mood
Posted January 5, 2021

Malware uses WiFi BSSID for victim identification

Malware authors are using the WiFi AP MAC address (also known as the BSSID) as a way to geo-locate infected hosts.

Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location. While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer.

However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first.

This second technique relies on grabbing the infected user's BSSID. Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi.

You can see the BSSID on Windows systems by running the command:

    netsh wlan show interfaces | find "BSSID"

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov. This database is a collection of known BSSIDs and the last geographical location they've been spotted at.

These types of databases are quite common these days and are usually used by mobile app operators as alternative ways to track users when they can't get access to a phone's location data directly (i.e., see WiGLE, one of the most popular services used for these types of BSSID-to-geo conversions).
Checking the BSSID against Mylnikov's database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the internet, which is a far more accurate way of discovering a victim's geographical position. Using both methods together allows malware operators to confirm that the initial IP-based geolocation query is correct with the second BSSID method.

Malware operators usually check for a victim's location because some groups want to make victims only inside specific countries (such as state-sponsored operations) or they don't want to infect victims in their native country (in order to avoid drawing the attention of local law enforcement and to avoid prosecution).

However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market. This results in some IP blocks being assigned to different organizations in other regions of the globe from their initial/actual owner.

Using a second method to double-check a victim's geographical location isn't widely adopted today, but the technique has clear benefits that other malware operations will surely appreciate and decide to use in the future as well.

Source: Malware uses WiFi BSSID for victim identification
aum
Posted January 5, 2021

This malware uses a crafty new technique to establish the location of victims

A new form of malware that grabs and queries the MAC address of the wireless router in a bid to geo-locate its victim's machine more accurately has been discovered.

Most malware usually just grabs and checks the IP address of its targets against GeoIP databases to determine their location. However, the new sample, analyzed by Xavier Mertens from the SANS Internet Storm Center, performs an additional query. It first extracts the Basic Service Set Identifier or BSSID of the WiFi router that a user is connected to, and then queries it against a free BSSID-to-geo database to better determine the location of the victim's computer.

Cat and mouse

As per Mertens' analysis, the malware first used the icanhazip.com database to get the appropriate location based on the IP address. It then submits the BSSID to a free BSSID-to-geo service maintained by one Alexander Mylnikov.

According to Mylnikov, his database has over 34 million BSSIDs along with their last known geographical location. He also demonstrates on his website how the information retrieved from his database can be visualized on a map.

As Mertens notes in his analysis, malware operators want to determine the location of their victims to ensure they don't infect computers in their own country, and also when they want to target victims in specific countries.

Relying solely on IP-to-Geo databases doesn't always yield accurate results. However, when combined with the novel approach of querying BSSIDs, it will lead to a far more accurate determination of the victim's geographical location.

While this combination of double-checking a victim's location isn't widely adopted, according to the report, it might just be a matter of time.

Source
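The two-stage behaviour described in both posts (an IP-echo lookup, `netsh wlan show interfaces` to read the BSSID, then a BSSID-to-geo lookup) leaves a recognisable trace in endpoint telemetry. The hunting logic below is an added example, not code from either article or from Mertens' analysis; it runs over constructed Sysmon-style events (process-create and DNS-query records as JSON lines, not real telemetry), and the BSSID lookup host is a placeholder domain, not the real service.

```python
import json
from datetime import datetime, timedelta

# Parents from which a person normally runs netsh at a console; other parents are worth a look.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
# icanhazip.com is named in the analysis above; the second host is a constructed placeholder
# standing in for the BSSID-to-geo lookup service, not its real domain.
GEO_LOOKUP_DOMAINS = {"icanhazip.com", "bssid-geo-lookup.example"}
WINDOW = timedelta(seconds=120)

# Constructed Sysmon-like events (id 1 = process create, id 22 = DNS query), one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts":"2021-01-05T10:00:00","id":22,"host":"WS01","pid":4100,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","query":"icanhazip.com"}
{"ts":"2021-01-05T10:00:02","id":1,"host":"WS01","pid":4188,"ppid":4100,"image":"C:\\Windows\\System32\\netsh.exe","parent":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","cmdline":"netsh wlan show interfaces"}
{"ts":"2021-01-05T10:00:05","id":22,"host":"WS01","pid":4100,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","query":"bssid-geo-lookup.example"}
{"ts":"2021-01-05T10:30:00","id":1,"host":"WS02","pid":900,"ppid":880,"image":"C:\\Windows\\System32\\netsh.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmdline":"netsh wlan show interfaces"}
""".strip().splitlines()

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_wlan_enumeration(ev):
    """True for a process-create event that runs `netsh wlan show interfaces`."""
    if ev.get("id") != 1 or _basename(ev.get("image", "")) != "netsh.exe":
        return False
    cmd = " ".join(ev.get("cmdline", "").lower().split())
    return "wlan show interfaces" in cmd

def find_bssid_geolocation(lines):
    """Return one alert per suspicious BSSID harvest, with the geo lookups made by its parent."""
    events = [json.loads(line) for line in lines if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    alerts = []
    for ev in events:
        if not is_wlan_enumeration(ev):
            continue
        parent = _basename(ev.get("parent", ""))
        if parent in INTERACTIVE_PARENTS:
            continue  # an admin typing the command at a console is not this pattern
        # The sample did the IP-based lookup before netsh and the BSSID lookup after, so look both ways.
        lookups = sorted({e["query"] for e in events
                          if e.get("id") == 22 and e["host"] == ev["host"]
                          and e["pid"] == ev.get("ppid")
                          and abs(e["ts"] - ev["ts"]) <= WINDOW
                          and e["query"].lower() in GEO_LOOKUP_DOMAINS})
        alerts.append({"host": ev["host"], "parent": parent, "geo_lookups": lookups})
    return alerts

if __name__ == "__main__":
    for alert in find_bssid_geolocation(SAMPLE_EVENTS):
        print(alert)
```

On the sample data only WS01 is flagged: netsh was spawned by a Temp-directory executable whose own DNS queries bracket the BSSID read, while the WS02 run from cmd.exe is treated as an administrator at a console.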