Security Wireless Networking

Informational Wi-Fi Traffic As a Covert Communication Channel For Malware

angry tapir writes A security researcher has developed a tool to demonstrate how the unauthenticated data packets in the 802.11 wireless LAN protocol can be used as a covert channel to control malware on an infected computer. From the article: "The protocol relies on clients and access points exchanging informational data packets before they authenticate or associate with each other, and this traffic is not typically monitored by network security devices. Tom Neaves, a managing consultant at Trustwave, developed a proof-of-concept tool called Smuggler that leverages these packets, known as wireless management frames, to communicate with malware."
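Added example, not code from the article or from the Smuggler tool: a minimal defender-side check over constructed 802.11 probe requests that parses the pre-association information elements and flags an SSID element that looks like encoded payload rather than a network name. The assumption that smuggled data would ride in the SSID element, the frame builder and the entropy/length thresholds are mine.

```python
import math
import struct

MGMT_HDR = struct.Struct("<HH6s6s6sH")  # frame control, duration, addr1, addr2 (source), addr3, seq ctrl
FIXED_LEN = {4: 0, 5: 12, 8: 12}  # fixed-field bytes before the IEs: probe request, probe response, beacon

def parse_mgmt_frame(frame):
    """Return (subtype, source MAC, [(element id, data), ...]) or None if not parseable."""
    if len(frame) < MGMT_HDR.size:
        return None
    fc, _dur, _a1, a2, _a3, _seq = MGMT_HDR.unpack_from(frame)
    if (fc >> 2) & 0x3 != 0:  # frame type 0 = management
        return None
    subtype = (fc >> 4) & 0xF
    if subtype not in FIXED_LEN:
        return None
    pos, ies = MGMT_HDR.size + FIXED_LEN[subtype], []
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break  # truncated element: stop rather than misparse
        ies.append((eid, data))
        pos += 2 + elen
    return subtype, a2.hex(":"), ies

def shannon_entropy(data):
    """Bits per byte; a real SSID is low-entropy text, encoded payload is not."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def suspicious_ssid(ies, min_len=16, max_entropy=4.0):
    """Flag an SSID element (id 0) that carries non-printable bytes or high-entropy content."""
    for eid, data in ies:
        if eid == 0 and len(data) >= min_len:
            if any(b < 0x20 or b > 0x7E for b in data) or shannon_entropy(data) > max_entropy:
                return True
    return False

def flag_frames(frames):
    """Return source MACs of pre-association frames whose SSID looks like smuggled payload."""
    parsed = (parse_mgmt_frame(f) for f in frames)
    return [p[1] for p in parsed if p and suspicious_ssid(p[2])]

def build_probe_request(src_mac, ssid):
    """Constructed sample frame: broadcast probe request from src_mac with one SSID element."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    hdr = MGMT_HDR.pack(0x0040, 0, b"\xff" * 6, src, b"\xff" * 6, 0)  # subtype 4
    return hdr + bytes([0, len(ssid)]) + ssid
```

Feed it frames captured in monitor mode (the 24-byte 802.11 header is expected, so strip any radiotap header first); the thresholds are a starting point to tune against a baseline of your own environment's probe traffic.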
  • by Dan Askme ( 2895283 ) on Friday November 07, 2014 @09:35AM (#48333161) Homepage

    Neaves used it to implement an interactive shell that allowed him to remotely execute commands on an infected computer

    So, the computer needs to be infected 1st with additional malware software.

    More info on this malware is needed, sounds like a simple custom program coded for this very task. Otherwise, nothing new here, or interesting. He's just sending commands over wifi using a blank SSID to a computer with malware that processes the data. Glorified "hacker" VNC, nothing else.

    • by Anonymous Coward on Friday November 07, 2014 @09:44AM (#48333225)

      For folks building network monitoring infrastructure intended to track control channels, this is certainly interesting. (Also, I think the summary was clear enough that it was a control channel rather than an infection vector that nobody here should be surprised by that).

      Just because it's not interesting to you...

      • Just because it's not interesting to you

        I fail to see how the below is interesting:
        - Requires malware to be active on the infected pc.
        It needs software installed on Joe Bloggs' machine to connect to the target "blank SSID". Without this, there's no risk.

        - Only works on Wifi Networks.
        So unless you're 50m from the target PC, it's pointless. Let alone, you need to ensure the target PC has the malware running 1st.

        This isn't a security "risk", or even a news story. It's just some guy having some fun coding a program. A program which connects you to another

        • by Fjandr ( 66656 )

          It means that targeted malware can be controlled without any telltale backdoor data transmissions.

          No, not a problem in general, but not all malware infections are of the long-distance, anonymous hacker sort.

    • by Anonymous Coward

      The POINT of the FA is not that it's new technology driving it or even "new malware" - the POINT is that wifi info frames are usually not monitored. It's a POC.

      • by skids ( 119237 )

        Neither are interframe arrival times on just about any traffic monitored, and one could easily encode a cnc to look at stat counters on the interfaces.

        So really this is in the area of "horse already left the barn."

    • by gwolf ( 26339 ) <gwolf@@@gwolf...org> on Friday November 07, 2014 @12:43PM (#48334451) Homepage

      If you want to smuggle data out of a well-guarded network perimeter, you can use one or several covert channel techniques. You seem to send out innocent traffic, but secrets are encoded in it. So, in a sense, the risk is not having an infected computer — But a compromised employee.

      Covert channels are useful for future Snowdens. And, of course, they have been proven unavoidable.

  • by Anonymous Coward

    Stuffing payload into icmp messages, anyone?

  • I could see how this might be an issue in the future as wireless becomes more widely available in municipalities, but part of the reason the remote takeover malware is so popular is that it allows control from far away, bounced through proxy servers and poorly monitored networks, making it difficult to track and catch the people using it. Somehow, I don't see the threat over such a proximity-limited area being very great, even if the launcher/trojan is set up in such a way as to not require physical access.
