[unisog] XP silently configuring ad-hoc wifi networks

Michael Schooley michael.schooley at emory.edu
Fri Sep 23 16:40:19 GMT 2005


We had an instance about a month ago where an infected computer apparently
hijacked our legit SSID, and when another computer attached to the SSID a web
page came up and asked to install a file. Fortunately the user had current
AV software and it was detected as a Trojan. The security people on campus
dismissed the event and called me an alarmist. Hmmm...sounds familiar...the
generals of the tech/security community ignoring the foot soldiers, what a
concept. Happy fighting!
Michael Schooley
Emory University

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of Christopher Chow
Sent: Friday, September 23, 2005 11:57 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks

Check out the posting at SANS-ISC that may relate (it refers to AP
networks, but who knows the activity of this yet-to-be-identified
pathogen -- it could also be making its own ad-hoc networks to spread under
the radar and avoid IDS systems).


http://isc.sans.org/



About 3/4 of the way down the page under the heading "Wi-Fi Worm Rumors".

Speculation as of yet. They are awaiting packet captures and binaries.
Might be a good idea to contact a handler if this seems rampant on your
campus.





Christopher Chow
c-chow at md.northwestern.edu






Frank Sweetser wrote:
> As all of the students wander onto campus this year, we've been noticing that a
> lot of them have common ad-hoc SSIDs configured as a preferred network. So
> far, none of them admit to having any idea how those networks got configured or
> where they came from. While it's quite possible that the users told Windows to
> connect without realizing or just without remembering, this has made me
> curious.
>
> Does anyone know of any circumstances under which an XP system might attempt to
> connect to a previously unconfigured ad-hoc SSID without any user interaction?



