Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Botnet Network Security Wireless Networking

One of the Most Destructive Botnets Can Now Spread To Nearby Wi-Fi Networks (arstechnica.com) 28

The sophistication of the Emotet malware's code base and its regularly evolving methods for tricking targets into clicking on malicious links has allowed it to spread widely. "Now, Emotet is adopting yet another way to spread: using already compromised devices to infect devices connected to nearby Wi-Fi networks," reports Ars Technica. From the report: Last month, Emotet operators were caught using an updated version that uses infected devices to enumerate all nearby Wi-Fi networks. It uses a programming interface called wlanAPI to profile the SSID, signal strength, and use of WPA or other encryption methods for password-protecting access. Then, the malware uses one of two password lists to guess commonly used default username and password combinations. After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," researchers from security firm Binary Defense wrote in a recently published post. "Previously thought to only spread through malspam and infected networks, Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords." The Binary Defense post said the new Wi-Fi spreader has a timestamp of April 2018 and was first submitted to the VirusTotal malware search engine a month later. While the module was created almost two years ago, Binary Defense didn't observe it being used in the wild until last month.

This discussion has been archived. No new comments can be posted.

One of the Most Destructive Botnets Can Now Spread To Nearby Wi-Fi Networks

Comments Filter:
  • by bobstreo ( 1320787 ) on Wednesday February 12, 2020 @06:01AM (#59719010)

    If you aren't forced to create a better password than 12345.

    Most devices get stuck with an admin named account, and you have to hope there aren't telnet subsystems hard-coded into your device. Or hidden accounts with known user-ids and passwords you can't remove.

    "Then, the malware uses one of two password lists to guess commonly used default username and password combinations."

    • What about 123456?

      • Way too easy to guess. A security professional would use a complex password that meets all the requirements of most advanced protection systems which force characters from multiple character subsets (Caps, loser case, numbers, specials characters etc.

        Being such a security professional is why I use P@ssw0rd123!
        • The XKCD comic explained this very well years ago.

          https://xkcd.com/936/ [xkcd.com]

          • Too bad that every secured site out there prevents you from using this kind of password. You need to have some caps, some numbers, and perhaps a symbol. That puts you back into the world of hard-to-remember passwords. So you use a short, daily guessable one instead.

            • We are our own worst enemy.

            • One service we use at work seems to enforce this VERY badly. They have eight password complexity requirements, seven of which I consider unreasonable.

              The kicker?

              "Reeeally-secure-password, like-no-kidding" (which, according to howsecureismypassword.net, would take until the heat death of the universe to crack) breaks five of the rules and is considered insecure and disallowed. "abcde1!" does not break any rules, and is thus allowed as a password.
      • Mine goes to 11...
    • Most people are not capable of creating secure passwords. A dictionary attack with unlimited time is also likely to have pretty good success rates.

      Targeted attacks are much harder to implement with something like this, but spreading effectively via a typically less-hardened path is likely to work quite well.

      Even most of the unique “passwords” for ISP router/APs are calculated based on MAC address, IIRC. I could easily expect a 2% or better success rate without really pushing the limits. Add i

      • IBM and DEC, 40 years ago had logarithmic incorrect password delays, so you can't run a password guessing loop. And back then we wrote admin passwords down(never a default one) and put it in a real safe, or if annoying a post-it note somewhere handy. Note that you lost your job if you screwed up. Always said WiFi and Bluetooth were holes waiting for exploitation as well as any loose shares. As Gomer Pile would say 'Surprise Surprise'.
        • Unfortunately that doesn’t work especially well at the network level. You have dumb devices that are supposed to “just work”, and blocking them for an exponential period because someone didn’t fix a problem for a day or two gets ineffective quickly. You also have the very easy option of changing mac addresses and starting over.

      • by Zocalo ( 252965 ) on Wednesday February 12, 2020 @08:48AM (#59719284) Homepage
        There was an interview with someone who did password recovery and pen testing for a living that I read a few years ago that was quite enlightening. Basically, for computer systems, they would tailor dictionary attacks to the target to account for local language, jargon etc., and ideally using a previously acquired password file off-line to get around retry timeouts, starting with the basic alphanumerics, then adding in additional complexity until they were into diminishing returns. Quite often they only needed a few successes in order to successfully exploit a local priviledge escalation vulnerability to get root/admin. Basic "Correct Horse Battery Staple" style passwords were also seen as easy pickings because users are lazy; taking the 2000-5000 most popular words of 8 characters or less in the main local language and just trying every combination of 3-5 words would almost always get hits on a reasonably sized password file leak.

