“Free Internet Access” “Free Public WiFi” The Viral SSID

Written by Rohit Srivastwa on November 8, 2008 – 12:48 am

Ever wondered what this “Free Public WiFi” or “Free Internet Access” wireless network is that shows up in so many places?

Free public wifi

These are known as viral SSIDs. Don’t expect them to give you free access to the internet :)

Is it a virus? Why doesn’t my antivirus detect it?
It’s not a computer virus of the kind an antivirus will detect, but it is still called a “viral SSID” because it spreads like a virus.

What is Viral SSID?
Just as a virus spreads from an infected computer to a healthy one, a viral SSID spreads from one infected wireless-enabled computer to another. That is why a viral SSID is the network name of an ad-hoc (laptop-to-laptop) network. Look carefully at the icon next to it in the window.

Ad Hoc Network

How does this Viral SSID Spread?
The culprit here is the “Wireless auto configuration utility” of Windows.

Whenever a user connects to a wireless network, its SSID is added to a list of known network names called the Preferred Network List (PNL). This list includes any viral SSIDs the user may have connected to (out of greed :P). In fact, a user need not manually connect to a viral SSID for it to be added to the list: certain auto-configuration utilities have an option to connect to any network in the vicinity, whether it is ad-hoc or of the infrastructure type.

When the user moves to a different location and starts the computer, the wireless auto configuration utility tries to look for the SSIDs stored in the PNL. When it doesn’t find any infrastructure networks mentioned in this list, it starts looking for ad-hoc networks stored in the PNL. If it finds one, it connects to the host displaying the corresponding SSID. However, if it does not, it becomes the first node of that ad-hoc network and starts showing the viral SSID.

If an unsuspecting healthy laptop is searching for wireless networks in the vicinity, it will see the advertised viral SSID in its list. If the laptop is configured to “Connect to any wireless network” as it comes in range, it will attach itself to that network. The connection can also be made when an unsuspecting user manually connects to an advertised viral SSID. As soon as this connection is made, the viral SSID appears in the PNL of the healthy laptop, which is thus infected.

Why tempting names such as “free internet access”?
This phenomenon of viral SSIDs started with generic names such as “default” or “<vendor name>”, where the same SSID was in use in infrastructure mode (access point) as well as ad-hoc mode (peer to peer).

These lucratively named viral SSIDs could have been created deliberately, with malicious intent, by attackers who knew that clients would be tempted to connect to such an SSID if they didn’t find any infrastructure network. It’s a kind of social engineering that attracts the victims.

Should someone worry?
The answer is yes. If your machine is searching for a viral SSID, an attacker may have set up his/her machine to advertise that viral SSID and connect to your machine. The same is true if your machine is advertising it. Once the connection is made, the attacker can use various means to attack your computer and get the information he/she requires.

The mildest form of attack could be stealing information from your hard disk. The attacker can also become a man-in-the-middle routing all your Internet traffic through itself and observing/modifying all your data. Your passwords can also be stolen in this way.

So how to protect yourself?

(a) First and foremost, avoid the temptation to connect to such networks; no one is giving you free internet there.
(b) Disable auto-connection or advertisement for ad-hoc networks in your wireless auto configuration utility.
(c) In Windows XP, ensure that you have selected “Access point (infrastructure) network only” in the “Advanced” configuration of Wireless Network Connection Properties.
(d) If you ever do connect to such a network (even by mistake), clear it from your PNL.
(e) If you need to connect to a peer device, make sure of the identity of that peer device before connecting.
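
The spread described under “How does this Viral SSID Spread?” and the effect of steps (c) and (d) can be modelled in a short simulation. This is an added example, not part of the original post: the `Laptop` class, its option names and the sample laptops A to D are constructed for illustration, and the position of the “connect to any network” step in the sequence is an assumption.

```python
from dataclasses import dataclass, field
VIRAL = "Free Public WiFi"

@dataclass
class Laptop:
    name: str
    pnl: list = field(default_factory=list)  # Preferred Network List: (ssid, "infra"|"adhoc")
    connect_any: bool = False   # option: connect to any wireless network in range
    infra_only: bool = False    # option: "Access point (infrastructure) network only"
    advertising: str = ""       # ad-hoc SSID this laptop is currently advertising

    def power_on(self, infra_seen, adhoc_seen):
        """One pass of the auto-configuration logic as the article describes it."""
        self.advertising = ""
        if any(m == "infra" and s in infra_seen for s, m in self.pnl):
            return "joined infrastructure"          # 1. a preferred AP is in range
        if self.infra_only:
            return "idle"                           # mitigation (c): ad-hoc never used
        if any(m == "adhoc" and s in adhoc_seen for s, m in self.pnl):
            return "joined ad-hoc"                  # 2. a preferred ad-hoc net is in range
        if self.connect_any and adhoc_seen:
            self.pnl.append((sorted(adhoc_seen)[0], "adhoc"))  # SSID is now remembered
            return "joined ad-hoc"
        mine = [s for s, m in self.pnl if m == "adhoc"]
        if mine:                                    # 3. nothing found: become first node
            self.advertising = mine[0]
            return "advertising"
        return "idle"

    def forget(self, ssid):                         # mitigation (d): clear it from the PNL
        self.pnl = [(s, m) for s, m in self.pnl if s != ssid]

def simulate(laptops, visits):
    """visits: groups of laptop names powering on, in order, with no known AP in range."""
    by_name = {lap.name: lap for lap in laptops}
    for group in visits:
        on_air = set()                              # ad-hoc SSIDs advertised at this place
        for lap in (by_name[n] for n in group):
            lap.power_on(set(), on_air)
            if lap.advertising:
                on_air.add(lap.advertising)
    return sorted(lap.name for lap in laptops if (VIRAL, "adhoc") in lap.pnl)

def fleet():                                        # constructed sample laptops
    return [Laptop("A", [(VIRAL, "adhoc")]), Laptop("B", connect_any=True),
            Laptop("C", connect_any=True), Laptop("D", connect_any=True, infra_only=True)]

if __name__ == "__main__":
    print(simulate(fleet(), [["A", "B"], ["B", "C", "D"]]))  # laptops holding the viral SSID
```

Laptop A never meets C, yet C ends up carrying the SSID because B picks it up at the first location and advertises it at the second; D, restricted to infrastructure networks, stays clean.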

Posted under General, Tips & Tricks, Wireless