow, I don't see the threat over such a proximity-limited area being very great, even if the launcher/trojan is set up in such a way as to not require physical access.

  5. Not necessarily infected by gwolf · Score: 3, Informative

    If you want to smuggle data out of a well-guarded network perimeter, you can use one or several covert channel techniques. You seem to send out innocent traffic, but secrets are encoded in it. So, in a sense, the risk is not having an infected computer — but a compromised employee.

    Covert channels are useful for future Snowdens. And, of course, they have been proven unavoidable.

  6. Alternative link by Anonymous Coward · Score: 0

    For some reason I can't reach the link in the article.

    A little searching for that quoted snippet gave me this alternative link:

    http://www.computerworld.com/article/2844286/wi-fi-traffic-can-be-used-as-covert-communication-channel-for-malware.html

  7. Re:Interesting Concept but Extremely Limited Poten by Anonymous Coward · Score: 0

    Re-read everything. It's not about new infection risk, it's about obfuscated exfiltration once infected.

  8. Duh! by Anonymous Coward · Score: 0

    A little-used parameter can be used to move information it was not intended for! That's like the oldest trick in the book.