        Routers/APs tend to be all or nothing though; it's "admin or bust" as there are not generally multiple user accounts that you can use to do a privilege escalation attack on to get root. MACs obviously don't travel beyond their local subnet in normal operation (but may still be acquired; some protocols can encapsulate them in the payload, and if you're able to sniff the AP traffic then you can obviously just grab them from the air), but sign-on banners are typically unique to a given vendor, or even hardware model, and if you know the vendor/model then you've got half the MAC because you know their OID (or OIDs if a larger vendor), and quite likely have reversed engineered any MAC-to-default-password scheme. Congrats your search space just went down by a factor of 2^24, and because most vendors are just as lazy as their users that's also pretty much game over given enough time to retry.

        As a data point on that; for grins last Christmas I setup a honey pot - an "SSH server" on a non-standard and officially unassigned port that returned an imitation of genuine router signon banner on connect, but would refuse all login attempts - to get a feel for typical botnet size and operation. I got a port scan hit after a couple of days (on Dec 24th) and started seeing login attempts using common username/password pairs from multiple IPs almost immediately, so I shutdown the server and starting dropping the traffic to study the "afterglow". As of today (Feb 12th) the same botnet (consisting of at least 6,000 hosts, so far) is still attempting to connect to the dead port at the rate of about 200 connection attempts a day (the same rate I was seeing in December), and doesn't appear to be tailing off at all. Unless your router/AP's login timeout code takes into account multiple IPs working in concert, bad actors are going to get a *lot* of attempts in, are quite prepared to spend a lot of time using somebody else's resources to try and get it if they think they have a live one, and (apparently) don't check too often to see whether this fish is actually still on the hook.

        So - no surprise to anyone that keeps up with best practice - but complex passwords absolutely need to gain entropy by virtue of being *truly* random; sticking a few "special characters" in there and/or transposing letters for numbers simply isn't going to do it any more if you get confronted with an off-line dictionary attack. If you really must do a memorable password, then mix up some languages or put some jargon in there that isn't likely to be in a "most common words" dictionary file *or* related to the industry (assume the attacker knows who they are hitting), and (duh!) limit access to your router/AP to the smallest subset of IPs possible on your internal LAN only, or better yet, restrict it to the local console port if that's an option.
      • Most people are not capable of creating secure passwords.

        Most people are stupid and lazy.

        https://strongpasswordgenerato... [strongpass...erator.com]

        It's not hard to create a strong password. It's hard to get people to understand the value of it. And that's obvious when you look at the Top 10 Shitty Password lists that haven't changed in decades regardless of increased risk.

        You can't fix Stupid. You can't even patch it.

    • by syn3rg ( 530741 )
      That's the kinda thing an idiot would have on his luggage.
    • by gweihir ( 88907 )

      In fact, this whole "most destructive" thing uses known vulnerabilities and user stupidity.

  • So where is the list of Userid and Password this thing uses? Too complicated for the scaremongers to decode I guess.

  • Find out who did this and grind them into the Earth
  • It looks like we're approaching a time when malware starts to approximate an AI script kiddie. If somebody codes for it a neural network and allows it to spread, Darwinian forces might make it progressively better at camouflage, better at acting non-suspiciously, better at running scams, etc. I am picturing a world in which the AI makes its own money (extortion, stealing from your bank account, coin mining, etc.) and buys cloud computing time in order to improve itself. Successful mutations could be recorde
  • Ask yourselves why when Windows malware makes the news it's hard to find WINDOWS mentioned unless/until technical explanations of how it works are shown.
    WINDOWS should be in the first paragraph and the title.
    The Register do that but they're British so unbeholden to Redmond..
    Non-techies (msmashdot is not news for nerds) should be informed so they don't assume Windows malware infects superior operating systems. That requires mentioning Window.

If all the world's economists were laid end to end, we wouldn't reach a conclusion. -- William Baumol

Working...