[unisog] XP silently configuring ad-hoc wifi networks

Frank Bulk frnkblk at iname.com
Fri Sep 23 18:32:08 GMT 2005


On the EDUCAUSE WIRELESS-LAN list this specific issue was discussed.  You
can manually turn off ad-hoc scanning, or push out a registry key to do the
same thing.  If you have access to your students' desktops, that sounds like
the thing to do.

Frank

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org]
On Behalf Of John Stauffacher
Sent: Friday, September 23, 2005 12:46 PM
To: UNIversity Security Operations Group
Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks

IIRC XP will automagically switch over to AD-HOC mode with the SSID of the
Infrastructure mode if it falls out of reach of the AP it was associated
with. We first had this issue when our SMCI Laptops started shipping with
internal wireless cards, but our resnet had no wireless infrastructure. It
was quite painful and really had no way of shutting it off.

Michael Schooley wrote:

>We had an instance about a month ago where an infected computer 
>apparently hijacked our legit ssid and when another computer attached 
>to the ssid a web page came up and asked to install a file. Fortunately 
>the user had current av software and it was detected as a Trojan. The 
>security people on campus dismissed the event and called me an 
>alarmist. Hmmm...sounds familiar...the generals of the tech/security 
>community ignoring the foot soldiers what a concept. Happy fighting!
>Michael Schooley
>Emory University
>
>-----Original Message-----
>From: unisog-bounces at lists.sans.org 
>[mailto:unisog-bounces at lists.sans.org]
>On Behalf Of Christopher Chow
>Sent: Friday, September 23, 2005 11:57 AM
>To: UNIversity Security Operations Group
>Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks
>
>check out the posting at SANS-ISC that may relate (it refers to AP 
>networks, but who knows the activity of this yet to be identified 
>pathogen -- could be also making its own adhoc networks to spread under 
>the radar and avoid IDS systems)
>
>http://isc.sans.org/
>
>about 3/4 of the way down the page under the heading "Wi-Fi Worm Rumors"
>
>speculation as of yet. they are awaiting packet captures and binaries. 
>might be a good idea to contact a handler if this seems rampant on your 
>campus.
>
>Christopher Chow
>c-chow at md.northwestern.edu
>
>Frank Sweetser wrote:
>
>>As all of the students wander onto campus this year, we've been noticing
>>that a lot of them have common ad-hoc SSIDs configured as a preferred
>>network. So far, none of them admit to having any idea how those networks
>>got configured or where they came from.  While it's quite possible that the
>>users told Windows to connect without realizing or just without
>>remembering, this has made me curious.
>>
>>Does anyone know of any circumstances under which an XP system might
>>attempt to connect to a previously unconfigured ad-hoc SSID without any
>>user interaction?


--
John Stauffacher, CISSP
Network Administrator
Chapman University
stauffacher at chapman.edu
ph: 714.628.7249
"It's amazing how much you take for granted when you already know what you
are doing."
"there is no /usr/local on my C:\ drive!"



