Chameleon WiFi Virus



I have a friend who has told me they are "infected" with something called Chameleon. It seems it may be this:

https://blog.malwarebytes.com/threat-analysis/2014/03/chameleon-wifi-virus-spreads-like-a-cold/

 

I'm not a fan of these metaphors like "it spreads like the cold". I want to know how it works. They give suggestions about how to strengthen your WiFi network but routers don't sneeze. So what's going on? Is this "virus" using the router resources to brute force other networks in range? And at the same time catching all the traffic? That seems pretty crazy for a consumer router to be able to handle that much. It would likely burn itself out or at least require a reboot every once in a while. 

 

Any information anyone has would be appreciated. I didn't see anything when I searched for this on the forums which is surprising.


Hello,

 

Usually a module added to the embedded OS or even the entire firmware load reflashed to do whatever the attacker wants. Common uses include:

 

  • modified DNS settings for redirecting traffic to financial institutions, webmail and other network accounts, ad injection, etc.
  • script injection for capturing form data, ad injection, ad fraud, etc.
  • conducting denial of service attacks as part of a botnet (e.g., DDoS)

Really only limited by what the attacker decides to do, resources of the router or modem and bandwidth.

 

Regards,

 

Aryeh Goretsky

 


Taken from the source material provided

 

"Don’t broadcast your network’s name (SSID)"

I don't and remember getting laughed at... fun times :p 

So this 'virus' so to speak... It's possible to defend against it with a really good password??


1 minute ago, The Evil Overlord said:

Taken from the source material provided

 

"Don’t broadcast your network’s name (SSID)"

I don't and remember getting laughed at... fun times :p 

So this 'virus' so to speak... It's possible to defend against it with a really good password??

Well, hiding your ssid doesn't really do anything so...


2 minutes ago, adrynalyne said:

Well, hiding your ssid doesn't really do anything so...

I know, I learned that the hard way...

(ironically, I still do it, sometimes I don't even realise I've hit the checkbox until I have...)


Has to be one of the worst-written supposed-to-be tech articles I ever wasted time reading... WTF... use MAC filtering, don't broadcast your SSID.. utter nonsense.. The only actual decent advice: don't use WEP, and use a strong password ;) no sh_t really ya think..

So what was your friend using, Open or WEP? What router did he have? Had he updated the default password? Sorry, but the way this worked is twofold: not only does it have to get on your wifi, it then has to have admin access to the AP/router to change the firmware. MAC filtering and not broadcasting your SSID are completely, utterly pointless.. Now if you want to use MAC filtering to stop your 8-year-old kid from getting his handheld game on your wifi, sure. Why does he know your PSK in the first place?

Sure, in theory your wifi router could be hit with this, and sure, any other wifi it can talk to in the area could be infected as well as it propagates.. That is what a worm is meant to do.. But again, it has to be able to access your wifi, and it has to be able to access the method of updating the firmware. Now sure, there could be exploits, etc. But if your friend caught this, it was prob some script kiddie variant that uses the defaults of your common routers like Linksys, D-Link, etc.

Here is an actual paper on how fast something like this could spread, and how it could be detected, etc.

http://jis.eurasipjournals.com/content/pdf/1687-417X-2013-2.pdf

 


Hello,

 

Here are some articles on malware that infects routers and other IoT devices from some of my co-workers:

Perhaps you'll find them of interest/use.

 

Regards,

 

Aryeh Goretsky

 

