One-of-the-most-destructive-botnets-can-now-spread-to-nearby-wi-fi-networks


#1

After successfully gaining access to a new Wi-Fi network, the infected device enumerates all non-hidden devices that are connected to it. Using a second password list, the malware then tries to guess credentials for each user connected to the drive. In the event that no connected users are infected, the malware tries to guess the password for the administrator of the shared resource.

One aspect of the new Wi-Fi spreader is out of keeping with Emotet’s usual penchant for stealth of sophistication. The module uses unencrypted connections to communicate with attacker-controlled servers. That makes it easy to detect patterns in traffic that people can use to detect infections. The malware can also be detected through active monitoring of connected devices for new services being installed and watching for any processes or services running from temporary files and user profile application data folders. The Binary Defense post provides other indicators of compromise.

so this can happen on linux or just m$w based ?


#2

I believe the wlanAPI is a Windows thing. Likewise the attempt to spread via the administrator password suggests Windows. So my guess would be “Windows”.

However the concept of the spreading works just as well on Linux as on Windows - and if you use default or weak passwords, it will work just as well.

The only minor benefit on Linux might be that a normal (no root access) user may not be able to scan for other networks. For single user Linux computers the user almost certainly does have root access i.e. you administer the computer yourself. On my computer the scan at least worked anyway.

So never ever use default passwords - and don’t use weak passwords (for example it can be good to download a list of weak passwords that intruders will automatically try and check your own passwords against the list if you don’t just use a long random password generator).


#3

it’s called cracklib and is part of standard PAM (password policy enforcement) in addition to library api. Of course if app does not rely on pam it needs to use cracklib explicitly to verify for weak passwords.


#4

yes, that list keeps growing each day … unfortunately

more awareness is required for a true-random password generator that is ALSO ohw/free-sw based - the Librem key is a good example no ?


#5

And those lists are gigantic. That’s what Ctrl+F is for, but still. They’re huge.


#6

openssl rand -base64 21

or

tr -dc A-Za-z0-9 </dev/random | head -c10 ; echo

Adjust those to your requirements …

Whether that’s open hardware depends on your hardware configuration / which computer you execute it on. I believe that the Librem Key has a built-in low bandwidth hardware source of true randomness. For most people, the hardware source will come with a requirement for an element of trust - whether that’s an ARM CPU, an Intel CPU or an external device.


#7

just noticed that the gnome-front-end package responsible for connecting through ethernet(wire) is not present in the debian-bullseye … is it the same in PureOS ?

it’s like the developers are all connecting through the wifi instead of a cable …

luckily the stable still has it …


#8

I only use wifi on my home lan, games, tv streams, hackers can at worst use my netfluxhbo or Hulu or play a game on my steam.
For my work phone I use Work Lan over point to point loneof site data transfer.
More complicated to use but Lab is always safer the wireless, based on my experience.

Regards, Alex