Informational Wi-Fi Traffic As a Covert Communication Channel For Malware
angry tapir writes: A security researcher has developed a tool to demonstrate how the unauthenticated data packets in the 802.11 wireless LAN protocol can be used as a covert channel to control malware on an infected computer. From the article: "The protocol relies on clients and access points exchanging informational data packets before they authenticate or associate with each other, and this traffic is not typically monitored by network security devices. Tom Neaves, a managing consultant at Trustwave, developed a proof-of-concept tool called Smuggler that leverages these packets, known as wireless management frames, to communicate with malware."
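For the monitoring side of the summary above, here is an added example (not from the article, the thread, or the Smuggler tool) of parsing captured 802.11 management frames and flagging transmitters whose SSID elements look unlike normal discovery traffic. The heuristics, the `max_ssids` threshold, and the sample frames are assumptions constructed for illustration; the page does not describe how Smuggler encodes its data.

```python
from collections import defaultdict

# Bytes of fixed fields before the tagged parameters, per management subtype:
# 4 = probe request, 5 = probe response, 8 = beacon.
BODY_OFFSET = {4: 0, 5: 12, 8: 12}

def parse_mgmt(frame: bytes):
    """Return (transmitter MAC, [(ie_id, value)]) or None if not a handled frame."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in BODY_OFFSET:
        return None
    pos, ies = 24 + BODY_OFFSET[subtype], []
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + ie_len]
        if len(value) < ie_len:  # truncated element: keep what parsed so far
            break
        ies.append((ie_id, value))
        pos += 2 + ie_len
    return frame[10:16].hex(":"), ies

def review(frames, max_ssids=3):
    """Map transmitter MAC -> sorted reasons its discovery traffic looks unusual."""
    ssids, findings = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None:
            continue
        src, ies = parsed
        for ie_id, value in ies:
            if ie_id != 0:  # only the SSID element is inspected here
                continue
            ssids[src].add(value)
            # Hidden networks may send an all-zero SSID, so strip NULs first.
            if any(b < 0x20 or b == 0x7F for b in value.strip(b"\x00")):
                findings[src].add("non-printable SSID bytes")
    for src, seen in ssids.items():
        if len(seen) > max_ssids:
            findings[src].add("many distinct SSIDs")
    return {src: sorted(reasons) for src, reasons in findings.items()}

def build(subtype, src, ssid):
    """Constructed frame: 24-byte header, zeroed fixed fields, one SSID element."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    return hdr + b"\x00" * BODY_OFFSET[subtype] + bytes([0, len(ssid)]) + ssid

A, B, C = (bytes([2, 0, 0, 0, 0, x]) for x in (0xAA, 0xBB, 0xCC))
SAMPLE = [build(4, A, b""), build(4, A, b"CorpWiFi"), build(8, C, b"\x00" * 8)]
SAMPLE += [build(4, B, bytes([1, i, 0x1F])) for i in range(5)]
```

Calling `review(SAMPLE)` reports only the constructed transmitter ending in `bb`; real captures would need the radiotap header stripped before the frames are passed in.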
Requires Infected Computer. Nothing new. (Score:5, Informative)
Neaves used it to implement an interactive shell that allowed him to remotely execute commands on an infected computer
So, the computer needs to be infected 1st with additional malware software.
More info on this malware is needed, sounds like a simple custom program coded for this very task. Otherwise, nothing new here, or interesting. He's just sending commands over wifi using a blank SSID to a computer with malware that processes the data. Glorified "hacker" VNC, nothing else.
Re:Requires Infected Computer. Nothing new. (Score:4, Insightful)
For folks building network monitoring infrastructure intended to track control channels, this is certainly interesting. (Also, I think the summary was clear enough that it was a control channel rather than an infection vector that nobody here should be surprised by that.)
Just because it's not interesting to you...
Re: (Score:2)
Just because it's not interesting to you
I fail to see how the below is interesting:
- Requires malware to be active on the infected pc.
It needs software installed on Joe Bloggs' machine to connect to the target "blank SSID". Without this, there's no risk.
- Only works on Wifi Networks.
So unless you're 50m from the target PC, it's pointless. Let alone, you need to ensure the target PC has the malware running 1st.
This isn't a security "risk", or even a news story. It's just some guy having some fun coding a program. A program which connects you to another
Re: (Score:2)
It means that targeted malware can be controlled without any telltale backdoor data transmissions.
No, not a problem in general, but not all malware infections are of the long-distance, anonymous hacker sort.
Re: (Score:1)
The POINT of the FA is not that it's new technology driving it or even "new malware" - the POINT is that wifi info frames are usually not monitored. It's a POC.
Re: (Score:2)
Neither are interframe arrival times on just about any traffic monitored, and one could easily encode a cnc to look at stat counters on the interfaces.
So really this is in the area of "horse already left the barn."
Not necessarily infected (Score:4, Informative)
If you want to smuggle data out of a well-guarded network perimeter, you can use one or several covert channel techniques. You seem to send out innocent traffic, but secrets are encoded in it. So, in a sense, the risk is not having an infected computer — but a compromised employee.
Covert channels are useful for future Snowdens. And, of course, they have been proven unavoidable.
Re: (Score:1)
icmp/echo prior art (Score:1)
Stuffing payload into icmp messages, anyone?
Re: (Score:2)
ICMP messages are routinely filtered out by routers.
Interesting Concept but Extremely Limited Potentia (Score:1)