Typhoid Adware: Coming From a Laptop Near You

A yet-unseen malware variant dubbed “Typhoid adware” could allow cyberattackers to prey on portable computer users tethered to unsecured WiFi connections at Internet cafes and other public places.

This potential threat is lurking wherever consumers gather to use free Internet access points. The hidden new threat has none of the telltale symptoms of traditional infections, and it functions as a twist on the notorious “Man-in-the-middle” vulnerability, according to a team of computer science researchers at Canada’s University of Calgary.

These researchers named this potential threat after Typhoid Mary. The malware resembles the typhoid fever carrier who spread the disease to dozens of people in the New York area in the early 1900s.

Adware is software code that users inadvertently allow into their computers when they download infected files like fancy toolbars or free screen savers, or when they visit infected Web sites. Typhoid adware needs a wireless Internet cafe or other area where users share a non-encrypted wireless connection.

“We’ve not yet seen it in the wild. But it is something we are expecting to see. The reason is so many people bring their computers to centralized wireless locations. The bad guys are interested in making money, so centralized locations are a great opportunity for them,” John Aycock, associate professor in the computer science department at the University of Calgary, told TechNewsWorld.

Speculative Origins

His research team devised the concept behind the Typhoid adware attack as part of a proactive computer security study, said Aycock. See the paper on Typhoid adware here.

“We try to figure out what the bad guys are going to do before we see it in the wild,” he said. It is a proof of concept malware that has not yet been found in the wild. But the potential for use is very likely.

Aycock coauthored a paper on the so-called Typhoid adware threat with assistant professor Mea Wang and students Daniel Medeiros Nunes de Castro and Eric Lin. The paper demonstrates how Typhoid adware works as well as presents solutions on how to defend against such attacks. In May, De Castro presented it at the EICAR conference in Paris, a conference devoted to IT security.

What It Does

Typhoid adware tricks nearby computers into accepting an unknown host computer nearby as a legitimate WiFi connection. The host computer then delivers annoying ads to the phoney network of victim laptops.

Typically, adware authors install their software on as many machines as possible. But Typhoid adware comes from another person’s computer and convinces other laptops to communicate with it and not the legitimate access point, Aycock explained.

Then the Typhoid adware automatically inserts advertisements in videos and Web pages on the other computers. Meanwhile, the owner of the infected host computer does not see any of the ads and thus does not know the computer is infected.

Why worry about ads sent from one laptop to another? Ads are annoying, but they can also advertise rogue antivirus software that is harmful to the user’s computer. That makes ads the tip of the iceberg, Aycock warned.

Not So Fast

Not all security researchers are convinced that Aycock’s fears about an imminent Typhoid adware outbreak are justified.

“About 90 percent of viruses, worms and malware were proof of concept and never made it into the wild,” Tracy Hulver, executive vice president for products and marketing at netForensics, told TechNewsWorld.

While not a new concept, the premise behind the Typhoid adware attack gives us a good reason not to use public WiFi connections, noted Catalin Cosoi, lead online researcher for Bit Defender.

“There probably will be some attempt by hackers to use Typhoid. But as it is now, I don’t see any big threats from it,” Cosoi told TechNewsWorld.

Linux Users Beware

If attackers took advantage of the Typhoid adware’s potential, they could blur the line between Linux security and Windows vulnerability. The tools used to develop the proof of concept are part of an open source Linux package called “Dsniff,” according to Chet Wisniewski, senior security advisor at Sophos.

“The concept is interesting. If it were developed a bit more it could pose a nasty threat,” Wisniewski told TechNewsWorld.

The Dsniff package, written by Dug Song, is a packet sniffer and set of traffic analysis tools. The tool decodes passwords sent in cleartext across a switched or unswitched Ethernet network. See details here.

Similar tools are not available to make a Windows host, so the attacker would have to be a Linux user. But Windows boxes nearby would be at risk to receive ads, said Wisniewski, an avid Linux user.

Tricky Typhoid

The Typhoid adware threat, if it becomes one, presents a different situation for defenders. It also gives attackers a different business model.

“Protecting against Typhoid is a bit tricky because of the way it works. Normally if you have an adware infection you would see a bunch of ads popping up, and you would know something is there. Typhoid adware is different and a lot sneakier,” said Aycock.

Instead of showing ads on the computer where it is installed, Typhoid shows ads on computers that are around it by hijacking their Internet connections, he explained. That makes it challenging to convince computer users they have a problem.

If you are seeing the ads, you don’t have anything to detect. If you are not seeing any ads, you might find it hard to believe that you have something on your computer.

Typhoid Defenses

Typhoid adware is designed for public places where people bring their laptops, noted Aycock. It is far more covert and displays advertisements on computers that do not have the adware installed, not the ones that do.

“No good defensive solutions have been proposed. Each suggested solution has a down side,” warned Cosoi.

Laziness could work against Typhoid: having to sit near other computer users to push the infection may limit the need for defenses, he suggested. Other kinds of attacks are available that provide far greater results a lot more easily.

Proactive Fighting

Aycock and his fellow researchers have devised a few defenses against Typhoid adware. One way is to protect the content of videos to ensure that what users see comes from the original source. Another way is to make laptops recognize that they are at an Internet cafe so they will be more suspicious of contact from other computers.

A proactive approach to security involves having the laptop look for signs of a hijack in a public location, according to Aycock. An analogy is that when you are home you know you are safe. If you go outside you know you have to be more cautious. But computers don’t have that same sense.
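One way a laptop could look for signs of a hijack, shown as an added example that is not from the article or the researchers’ paper. It assumes the redirection shows up as the gateway’s entry changing in the laptop’s ARP cache; the snapshots, addresses and the function names `parse_arp_table` and `hijack_signs` are constructed for illustration.

```python
# Constructed sample data in the layout of Linux's /proc/net/arp.
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.23     0x1         0x2         66:77:88:99:aa:bb     *        wlan0
"""

# Later snapshot: the gateway IP now resolves to the MAC of host .23.
LATER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         66:77:88:99:aa:bb     *        wlan0
192.168.1.23     0x1         0x2         66:77:88:99:aa:bb     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

ATF_COM = 0x2  # flag bit the kernel sets on a completed ARP entry


def parse_arp_table(text):
    """Return {ip: mac} for completed entries, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated row
        ip, _hw_type, flags, mac = fields[:4]
        if int(flags, 16) & ATF_COM:
            table[ip] = mac.lower()
    return table


def hijack_signs(baseline, current, gateway_ip):
    """Compare two snapshots and list reasons to distrust the gateway."""
    findings = []
    old_mac, new_mac = baseline.get(gateway_ip), current.get(gateway_ip)
    if old_mac and new_mac and old_mac != new_mac:
        findings.append(f"gateway {gateway_ip} moved from {old_mac} to {new_mac}")
    # A peer sharing the gateway's MAC suggests one host answers for both.
    twins = sorted(ip for ip, mac in current.items()
                   if new_mac and mac == new_mac and ip != gateway_ip)
    if twins:
        findings.append(f"gateway MAC {new_mac} also claimed by {', '.join(twins)}")
    return findings


if __name__ == "__main__":
    base, later = parse_arp_table(BASELINE), parse_arp_table(LATER)
    for finding in hijack_signs(base, later, "192.168.1.1"):
        print("WARNING:", finding)
```

A real check would take the baseline when the laptop first joins the network and re-read the table periodically; a legitimate access-point replacement also changes the gateway MAC, so a finding is a reason for suspicion rather than proof.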

Another approach is to target computers that might have something like Typhoid on them. That goes back to protections like traditional antivirus software, he noted.

Switchable Options

So far Aycock’s researchers succeeded in implementing a type of software switch. It warns a laptop with an active WiFi connection to be less trusting of what other computers connected to its Internet connection are telling it.

“This is something that we’ve been able to do in the lab. This isn’t something for regular users at this point,” said Aycock.

The defensive switch has to be incorporated into regular antivirus software protections. It could also be integrated into the laptop’s firewall software, he said.

Much of the process for getting a Typhoid defense into play is a wait-and-see process. It starts with getting the vendors interested.

“That’s one reason we did the paper and presented it at the conference. The audience was a mix of academia and industry. So it is a good venue to advertise this work to those people,” said Aycock.

1 Comment

  • I’ve been fighting this thing for 5 weeks straight. It has wrecked my home systems and I’m concerned that its subversive nature and quick mutation keep it easily unnoticed. I will warn you, do not attack this thing with your normal array of standard AV, it will only perceive you as a threat. At that point the AI is difficult enough to overcome, not to mention the net remote access it has set up in your Dbus and IO modules. This thing is nasty, embeds itself in L1 cache on every duo core I have, associates bluetooth, wireless, tele, IM, anything you have installed and whatever it brings in. Fake key gens, privilege modification, this thing actually can power a wifi card (intel 5300 a/b/g) from CMOS, you can pull the battery, shutdown, whatever but until you physically remove the transmitters and medium you can expect problems. The thing is so sticky, I’m not convinced it doesn’t modulate and transmit via AC infrastructure. I know, it sounds crazy, believe me my credibility has suffered in trying to explain this one to people. If you know what’s good for you, wait for a pro fix, otherwise you will be learning 16-bit DOS embed hacks, Unix/Linux/Windows/Mac file systems morphs, all OS permission hacks, string translator pipes 30+ folders deep, and invisible NTVDMs. Good luck if you meet this monster, you will need it.
