[unisog] XP silently configuring ad-hoc wifi networks

Jeremy Pollack Jeremy.Pollack at business.uconn.edu
Tue Sep 27 18:55:54 GMT 2005


Has anyone gotten any more information or found out any more details
about what is happening here? We are experiencing the problem as
described below by John, I think. Laptops getting configured to use
ad-hoc and also broadcasting Ad-Hoc access points with the same name as
our public access point. On top of it, when a student reboots their
laptop, it takes 1-3 minutes for the desktop to appear as their machine
(I assume) looks for an IP from the Ad-Hoc access point.

The only workaround I have found is to disable automatically connecting
to Ad-Hoc networks, under the Wireless Networks - Advanced
settings. However, this only fixes the slow login problem. The problem
of the Ad-Hoc points still exists.

We have a laptop program here (School of Business @ UConn) so all 1200
or so of our students actually have the same machine, and 90% of them
are all using the same laptop. Since we deployed the same model machine
this year as last, we are using basically the same image, with updated
apps and patches. The wireless driver was, in fact, not updated. We
never experienced this issue in the past, though, and there were no other
configuration changes in our building. I'm wondering if a MS patch may
have changed this behaviour somehow?

It is definitely quite painful and this thread is about all of the
information I have found so far.

> -----Original Message-----
> From: unisog-bounces at lists.sans.org 
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of John Stauffacher
> Sent: Friday, September 23, 2005 1:46 PM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks
> 
> IIRC XP will automagically switch over to AD-HOC mode with 
> the SSID of the Infrastructure mode if it falls out of reach 
> of the AP it was associated with. We first had this issue 
> when our SMCI Laptops started shipping with internal wireless 
> cards, but our resnet had no wireless infrastructure. It was 
> quite painful and really had no way of shutting it off.
> 
> Michael Schooley wrote:
> 
> >We had an instance about a month ago where an infected computer
> >apparently hijacked our legit ssid and when another computer attached
> >to the ssid a web page came up and asked to install a file. Fortunately
> >the user had current av software and it was detected as a Trojan. The
> >security people on campus dismissed the event and called me an
> >alarmist. Hmmm...sounds familiar...the generals of the tech/security
> >community ignoring the foot soldiers what a concept. Happy fighting!
> >Michael Schooley
> >Emory University
> >
> >-----Original Message-----
> >From: unisog-bounces at lists.sans.org 
> >[mailto:unisog-bounces at lists.sans.org]
> >On Behalf Of Christopher Chow
> >Sent: Friday, September 23, 2005 11:57 AM
> >To: UNIversity Security Operations Group
> >Subject: Re: [unisog] XP silently configuring ad-hoc wifi networks
> >
> >check out the posting at SANS-ISC that may relate (it refers to AP
> >networks, but who knows the activity of this yet to be identified
> >pathogen -- could be also making its own adhoc networks to spread under
> >the radar and avoid IDS systems
> >
> >http://isc.sans.org/
> >
> >about 3/4 of the way down the page under the heading "Wi-Fi Worm Rumors"
> >
> >speculation as of yet. they are awaiting packet captures and binaries.
> >might be a good idea to contact a handler if this seems rampant on your
> >campus.
> >
> >Christopher Chow
> >c-chow at md.northwestern.edu
> >
> >Frank Sweetser wrote:
> >
> >>As all of the students wander onto campus this year, we've been
> >>noticing that a lot of them have common ad-hoc SSIDs configured as a
> >>preferred network. So far, none of them admit to having any idea how
> >>those networks got configured or where they came from.  While it's
> >>quite possible that the users told Windows to connect without
> >>realizing or just without remembering, this has made me curious.
> >>
> >>Does anyone know of any circumstances under which an XP system might
> >>attempt to connect to a previously unconfigured ad-hoc SSID without
> >>any user interaction?
> >
> 
> 
> --
> John Stauffacher, CISSP
> Network Administrator
> Chapman University
> stauffacher at chapman.edu
> ph: 714.628.7249
> "It's amazing how much you take for granted when you already know what you are doing."
> "there is no /usr/local on my C:\ drive!"
> 
> 
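
An added example, not part of the thread: one way a monitoring sensor could flag the condition described above (ad-hoc stations beaconing the campus SSID) from raw 802.11 beacon frames. The SSID `campus-public`, the function names and the sample frames are constructed, and frames are assumed to start at the 802.11 MAC header with no radiotap prefix.

```python
import struct

CAMPUS_SSID = "campus-public"       # assumption: placeholder for the site's infrastructure SSID
CAP_ESS, CAP_IBSS = 0x0001, 0x0002  # 802.11 capability bits: infrastructure AP / ad-hoc

def parse_beacon(frame: bytes):
    """Return (bssid, ssid, capability) from a raw 802.11 beacon, or None."""
    if len(frame) < 36 or frame[0] != 0x80:       # 0x80 = management frame, subtype beacon
        return None
    bssid = frame[16:22]                          # addr3 of the 24-byte MAC header
    (cap,) = struct.unpack_from("<H", frame, 34)  # after 8-byte timestamp + 2-byte interval
    pos, ssid = 36, None
    while pos + 2 <= len(frame):                  # walk the tagged parameters
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + length]
        if len(body) < length:
            break                                 # truncated element: stop parsing
        if tag == 0:                              # element ID 0 = SSID
            ssid = body.decode("utf-8", "replace")
            break
        pos += 2 + length
    return bssid, ssid, cap

def adhoc_lookalikes(frames, ssid=CAMPUS_SSID):
    """BSSIDs of ad-hoc (IBSS) beacons that advertise the infrastructure SSID."""
    hits = []
    for f in frames:
        parsed = parse_beacon(f)
        if parsed is None:
            continue
        bssid, name, cap = parsed
        if name == ssid and cap & CAP_IBSS and not cap & CAP_ESS:
            hits.append(bssid.hex(":"))
    return hits

def build_beacon(bssid: bytes, ssid: str, cap: int) -> bytes:
    """Build a constructed beacon frame for the sample data below."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = b"\x00" * 8 + struct.pack("<HH", 100, cap)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid.encode()

SAMPLE = [  # constructed frames: real AP, ad-hoc lookalike, unrelated ad-hoc network
    build_beacon(bytes.fromhex("001122334455"), CAMPUS_SSID, 0x0401),
    build_beacon(bytes.fromhex("02aabbccdd01"), CAMPUS_SSID, 0x0002),
    build_beacon(bytes.fromhex("02aabbccdd02"), "other-net", 0x0002),
]
if __name__ == "__main__":
    print(adhoc_lookalikes(SAMPLE))
```
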