A yet-unseen malware variant dubbed “Typhoid adware” could allow cyberattackers to prey on portable computer users tethered to unsecured WiFi connections at Internet cafes and other public places.
This potential threat is lurking wherever consumers gather to use free Internet access points. The hidden new threat has none of the tell-tale symptoms of traditional infections, and it functions as a twist on the notorious “Man-in-the-middle” vulnerability, according to a team of computer science researchers at Canada’s University of Calgary.
The researchers named the threat after Typhoid Mary, the typhoid fever carrier who spread the disease to dozens of people in the New York area in the early 1900s.
Adware is software code that users inadvertently allow into their computers when they download infected files like fancy toolbars or free screen savers or when they visit infected Web sites. Typhoid adware needs a wireless Internet cafe or other areas where users share a non-encrypted wireless connection.
“We’ve not yet seen it in the wild. But it is something we are expecting to see. The reason is so many people bring their computers to centralized wireless locations. The bad guys are interested in making money, so centralized locations are a great opportunity for them,” John Aycock, associate professor in the computer science department at the University of Calgary, told TechNewsWorld.
Speculative Origins
His research team devised the concept behind the Typhoid adware attack as part of a proactive computer security study, said Aycock.
“We try to figure out what the bad guys are going to do before we see it in the wild,” he said. It is a proof-of-concept malware that has not yet been found in the wild. But the potential for use is very likely.
Aycock coauthored a paper on the so-called Typhoid adware threat with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin. The paper demonstrates how Typhoid adware works and presents defenses against such attacks. In May, de Castro presented it at the EICAR conference in Paris, a conference devoted to IT security.
What It Does
Typhoid adware tricks nearby computers into accepting an unknown host computer as the legitimate WiFi connection. The host computer then delivers annoying ads to the phony network of victim laptops.
Typically, adware authors install their software on as many machines as possible. But Typhoid adware comes from another person’s computer and convinces other laptops to communicate with it and not the legitimate access point, Aycock explained.
Then the Typhoid adware automatically inserts advertisements in videos and Web pages on the other computers. Meanwhile, the owner of the infected host computer does not see any of the ads and thus does not know the computer is infected.
Why worry about ads sent from one laptop to another? Ads are annoying, but they can also advertise rogue antivirus software that is harmful to the user’s computer. That makes ads the tip of the iceberg, Aycock warned.
Not So Fast
Not all security researchers are convinced that Aycock’s fears about an imminent Typhoid adware outbreak are justified.
“About 90 percent of viruses, worms, and malware were proof of concept and never made it into the wild,” Tracy Hulver, executive vice president for products and marketing at netForensics, told TechNewsWorld.
While not a new concept, the premise behind the Typhoid adware attack gives us a good reason not to use public WiFi connections, noted Catalin Cosoi, lead online researcher for Bit Defender.
“There probably will be some attempt by hackers to use Typhoid. But as it is now, I don’t see any big threats from it,” Cosoi told TechNewsWorld.
Linux Users Beware
If attackers took advantage of the Typhoid adware’s potential, the usual division between Linux security and Windows vulnerability would no longer apply: the tools used to develop the proof of concept are part of an open-source Linux package called “Dsniff,” according to Chet Wisniewski, senior security advisor at Sophos.
“The concept is interesting. If it were developed a bit more, it could pose a nasty threat,” Wisniewski told TechNewsWorld.
The Dsniff package, written by Dug Song, is a packet sniffer and set of traffic analysis tools. The tool decodes passwords sent in clear text across a switched or unswitched Ethernet network.
Similar tools are not available for a Windows host, so the attacker would have to be a Linux user. But Windows boxes nearby would be at risk of receiving ads, said Wisniewski, an avid Linux user.
Tricky Typhoid
The Typhoid adware threat, if it becomes one, presents a different situation for defenders. It also gives attackers a different business model.
“Protecting against Typhoid is a bit tricky because of the way it works. Normally if you have an adware infection, you would see a bunch of ads popping up, and you would know something is there. Typhoid adware is different and a lot sneakier,” said Aycock.
Instead of showing ads on the computer where it is installed, Typhoid shows ads on computers that are around it by hijacking their Internet connections, he explained. That makes it challenging to convince computer users they have a problem.
If you are seeing the ads, you don’t have anything to detect. If you are not seeing any ads, you might find it hard to believe that you have something on your computer.
Typhoid Defenses
Typhoid adware is designed for public places where people bring their laptops, noted Aycock. It is far more covert and displays advertisements on computers that do not have the adware installed, not the ones that do.
“No good defensive solutions have been proposed. Each suggested solution has a downside,” warned Cosoi.
Laziness could work against Typhoid — having to sit near other computer users to push the infection may limit the need for defenses, he suggested. Other kinds of attacks are available that provide far greater results a lot easier.
Proactive Fighting
Aycock and his fellow researchers have devised a few defenses against Typhoid adware. One way is to protect the content of videos to ensure that what users see comes from the original source. Another way is to make laptops recognize that they are at an Internet cafe so they will be more suspicious of contact from other computers.
A proactive approach to security involves having the laptop look for signs of a hijack in a public location, according to Aycock. An analogy is that when you are home, you know you are safe. If you go outside, you know you have to be more cautious. But computers don’t have that same sense.
Another approach is to target computers that might have something like Typhoid on them. That goes back to protections like traditional antivirus software, he noted.
Switchable Options
So far, Aycock’s researchers succeeded in implementing a type of software switch. It warns a laptop with an active WiFi connection to be less trusting of what other computers connected to its Internet connection are telling it.
“This is something that we’ve been able to do in the lab. This isn’t something for regular users at this point,” said Aycock.
The defensive switch has to be incorporated into regular antivirus software protections. It could also be integrated into the laptop’s firewall software, he said.
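The two defenses described above (verifying that content comes from the original source, and a “switch” that makes a laptop less trusting on a public network) can be sketched in code. The following is an added example, not code from the Calgary paper or from the article; the ARP-reply log lines, the page bodies and the published digest are constructed sample data, and the digest stands in as an assumed out-of-band commitment by the publisher rather than the paper’s actual content-protection scheme. The gateway check flags a second MAC address answering for the gateway’s IP, which is the typical trace left when another host on a shared, unencrypted WiFi network inserts itself between a laptop and the real access point.

```python
import hashlib
import re

# Constructed ARP-reply log lines in a tcpdump-like shape (sample data, not a
# real capture): the gateway answers with one MAC, a client answers, and then a
# second machine starts answering for the gateway's address.
SAMPLE_ARP_LOG = """\
10:01:02 ARP Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:01:05 ARP Reply 192.168.1.42 is-at aa:bb:cc:00:00:42
10:01:09 ARP Reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:01:11 ARP Reply 192.168.1.1 is-at de:ad:be:ef:00:99
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at (?P<mac>[0-9a-f:]{17})$",
    re.IGNORECASE,
)


def parse_arp_replies(log_text):
    """Yield (timestamp, ip, mac) for every ARP-reply line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ARP_REPLY_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_gateway_conflicts(log_text, gateway_ip, trusted_mac=None):
    """Report every ARP reply that claims the gateway IP with an unexpected MAC.

    The expected MAC is either one pinned from a known-good session (trusted_mac)
    or, if none is supplied, the first MAC seen for the gateway in this capture.
    """
    pinned = trusted_mac.lower() if trusted_mac else None
    alerts = []
    for ts, ip, mac in parse_arp_replies(log_text):
        if ip != gateway_ip:
            continue
        if pinned is None:
            pinned = mac  # first answer becomes the baseline for this session
        elif mac != pinned:
            alerts.append({"ts": ts, "expected": pinned, "seen": mac})
    return alerts


# Constructed page bodies: the publisher's original and the same page after an
# on-path host has injected an ad. PUBLISHED_DIGEST is an assumed stand-in for a
# digest the publisher would distribute separately from the page itself.
ORIGINAL_PAGE = b"<html><body><video src='clip.mp4'></video></body></html>"
INJECTED_PAGE = ORIGINAL_PAGE.replace(
    b"</body>", b"<div class='injected-ad'>Your PC is infected! Click here.</div></body>"
)
PUBLISHED_DIGEST = hashlib.sha256(ORIGINAL_PAGE).hexdigest()


def verify_content(body, published_digest):
    """True only if the bytes received match the digest the publisher committed to."""
    return hashlib.sha256(body).hexdigest() == published_digest


def should_render(body, published_digest, untrusted_network):
    """The 'software switch': at home, render as usual; on a public network,
    refuse anything whose digest does not match the published one."""
    if not untrusted_network:
        return True
    return verify_content(body, published_digest)


if __name__ == "__main__":
    for a in detect_gateway_conflicts(SAMPLE_ARP_LOG, "192.168.1.1"):
        print(f"{a['ts']} gateway MAC changed: expected {a['expected']}, saw {a['seen']}")
    print("original page renders:", should_render(ORIGINAL_PAGE, PUBLISHED_DIGEST, True))
    print("injected page renders:", should_render(INJECTED_PAGE, PUBLISHED_DIGEST, True))
```

Run as a script, the gateway check prints the two replies in which a second MAC answers for 192.168.1.1, the unmodified page is allowed, and the page with the injected ad is refused. Pinning the gateway MAC from a known-good session (the `trusted_mac` argument) is stricter than trusting the first answer seen, since on a hostile network the first answer may already be the impostor’s; that is the kind of trade-off Cosoi refers to when he notes that each proposed defense has a downside.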
Much of the process for getting a Typhoid defense into play is a wait-and-see process. It starts with getting the vendors interested.
“That’s one reason we did the paper and presented it at the conference. The audience was a mix of academia and industry. So it is a good venue to advertise this work to those people,” said Aycock.
I’ve been fighting this thing for 5 weeks straight. It has wrecked my home systems and I’m concerned that its subversive nature and quick mutation keep it easily unnoticed. I will warn you, do not attack this thing with your normal array of standard AV, it will only perceive you as a threat. At that point the AI is difficult enough to overcome, not to mention the net remote access it has set up in your Dbus and IO modules. This thing is nasty, embeds itself in L1 cache on every duo core I have, associates bluetooth, wireless, tele, IM, anything you have installed and whatever it brings in. Fake key gens, privilege modification, this thing actually can power a wifi card (intel 5300 a/b/g) from CMOS, you can pull the battery, shutdown, whatever but until you physically remove the transmitters and medium you can expect problems. The thing is so sticky, I’m not convinced it doesn’t modulate and transmit via AC infrastructure. I know, it sounds crazy, believe me my credibility has suffered in trying to explain this one to people. If you know what’s good for you, wait for a pro fix, otherwise you will be learning 16-bit DOS embed hacks, Unix/Linux/Windows/Mac file system morphs, all OS permission hacks, string translator pipes 30+ folders deep, and invisible NTVDMs. Good luck if you meet this monster, you will need it.