I think some of my customers were in a recent Progressive commercial:
http://lifelanes.progressive.com/park-ranger-mark/
*From:* That One Guy /sarcasm <mailto:[email protected]>
*Sent:* Monday, April 11, 2016 4:21 PM
*To:* [email protected] <mailto:[email protected]>
*Subject:* Re: [AFMUG] interesting malware, and checking an air router
I feel bad for the poor Rise Broadband guy he talks to; he's convinced their ESSIDs have infected him.
On Sun, Apr 10, 2016 at 9:52 PM, That One Guy /sarcasm <[email protected]> wrote:
Stupid malware. I would have been a real good bad guy; I need to learn to code so I can hacksnphreaks stuff.
On Sun, Apr 10, 2016 at 9:46 PM, Josh Reynolds <[email protected]> wrote:
Correct
On Apr 10, 2016 9:43 PM, "That One Guy /sarcasm" <[email protected]> wrote:
No real way to do that remotely, is there, with no one holding the reset and a layer 2 connection?
On Sun, Apr 10, 2016 at 9:39 PM, Josh Reynolds <[email protected]> wrote:
No. TFTP flash recreates the flash filesystem. HTTP upgrade does not.
On Apr 10, 2016 9:38 PM, "That One Guy /sarcasm" <[email protected]> wrote:
If it happens to be crumped, and I HTTP it a firmware, it should still overwrite the funtime hatred, shouldn't it?
On Sun, Apr 10, 2016 at 9:34 PM, Josh Reynolds <[email protected]> wrote:
Nope. Just TFTP flash it to the newest stable firmware.
On Apr 10, 2016 9:02 PM, "That One Guy /sarcasm" <[email protected]> wrote:
Is there something to run against this air router to check it?
On Apr 10, 2016 7:53 PM, "Josh Reynolds" <[email protected]> wrote:
http://m.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die/
http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/
https://books.google.com/books?id=wqV1CgAAQBAJ&pg=PA183&lpg=PA183&dq=antivirus+attack+surface&source=bl&ots=HF7hnyj7sN&sig=Ski6OAQaLdD4MeIDGJRfuNoaZiE&hl=en&sa=X&ved=0ahUKEwjsgP7nroXMAhUjk4MKHb19DQ0Q6AEIKzAE#v=onepage&q=antivirus%20attack%20surface&f=false
On Apr 10, 2016 6:21 PM, "That One Guy /sarcasm" <[email protected]> wrote:
Josh,
Can you expand that?
The following is the last communication; note this started as a slowness complaint.
Hi. I had a couple questions regarding the wireless router that you provide with my service. Since I don't have access to the device, could you turn off broadcasting of the SSID please? The reason for this request is due to a very damaging virus/malware that hit my home network extremely hard. It gained access to my networks through the wireless connection and my phone, which then took out everything else connected. The Wi-Fi that caused the issue ended up as "OPEN" and no longer secure. Since there are such massive distances between any of us out here, I would only see that specific SSID on days when everything allowed it to travel just a little bit further. And when I did see it over the last 1.5 years, it was always "Secured". Anyway... the story is much longer, but A. can you hide the SSID and possibly change it to something else? This way I know it has a little extra protection. But please let me know the SSID.
Do you by chance know of an SSID near me of: ISPSTUFF360? Its MAC address is 00:60:ld:f1:91:be. It came back as a Lucent Technologies device. Also.. I was not simply taken out of service by 1 "Open" device... I was taken out by 2! The second one that is also broadcasting as "Open" is similar in name. Its SSID is ISPSTUFF1000. I have its MAC address somewhere in the middle of all this mess, but it's the same I believe. It also resolved by MAC address to a Lucent Technologies device.
From what I discovered, once I had a chance to finish up replacing the hard drive in my laptop, ending up with corruption in the BIOS as well, replacing a drive in my workstations as it would not ever respond to restoration software. And so much figging time to install everything. I had to be safe and reset my phone, my tablet PC and my FLAC file of over 119gb of my entire music collection. Not to. I still don't feel comfortable given how destructive it was. I immediately had to spend hour upon hour calling banks, and websites, and anything that I accessed online to change my logins and passwords.. It even appears to have left its mark on the Direct TV DVR as well. So I have already spent more $ than I had to spare but I most definitely don't trust any of the devices any longer. Especially since the 2 devices are still broadcasting as I send this. Kevin
On Sun, Apr 10, 2016 at 3:59 PM, Josh Reynolds <[email protected]> wrote:
FYI antimalware/antivirus and adblock are the newest attack vectors. :)
Pretty easy way to get persistent malware on machines now.
On Apr 10, 2016 3:57 PM, "That One Guy /sarcasm" <[email protected]> wrote:
I'm a worst case scenario artist. My concern is the customer will talk to our customer service, they'll tell him we will replace his router. He will bring it in, get a replacement. It's been "infected" and will hit our Achilles heel. Customer service will drop it in the returns bin. It will get taken back and connected to the machine that's used to dump the file, it will "infect" that machine, that machine will infect the customer service network. A tech will pick up the router and install it at another POP, infecting that POP. He will also bring his laptop back and connect it to my network. My machine has no real antimalware and he will infect it across that network. My machine has all the keys to the castle.
The reality is the guy probably had slow wifi in his detached garage 1500 feet from his house, and his buddy Mike said he must be infected with some really nasty virus because his portable version of AVG from 2010 can't find it, so it must be direct from Anonymous.
On Sun, Apr 10, 2016 at 3:37 PM, Josh Reynolds <[email protected]> wrote:
Cross platform malware is a Thing now, and has been for several years. It's fortunately not very prevalent yet.
On Apr 10, 2016 3:36 PM, "Bill Prince" <[email protected]> wrote:
I don't believe it. We have a friend that comes to some outrageous conclusions with scant information, and practically zero technical knowledge. Yet when he explains something, he sounds perfectly reasonable with impeccable logic. It just never is.
bp
<part15sbs{at}gmail{dot}com>
On 4/10/2016 1:29 PM, That One Guy /sarcasm wrote:
So we have this customer who experienced a ferocious malware. Still waiting on more details from the customer; it's very interesting because it crossed multiple platforms: multiple cell phones, a satellite DVR, a PC etc. I'm not sure how he verified infection, but he did have to factory his phones, his PC he said required a hard drive replacement (not sure what or who decided this), not sure how the satellite DVR was mitigated. He thinks it came from a Rise Broadband (formerly Prairie Inet) ESSID (I doubt this, the ESSIDs Prairie Inet ran were open, with other security for the access).
With it being as cross platform as it was I'm wondering how I would check the air router we provide to see if it got hit as well. All we do is a dump file on the current firmware that sets a password, ensures 443 is open, sets a DMZ to an IP out of the DHCP scope, and we manually set the ESSID with WPA2, the key being the MAC on the label (I think this is the WLAN) (we disable SNMP, telnet, but leave SSH open), we also turn off CDP and the ubnt discovery.
I'm hoping he has some good info on what this actually was, and it's not just a case of his buddy Jim telling him all this.
Anybody know of something in the wild capable of hitting all these devices across a network (wired/wireless)? I'm asking about the air router in particular, considering if it were impacted, that could be a mess at the POP since most customer NATs are in the same subnet, with duplicate configs.
--
If you only see yourself as part of the team but you don't see your team as part of yourself you have already failed as part of the team.
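The thread's open question is how to tell whether a returned air router was touched, and the list poster spells out what the provisioning dump file is supposed to leave behind: a password set, 443 open, a DMZ host outside the DHCP scope, WPA2 on the WLAN, SNMP and telnet disabled, SSH left open, CDP and UBNT discovery off. That description is enough to build a config-drift check for the returns bench. The script below is an added example, not code from the thread or from Ubiquiti. The key names imitate the flat key=value style of an airOS export but are assumptions chosen for this example, and both config dumps are constructed. It inspects only the configuration export, not the firmware image; for the image itself the thread's own advice is a TFTP flash, which it says recreates the flash filesystem where an HTTP upgrade does not.

```python
import ipaddress

# Constructed "golden" provisioning dump in airOS-style flat key=value form.
# Key names are assumptions for this example (not verified against any firmware
# release); the values mirror what the thread says the dump file sets.
GOLDEN = """\
users.1.name=ubnt
users.1.password=$1$constructed$golden.hash
users.1.status=enabled
httpd.https.status=enabled
httpd.https.port=443
snmp.status=disabled
telnetd.status=disabled
sshd.status=enabled
cdp.status=disabled
discovery.status=disabled
wireless.1.ssid=EXAMPLE-CPE
wireless.1.security=wpa2
aaa.1.wpa.psk=00aabbccddee
dhcpd.1.start=192.168.1.100
dhcpd.1.end=192.168.1.200
dmz.status=enabled
dmz.host=192.168.1.250
"""

# Constructed export from a unit that came back from a customer: telnet was
# re-enabled, the DMZ host moved into the DHCP pool, and a second login appeared.
RETURNED_UNIT = (
    GOLDEN.replace("telnetd.status=disabled", "telnetd.status=enabled")
          .replace("dmz.host=192.168.1.250", "dmz.host=192.168.1.150")
    + "users.2.name=support\n"
      "users.2.password=$1$constructed$extra.hash\n"
      "users.2.status=enabled\n"
)

# Placeholder for the factory-default credential hash(es); a real bench script
# would fill this from a unit fresh out of the box.
FACTORY_DEFAULT_HASHES = {"$1$constructed$factory.default"}


def parse_cfg(text):
    """Parse flat key=value lines into a dict; blank lines and '#' comments are skipped."""
    cfg = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: not key=value: {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


# Settings that must hold regardless of what the golden copy says:
# (key, expected value, what the setting protects).
REQUIRED = [
    ("httpd.https.status", "enabled", "HTTPS management on"),
    ("httpd.https.port", "443", "management on the expected port"),
    ("snmp.status", "disabled", "SNMP off"),
    ("telnetd.status", "disabled", "telnet off"),
    ("sshd.status", "enabled", "SSH kept for support"),
    ("cdp.status", "disabled", "CDP off"),
    ("discovery.status", "disabled", "UBNT discovery off"),
    ("wireless.1.security", "wpa2", "WPA2 on the WLAN"),
]
REQUIRED_KEYS = {key for key, _, _ in REQUIRED}


def audit(cfg, golden):
    """Return human-readable findings; an empty list means the dump matches policy and baseline."""
    findings = []
    for key, want, why in REQUIRED:
        got = cfg.get(key)
        if got != want:
            findings.append(f"{key}={got!r}, expected {want!r} ({why})")
    # The dump file is supposed to set a password: reject empty or factory-default ones.
    pw = cfg.get("users.1.password", "")
    if not pw or pw in FACTORY_DEFAULT_HASHES:
        findings.append("users.1.password is empty or still the factory default")
    # The DMZ host must sit outside the DHCP pool so a lease can never collide with it.
    try:
        host = ipaddress.ip_address(cfg["dmz.host"])
        lo = ipaddress.ip_address(cfg["dhcpd.1.start"])
        hi = ipaddress.ip_address(cfg["dhcpd.1.end"])
        if lo <= host <= hi:
            findings.append(f"dmz.host {host} lies inside DHCP pool {lo}-{hi}")
    except (KeyError, ValueError) as exc:
        findings.append(f"cannot evaluate DMZ/DHCP relationship: {exc}")
    # Anything the golden copy never wrote is drift: extra accounts, services, schedules.
    for key in sorted(set(cfg) - set(golden)):
        findings.append(f"unexpected key {key}={cfg[key]!r}")
    # Golden keys whose value changed are drift too (REQUIRED already reported its own).
    for key in sorted(set(golden) & set(cfg)):
        if golden[key] != cfg[key] and key not in REQUIRED_KEYS:
            findings.append(f"{key} changed from {golden[key]!r} to {cfg[key]!r}")
    return findings


if __name__ == "__main__":
    golden = parse_cfg(GOLDEN)
    for name, text in (("golden", GOLDEN), ("returned unit", RETURNED_UNIT)):
        print(f"== {name}")
        for finding in audit(parse_cfg(text), golden) or ["clean"]:
            print("  ", finding)
```

Run as-is it reports the golden dump clean and lists six findings for the returned unit (the moved DMZ host shows up twice, once as a policy violation and once as drift from the baseline). On the bench the idea is to pull the export from every returned unit and run it through the same check before the unit is re-flashed and put back in the pool; the drift loop is what catches things the policy list never anticipated, such as the extra account in the constructed dump.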