[unisog] XP silently configuring ad-hoc wifi networks

John Stauffacher stauffacher at chapman.edu
Fri Sep 23 17:45:37 GMT 2005


IIRC XP will automagically switch over to AD-HOC mode with the SSID of 
the Infrastructure mode if it falls out of reach of the AP it was 
associated with. We first had this issue when our SMCI Laptops started 
shipping with internal wireless cards, but our resnet had no wireless 
infrastructure. It was quite painful and really had no way of shutting 
it off.

Michael Schooley wrote:

>We had an instance about a month ago where an infected computer apparently
>hijacked our legit ssid and when another computer attached to the ssid a web
>page came up and asked to install a file. Fortunately the user had current
>av software and it was detected as a Trojan. The security people on campus
>dismissed the event and called me an alarmist. Hmmm...sounds familiar...the
>generals of the tech/security community ignoring the foot soldiers what a
>concept. Happy fighting!
>Michael Schooley
>Emory University
>
>-----Original Message-----
>From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
>On Behalf Of Christopher Chow
>Sent: Friday, September 23, 2005 11:57 AM
>To: UNIversity Security Operations Group
>Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks
>
>check out the posting at SANS-ISC that may relate (it refers to AP 
>networks, but who knows the activity of this yet to be identified 
>pathogen -- could be also making its own adhoc networks to spread under 
>the radar and avoid IDS systems)
>
>http://isc.sans.org/
>
>about 3/4 of the way down the page under the heading "Wi-Fi Worm Rumors"
>
>speculation as of yet. they are awaiting packet captures and binaries. 
>might be a good idea to contact a handler if this seems rampant on your 
>campus.
>
>Christopher Chow
>c-chow at md.northwestern.edu
>
>Frank Sweetser wrote:
>
>>As all of the students wander onto campus this year, we've been noticing that a
>>lot of them have common ad-hoc SSIDs configured as a preferred network.  So
>>far, none of them admit to having any idea how those networks got configured or
>>where they came from.  While it's quite possible that the users told Windows to
>>connect without realizing or just without remembering, this has made me
>>curious.
>>
>>Does anyone know of any circumstances under which an XP system might attempt to
>>connect to a previously unconfigured ad-hoc SSID without any user interaction?
>
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
>  
>


-- 
John Stauffacher, CISSP
Network Administrator
Chapman University
stauffacher at chapman.edu
ph: 714.628.7249
"It's amazing how much you take for granted when you already know what you are doing."
"there is no /usr/local on my C:\ drive!"
