need some mac/pc guru help - Virus/Trojan related
docwalker
Registered Users Posts: 1,867 SmugMug Employee
I need some advice or direction to better info.
I have been running PC's for a long time so I have some background with them.
I recently got a mac. I am not really worried about the mac catching a virus at this point. But, I had a recent event that makes me scratch my head as to what I was seeing.
I was working on a PC at one of the sites I manage doing updates and such. I also had my MacBook Pro open showing the guys at the site some of its features. When I had the dashboard open I noticed a weird connection show up in the airport network finder widget. Under the wireless network name that I was connected to, popped up "Trojan Virus Downloader" as an available network.
The wireless network I was connected to is a Linksys unit with firewall built in and active. The PC is hard wired to the WAP/LAN box and has the latest Norton AV/Internet Security updates. There is no other wireless network active in the area. It is very rural so I am pretty positive of this. I checked the PC and ran a virus and security scan on it. It ran fine with no indications of problems.
I am really confused at this point. I am not worried about the mac but seeing this new connection pop up makes me worry about the security of the WAP. I am wondering if it is time to get a new WAP with newer firewall technology or do another firmware upgrade to it. I thought it was up to date. At any rate, it should not be generating a second network connection. I did not think that was possible. I may be wrong.
Has anyone seen anything like this or know where I might seek more info.
It is a weird problem as I saw the problem on a mac but the problem appears to be more related to the WAP or the PC. Go figure that the PC might be the source.
The mac is set up to always ask me before making connections.
SmugMug Support Hero
http://help.smugmug.com
Comments
As for the rest of your question, I'll leave that to those more expert than me.
Dgrin FAQ | Me | Workshops
The thing to do would be to run a proper WiFi scanner (such as KisMAC) on your Mac and see what it tells about the network. In particular, the MAC (not Mac, and KisMAC lists it as the BSSID address) address of the broadcasting device can tell who manufactures the device, as the first six digits are internationally registered. Once you've got the MAC address, you can look up the vendor (http://coffer.com/mac_find/) and find out what device is actually broadcasting it. Keep in mind that some routers can broadcast multiple WiFi networks, and personal computers can be configured to do so also.
As for someone spoofing the address... I really really doubt it due to the location.
I will turn on MAC address filtering in addition to the normal password security on the WAP and see if it goes away.
http://help.smugmug.com
That does not appear to have anything to do with your WAP. "Available networks" means the WAPs owned by other people broadcasting in the neighborhood. Anyone can change the name of their WAP to anything they want. Someone simply named their network "Trojan Virus Downloader" probably as a joke. Usually, the reverse is the problem: people who name theirs with an official-sounding name to lure in victims looking for free wi-fi. You could rename yours "White House" or "KGB" and that's how it would show up on your neighbors' laptops.
The reason your WAP is not involved is that the "Available Networks" list is not going through your WAP. It's being received by your laptop antenna. Turn off your WAP and see. It's as if your local TV station decided to call themselves "WBAD" or "KSUX" - you can't use your TV to stop them from broadcasting, but you can choose not to tune in.
I got to the site and fired up kismac. It actually picked up 2 weak signals in addition to the one I run. The mac has a better antenna so it was picking up signals that my WAP was not catching.
One of the networks is secure. I have a feeling that it is one of the young girls that lives nearby that has a laptop. The SSID pretty much confirms this. I think she may be using a school issued computer and probably secured by the school network admin.
The Trojan Virus Downloader was unsecure and running on channel 6.
I decided to completely redo our wap site security. I updated the firmware, reset the admin password, reset the WPA password, turned off the SSID broadcast, set the WAP channel to 11, and turned on MAC address filtering. I have added the laptops that I know and trust to the MAC list.
Hopefully all of this will help secure the site.
As for my mac laptop, I downloaded Little Snitch. I am going to get in a habit of firing up kismac occasionally to check to see if any new waps popup in my area.
http://help.smugmug.com
Only two things could cause this to appear in the list of available networks (for all intents and purposes); a virus on *your* personal machine, or somebody else broadcasting another network named "Trojan Virus Downloader". The fact that it only appeared for a few seconds is a strong indication of weak signal strength, so I'm still sticking with the theory that somebody else has a WiFi network within range. It's a great name for a network - nobody in their right mind would connect to it who hasn't read up on 802.11.
Unless the location's at least 1/2 mile away from any other buildings or roads, and 5-7 miles away from any major city centers or public buildings, I wouldn't count on being out of range of somebody else's WiFi. With the proper equipment, WiFi has some serious range. Not to mention it may have been somebody with a car-based network, like my boss and myself use. Clearwire + WAP + AC inverter = portable broadband.
Edit: I just saw your response above - what were the BSSID MAC addresses of the other WAPs?
Well, it would be her WAP that's secured. It would be hard to determine how secure the laptop behind the WAP is.
Wow, that's almost exactly how mine's set up!
Although technically, if someone can get past the WPA, all the rest is easy to smash through. Not for me, I don't have the knowledge, but MAC addresses can be detected then spoofed, and hidden SSIDs are easily detected as you know. But I hide mine anyway. The one strong part is the WPA encryption.
The one weakness with WPA is the password itself. As long as yours is a long password that is not easily guessable or available in a dictionary, you are safe. The encryption itself is practically unbreakable on today's computers, but if a hacker can dictionary-attack an easy password like "nikon", they don't need to break the encryption.
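The point made in the comment above, that the passphrase rather than the cipher is what gets attacked, can be shown directly. This is an added example, not code from anyone in this thread. WPA-PSK derives its 256-bit master key as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); anyone who has captured a handshake can recompute that for guessed passphrases offline. The SSID "ruralsite", the passphrases and the word list are all constructed for the example; the only real data is the IEEE 802.11i test vector used as a self-check.

```python
"""Added example (not from the thread): WPA passphrase -> PSK derivation,
an offline dictionary attack against it, and a passphrase check.

The SSID, passphrases and SAMPLE_WORDS below are constructed for this
example. The 'password'/'IEEE' vector is the published 802.11i test value.
"""
import hashlib


def wpa_psk(passphrase, ssid):
    """WPA/WPA2 passphrase-to-PSK mapping. Passphrases are 8..63 ASCII chars;
    the SSID is the PBKDF2 salt, which is why precomputed tables are
    per-SSID and a unique SSID defeats them (but not a live guess loop)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def candidates(words):
    """Simple mangling rules of the kind a cracking tool applies: the word
    itself, capitalised, and with common digit suffixes. Guesses shorter than
    the WPA minimum are skipped because no router would have accepted them."""
    for w in words:
        for guess in (w, w.capitalize(), w + "1", w + "123", w + "2008"):
            if 8 <= len(guess) <= 63:
                yield guess


def dictionary_attack(target_psk, ssid, words):
    """Recompute the PSK for each guess; return (passphrase, guesses_tried)
    on a hit or (None, guesses_tried) when the list is exhausted."""
    tried = 0
    for guess in candidates(words):
        tried += 1
        if wpa_psk(guess, ssid) == target_psk:
            return guess, tried
    return None, tried


def passphrase_ok(passphrase, words, min_len=20):
    """Reject anything short, or a dictionary word with digits tacked on.
    Long is the property that matters; PBKDF2 only slows each guess down."""
    core = passphrase.lower().rstrip("0123456789!")
    return len(passphrase) >= min_len and core not in words


def ieee_test_vector_ok():
    """Published 802.11i vector: passphrase 'password', SSID 'IEEE'."""
    expected = bytes.fromhex(
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
    return wpa_psk("password", "IEEE") == expected


# Constructed word list: a few camera and router words plus the usual suspects.
SAMPLE_WORDS = ["password", "linksys", "canon", "nikon", "sunshine"]

if __name__ == "__main__":
    ssid = "ruralsite"  # constructed SSID
    assert ieee_test_vector_ok()
    weak = wpa_psk("nikon123", ssid)    # short word + digits, constructed
    print("weak passphrase:", dictionary_attack(weak, ssid, SAMPLE_WORDS))
    strong = wpa_psk("Correct-Horse-Battery-Staple-Tripod", ssid)
    print("long passphrase:", dictionary_attack(strong, ssid, SAMPLE_WORDS))
    print("passphrase_ok('nikon123'):",
          passphrase_ok("nikon123", SAMPLE_WORDS))
```

Run against the constructed list, "nikon123" is recovered on the eleventh guess while the long phrase survives the whole list; a real attacker has millions of words and rule sets, so the only defence that scales is passphrase length, exactly as the comment says.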
The other was the trojan virus downloader wap itself.
The good thing is that the mac address of both sites showed up in kismac. So it is possible that I can track down who it is. There are not that many houses close by and I could possibly talk to them to find out who it is. I can even do a little war driving to find the strongest signal and narrow down the possibilities.
The reason why I am skeptical about this is that this is a very rural area, it is very hilly, and there are not that many people around here that are computer users.
http://help.smugmug.com
Actually most LAN devices (ie laptop wireless cards) can transmit the SSID and MAC info if it is allowed. I know this as both my wife's school mac can do this (turned it off as soon as I found it) and my partner's computer tonight showed up when we set his MAC address on the WAP. So I am pretty sure that it is her laptop that I am seeing. It is possible that it is her WAP site that is the Trojan Virus Downloader that has been corrupted. I am betting that if it is she/her parents have no clue that it is happening.
http://help.smugmug.com
KisMAC reports the BSSID (not SSID) as a MAC address; the only personally identifiable information provided by that is the brand of the networking device itself (be it WAP or WiFi card in ad-hoc mode) and a partial serial number which is not published by the manufacturer, which can be spoofed or changed on almost all equipment... Not exactly traceable
Anywho, my whole point with that suggestion was to determine the manufacturer of the device itself so you could definitively figure out who it was.
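The BSSID lookup suggested earlier in the thread (find the vendor from the first three octets of the MAC address) and the caveat just above (the address can be set in software, so it is not traceable) can both be checked mechanically. Below is an added example, not code from the thread or from KisMAC: it parses a constructed scan export in the form SSID,BSSID,channel,encryption, extracts the OUI, looks it up in a small vendor table, and flags open networks and locally administered addresses. The three OUI entries are an illustrative sample only; a real lookup should go to the IEEE registry or the coffer.com page linked above.

```python
"""Added example (not from the thread or KisMAC): annotate scanned
networks with the vendor prefix of each BSSID and flag the ones that
deserve a second look.

SAMPLE_SCAN and SAMPLE_OUI_TABLE are constructed for this example; the
OUI entries are illustrative, consult the IEEE registry for real lookups.
"""
import re

# Constructed sample of OUI -> vendor entries (assumption: illustrative only).
SAMPLE_OUI_TABLE = {
    "00:13:10": "Cisco-Linksys",
    "00:18:39": "Cisco-Linksys",
    "00:1E:C2": "Apple",
}

# Constructed scan export, one network per line: SSID,BSSID,channel,encryption
SAMPLE_SCAN = """\
FarmOffice,00:13:10:AA:BB:CC,11,WPA
Trojan Virus Downloader,00:18:39:12:34:56,6,NONE
schoollaptop,02:1E:C2:99:88:77,1,WPA
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}$")


def normalize_mac(mac):
    """Return the address upper-case and colon-separated, or raise."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return mac.upper().replace("-", ":")


def oui(mac):
    """First three octets: the IEEE-assigned vendor prefix."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was chosen in software
    (ad-hoc or virtual AP, or a deliberate spoof), so the OUI says nothing
    reliable about the hardware behind it."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def lookup_vendor(mac, table=SAMPLE_OUI_TABLE):
    return table.get(oui(mac), "unknown")


def analyze_scan(text, table=SAMPLE_OUI_TABLE):
    """Parse SSID,BSSID,channel,encryption lines and annotate each network.
    SSIDs may themselves contain commas, so the split is done from the right."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, channel, enc = (f.strip() for f in line.rsplit(",", 3))
        entry = {
            "ssid": ssid,
            "bssid": normalize_mac(bssid),
            "channel": int(channel),
            "open": enc.upper() in ("NONE", "OPEN", ""),
            "vendor": lookup_vendor(bssid, table),
            "locally_administered": is_locally_administered(bssid),
            "flags": [],
        }
        if entry["open"]:
            entry["flags"].append("open network")
        if entry["locally_administered"]:
            entry["flags"].append("locally administered address, OUI not trustworthy")
        elif entry["vendor"] == "unknown":
            entry["flags"].append("OUI not in table")
        results.append(entry)
    return results


if __name__ == "__main__":
    for n in analyze_scan(SAMPLE_SCAN):
        print("%-24s %s ch%-2d %-14s %s" % (n["ssid"], n["bssid"], n["channel"],
                                           n["vendor"], "; ".join(n["flags"])))
```

On the constructed data the open "Trojan Virus Downloader" network resolves to a Linksys prefix, which narrows the hardware down but, as the comment above says, identifies nobody; the third entry shows the other case, an address with the locally administered bit set, where the vendor lookup should simply be ignored.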
This brings up a great chance to meet the neighbors. I've actually done this in a past apartment complex I lived in... we took a wireless notebook and walked the halls until we found the area with the strongest signal, figured it was one of the four units we were between, then looked on the mail box and saw that one of them the last name happened to match the ssid of one of two wireless networks we could see that had the same mac address on the base station. The following saturday two of us knocked on the door and said "Hi, we live in the building in 5C and 4B... you have a wireless network that is infected and is trying to infect our machines. Can we help you fix that?" They were non computer folks, barely understood the basics, but had managed to get their windows machine to share their cable modem connection over the wifi to get their laptop online... only to then have the windows machine get pawned because it had no security at all, and was left on 24x7. "You know, it has been behaving weird..." Yeah.... because it's got a dozen different programs running in the background trying to break into other machines. Great way to make friends in the neighborhood. Mind you, in our case we were pretty DARN sure it was them, and a quick test of sitting in their living room with a trace running and watching the attacks come across the network, then stopping completely the minute we unplugged their windows box from the wifi base station convinced everyone.
http://wall-art.smugmug.com/
I see what you were saying now. Sorry about that. As I was typing last night I was a little distracted. We were having the little ice storm last night and medical calls were coming in 1 after another. I was working on the computers and watching the weather sites at the same time. You are correct, the SSID was the really unique part that I was worried about.
I checked the BSSID and from what I found it is one of the linksys wireless cards. I think that is correct because at one point I remember kismac actually listed linksys as the manufacturer in the more info tab. I had to restart it several times as I changed settings and tested the security.
At this point it is not a big deal. My WAP is now locked down. The other users of the wap site have been warned about the other networks. I have started adding their MAC addresses to the WAP only after I have checked to make sure they are running current AV/Security software.
This was a good exercise. I plan on checking a few other wap sites that I am involved in to see if anything has changed with them as well.
http://help.smugmug.com