Monday, July 12, 2010

My wireless network got hacked. Unremovable rootkit? New botnet tactic?

Edit (July 6, 2013): It has taken me almost three (3) years to come up with a secure WiFi solution since I first wrote and published this article. It is my professional and personal opinion that, outside of running 200 ft. of Ethernet (which I actually did), only a WPA2-Enterprise AES w/ EAP+TLS setup is secure. My hope is that you come to the realization that your own WiFi network is not secure as you read my story below.

I take security VERY seriously and violations of that security even more seriously. Hacking my personal networking infrastructure is near impossible. Or so I thought.

First, some background. I run...well, I used to run a wireless network access point. Yes, it is one of those consumer-grade, wireless network setups because I'm a cheapskate. The brand doesn't matter. Here's the critical bit of information: I ran the wireless access point with WPA-PSK (TKIP) using a completely random key of about 40 characters in length and a different SSID from the default plus MAC address filtering. Standard WPA-PSK cracking tools were theoretically never going to gain access to my personal network. I also had the benefit of being surrounded by quite a few open wireless networks. I figured those networks would be picked over mine. Plus, I don't turn on my laptops very often - so gaining access through passive traffic sniffing would be a nightmare. Basically, the worst possible set of conditions for anyone hacking my network - psychologically undesirable, physically undesirable, hard to crack, and I monitor my network and computers like a hawk.
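As an added example (not from the original post), the following Python reproduces the 802.11i passphrase-to-key derivation that both WPA-PSK and WPA2-PSK use and estimates whether a passphrase is within reach of the dictionary attacks mentioned above. The SSID and 40-character passphrase are constructed sample values, and the 80-bit "reachable by guessing" threshold is an assumption.

```python
import hashlib
import math
import string

# IEEE 802.11i derives the 256-bit Pairwise Master Key (PMK) of a WPA-PSK or
# WPA2-PSK network from the passphrase and SSID alone:
#   PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
# This is the same computation the wpa_passphrase utility performs.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32

# Constructed sample values (not from the original post).
SAMPLE_SSID = "home-net-7731"
SAMPLE_PASSPHRASE = "q7#Lm2vX!p9Rt4Yz&Kw8Bn3Fh^Jd6Gs1Vc5Me0Qa"  # 40 random chars

# Assumed threshold: below this many bits of entropy, offline guessing against a
# captured handshake is plausible; above it, the passphrase is not the weak spot.
DICTIONARY_REACH_BITS = 80


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK exactly as a PSK access point and its clients do."""
    if not (8 <= len(passphrase) <= 63) or not passphrase.isascii():
        raise ValueError("WPA passphrase must be 8..63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly from
    the union of the character classes that actually appear in the passphrase."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    alphabet = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(alphabet)


def assess_psk(passphrase: str, ssid: str) -> dict:
    """Summarise what a PSK network rests on: the PMK and the guessability
    of the passphrase behind it."""
    bits = passphrase_entropy_bits(passphrase)
    return {
        "pmk_hex": derive_pmk(passphrase, ssid).hex(),
        "passphrase_entropy_bits": round(bits, 1),
        # The PMK is 256 bits, so no passphrase buys more than that.
        "effective_key_bits": min(round(bits, 1), 8 * PMK_LEN),
        "dictionary_attack_plausible": bits < DICTIONARY_REACH_BITS,
    }


if __name__ == "__main__":
    for pw, ssid in (("password", "IEEE"), (SAMPLE_PASSPHRASE, SAMPLE_SSID)):
        print(ssid, assess_psk(pw, ssid))
```

The first pair is the published 802.11i test vector, so the derivation can be checked against the standard; the second shows that a 40-character random passphrase already exceeds the 256 bits the PMK can hold.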

I hereby declare my original article on setting up a "secure" wireless network as Dead On Arrival (DOA). It has become rather painfully clear to me that WPA-PSK is completely broken - somehow. Searching Google turns up nothing other than some basic articles utilizing mostly dictionary attacks. Someone, somewhere has figured out how to hack any secured WPA-PSK wireless access point. The only protocol left is WPA2-PSK. And I doubt it too will remain secure if it hasn't already been equally broken. Consider all wireless access points to be huge vulnerabilities in your network.

Thankfully I was sitting in front of my computer when it happened. Then again, I rarely step away from my computer when it is turned on. I noticed that I lost keyboard and application focus three times over the course of two minutes while I was editing a PowerPoint presentation. I was curious after the first time, concerned the second time, and went to fire up Task Manager after the third time. Right before I fired up Task Manager, Internet Explorer started on its own. I don't run IE these days for various reasons - mostly because Firebug exists.

At that point, I knew I had been hacked. I glanced over the applications I had open to memorize what was active and immediately shut down the computer. My data is critical to me and therefore must remain secure and out of the hands of would-be thieves. If the computer is off, the most the enemy would get is a few megabytes. However, the person seemed more interested in dumping additional software on my computer than seeking out my data. Probably to solidify their position on the box.

I happen to keep around a few Rescue and Live CDs for just-in-case scenarios like this. I ran the Rescue disks (F-Secure and BitDefender). As of July 2010, F-Secure has the edge in terms of ease-of-use. BitDefender seems to be lacking on the networking front - it couldn't find my Ethernet cards, so I couldn't get the latest definitions.

I also have a netbook with Ubuntu on it, which I fired up right away and started doing research while the rescue CDs did their thing to find malware on the system. I tried to figure out what I might have done in the previous 24 hours to allow for this to happen. I determined that it was impossible for it to have been me unless the MySQL developer's website was somehow compromised. Then I started thinking of the absurd...and my first thought was my wireless network. I immediately logged into the router, flew to the active wireless network connection list and, lo-and-behold, not five minutes before, someone had gotten onto my wireless network coincidentally around the time my Windows computer had been violated. I foolishly forgot to take a screenshot because my knee-jerk reaction was to shut down the wireless radio. A reasonably wise decision on some level. A screenshot would definitely help the credibility of this blog post but I was in full-on panic mode at the time. I did disconnect the Ethernet cables except the one to the Ubuntu netbook and turned the wireless radio back on for a couple minutes to see if I would get any takers but eventually decided the risk wasn't worth it and shut the radio back down for good. (I also needed to go to the bathroom at that point.) It is also important to note that I'm pretty sure they only had access to my network for a few minutes. I'd probably leave too and not return if I noticed a Linux box come online shortly after I deployed a rootkit and the wireless radio mysteriously vanish shortly after that.

The F-Secure Rescue CD picked up on a backdoor rootkit and a piece of spyware and supposedly eliminated them. BitDefender picked up on my own personally developed software - VerifyMyPC - because it has both registry and file system scanning capabilities. False positive there. Again, as of July 2010 - F-Secure has the lead in building Rescue CDs with solid detection. But apparently that isn't good enough.

I spent the next couple days simply scanning the system with software I trusted - including installing AdAware, which now appears to have a real-time component. Bleh. The rootkit apparently hid itself quite well during the time AdAware was running. I eventually uninstalled it just to see if I was in the clear. It took a couple reboots but the rootkit and all that came with it returned with a vengeance. I shut down the computer again and began my plans for reinstalling Windows.

I knew I was pretty much hosed at that point. Reinstalling an OS is the ONLY way to know that you have truly gotten rid of a rootkit.

By the way, Live CDs of Linux are awesome. I highly recommend burning a copy of the Ubuntu Live CD. It works VERY well for recovering from failed Windows installations. Or environments with rootkits installed. Plus it seems to have every device driver on the planet included, which means networking and pretty much every USB thumbdrive and external hard drive will work right away - so backing up data prior to a reinstall is really easy.

Fortunately, I keep very good backups. Microsoft SyncToy saved my butt. I also eventually started keeping all my core data on a separate hard drive for the just-in-case scenario I need to reinstall Windows. Doing this helps to lessen the painful process.

On the upside, I've been meaning to install Windows 7. So this merely forced the issue of upgrading. Also, during this reinstall, I've made the decision to use as many "portable applications" as possible. I really miss one aspect of the old DOS days where each application was centrally contained in its own directory. Any application that did anything outside of the directory it was installed to was deemed to be a bad application. Windows came along and messed up my beautifully organized world of self-contained applications. With the advent of the USB thumbdrive, some good people have taken it upon themselves to recreate a world of self-contained, well-behaved applications again under Windows. By using portable applications, I have a pretty good chance of easily installing newer versions of Windows in the future.

There are a number of applications I use extensively that I hate reinstalling: Firefox, Thunderbird, Apache, PHP, MySQL, and Visual Studio. Standalone Visual Studio is a pipe-dream. But the others are definitely doable. Firefox and Thunderbird both have "portable" versions. I use both of those more than anything else these days. And the portable versions seem to operate rather well thus far.

At any rate, I'm left wondering what exactly the purpose of dropping a rootkit onto my computer was. I'm also pretty sure that my neighbors aren't intelligent enough to use the hardware and software tools required to hack a "secure" wireless network. But you never know for certain. On top of that, there are several insecure wireless networks in range of my own network. Low-hanging fruit and all that aside, someone put forth effort to gain access to my "secured" wireless network.

Given that my neighbors aren't likely to have done this, it leaves me with two options - rogue government operation or botnet. Let's shave paranoia with Occam's Razor - if the government really wanted to access my computer, there's not much I could do to stop them up front. Which brings me to my question: Is this the next generation of botnet tactics? Growing botnets by seeking out both insecure and secure wireless networks? I'm still not sure how my completely random WPA-PSK key was obtained but, with the processing power of a botnet at one's disposal, I can conceive that it would be possible to hack such networks. Once inside, seek out Windows boxes, expand the network, wash, rinse, repeat. Each new computer on the botnet means that much more processing power, thus shortening access times to keys.

This definitely has the smell of a botnet. Botnet operators are predictable creatures of habit. When they gain access to a new machine or network, they immediately deploy a rootkit on the system (check), deploy spyware/additional tools (check), then start seeing what is on the system that is of value (probably check?), and start transferring things of value (maybe 1MB at most - if that - pretty sure they never got that far). The way the rootkit came back and something started talking again to a remote system really says "botnet" to me. In a sexy, nerdy/geeky sort of way. Interestingly, none of the anti-virus and anti-malware products truly cleaned the system up. Even the Rescue CDs missed whatever was installed, which means unknown, undetectable malware. Even if I had real-time anti-virus software installed, there was a good chance it wouldn't have detected the installation of the malware.

Prior to the installation of Windows, I wiped my BIOS and reinstalled it - I keep a copy of my current system BIOS around as well just-in-case - and also wiped the CMOS settings. It depends on the rootkit, but they occasionally inject themselves into the BIOS. If anything survived all of that, I'll be impressed but slightly annoyed.

My only conclusions are thus: All consumer wireless networks are insecure and running Windows on a wireless access point is just asking for a rootkit and botnet to get installed.

In a future blog post, I will share a solution to this problem that will allow Windows users to safely operate on a wireless access point. Assuming my idea works. Until then, turn off your wireless radio and use Ethernet cables. Data transfer is significantly faster over Ethernet anyway.

6 comments:

  1. Why did you not submit that HDD to Symantec or someone? Data too sensitive?

    If so why not trace the assembly yourself, then submit that rootkit? If you are telling the truth, you could have screwed over a lot of people while the rootkit stayed under the radar.

    You said there was MAC screening, so did the attacker spoof your MAC?

  2. I didn't think about that but my data is my own. I'm not turning it over to anyone.

    Getting malware onto a Windows computer once the network has been compromised is apparently child's-play these days. I've heard that it takes only 30 seconds to compromise a Windows machine remotely. While I love Windows as a desktop OS, I and most businesses don't trust it outside of a hardened firewall. For this reason, a lot of companies put their Wi-Fi network OUTSIDE of their internal network. If you want into the internal network, you have to VPN into it. Businesses know Wi-Fi itself isn't secure. This blog post is just a warning that Wi-Fi may be a LOT less secure than anyone previously thought.

    Spoofing a MAC address is supposedly quite easy to do. The attacker guessed my completely random password of roughly 40 characters in length over WPA-PSK. Current WPA-PSK cracking tools are dictionary attack based yet my network was compromised. This means WPA-PSK has been completely cracked by someone, somewhere, and they aren't publishing the information.

    At any rate, the wireless radio is OFF on all devices. Wired connections only. I've got several hundred feet of Ethernet cable that I wasn't using, so no big deal.

  3. Thanks for your post! Have you since looked into the latest WiFi security options and evaluated them? What do you think of WPA2 w/ MAC address combo security? I suppose even if you were to explore, a crack may exist that would not be published, like what happened the first time this happened to you.

    1. I've modified this article and added a paragraph to the top. It took me almost three years to discover a solution and set me back about $350. I honestly can't recommend any WiFi setup short of WPA2-Enterprise + EAP/TLS for any device that you want to talk to other machines on the network. WPA2-PSK is fine if you isolate all network traffic so it can only travel out to the Internet. No other setup is secure. MAC filtering is very easy to spoof - the attacker merely waits for a device to get onto the network and the MAC address is readily available in the clear over the air. Hiding your SSID is something else some people do as well in the name of security, but hidden SSIDs result in devices constantly broadcasting that they want to connect even when the router isn't in range - potentially allowing an attacker to set up a rogue WiFi hotspot with the same SSID. The tools to crack and sniff WiFi networks are readily available and the users of those tools know all the tricks. The only network they can't break into is an EAP/TLS network because that requires breaking Public Key Infrastructure (PKI) - and a breakage of that magnitude would have far-reaching implications such as eliminating e-commerce (e.g. buying stuff off Amazon, paying with Google Wallet/PayPal, online banking).

  4. Also, what do you recommend for anti-virus and anti-malware security? It's pretty scary considering that malware can be undetectable by most, if not all, security products on the market!

    1. I recommend AdBlock Plus. Malware through ads on trusted websites does happen frequently enough that it is disconcerting. Ads drastically slow down page loads on websites - most sites load within a second or two for me with AdBlock Plus installed.

      I also recommend only visiting trustworthy websites, not opening ANY attachments to e-mails, not letting unknown hardware and people onto the network, and running obscure software in non-standard configurations (e.g. I run Portable Thunderbird instead of Outlook). If I have to open an e-mail attachment and it could be infected with something, I will save it to a temporary directory and then run it through virustotal.com, which gives me a measured level of confidence in the attachment before I open it. How I operate is 50% education and 50% total distrust of pretty much everything out there. Too many bad guys and uneducated folks, not enough good guys.

      I don't run anti-malware software beyond that which comes with Windows (Microsoft Security Essentials). Antivirus/anti-malware software slows down computer hardware to a crawl and since any given piece of anti-malware software only catches 75% to 80% of viruses/malware out there, I don't consider the very significant performance loss to be worth the very rare infestation. In the case of this article, the vector through which my computer was infected was merely a side-effect of the network being accessed remotely over WiFi. If I had been running anti-malware software, my computer would still have been infected anyway. While I know what I'm doing and have tools like VMWare Workstation at my disposal where I can run questionable software in a throwaway VM box in total isolation, I can't recommend my approach to the average user such as yourself. Even using the free version of a product like AVG is better than nothing. If you want to run free of painfully slow anti-malware products, then educate yourself on how malware out there works so you can spot it a mile away and avoid it, therefore installing only the minimal software you need. If necessary, create an isolated network where you can infect a test computer with various malware samples floating around out there to become familiar with what happens (aka a honeypot) - but that is playing with fire and there is a significant temptation there to start writing your own malware.
