
I believe I've been subject to a wpad attack, but I am not sure what was the extent of the damage and how to properly clean and secure my various devices at home.

First, my browser started blocking some random websites because of invalid certificates (e.g. anything in google.com worked just fine but not wikipedia.com). The same happened when I tried with other browsers. When I checked the server certificate, it showed one issued by vihoo (dev/localhost).

A few moments later, I got a notification from my antivirus about JS:Miner.bq in C:\Users\xxxxxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NBNFPTGR\wpad[4].htm\00000074.js being detected and deleted. IE history shows that the file was accessed from http://wpad.<my-own-domain>/wpad.dat (which doesn't exist).

So I was under a MITM attack, and my browser could have run undetected malicious JavaScript. I checked my browsing history: everything was over HTTPS, but there was one website that was accessed via HTTP. No password/sensitive information/downloads there, but if I understand correctly, my browser could have run further malicious JavaScript.

I didn't find any suspicious DNS record changes with my personal domain name. So I am assuming here that someone managed to hack into my local home network and/or my router (I had a public web management console which was just protected by a simple password).

Question 1: What would be the extent of the damage if my router was compromised? Browser-saved passwords? Files on disk? A persistent backdoor?

This is what I did so far:

  • I ran a full antivirus scan everywhere. Nothing was reported except another occurrence of the same trojan in C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\wpad[1].htm\00000074.js on the same Windows 7 machine.
  • Following the recommendations from this post, I deactivated the auto-discovery of network settings on my Windows machines. I am not sure though if there is an equivalent for Android devices.
  • I factory-reset my router configuration, changed the admin and Wi-Fi passwords, and deactivated the remote web management.

Question 2: Are those steps sufficient to properly secure my home network and the rest of my devices? Do I need, for example, to reinstall Windows and factory-reset all Android devices?

  • @schroeder: Why duplicate? In my question, I am asking specifically about MITM where the attacker was potentially able to control my router and run malicious JavaScript in my browser. Is this equivalent to a virus infection? If yes, how could an attacker exploit, for example, DNS/JavaScript to install a rootkit and take complete control of the PC? – keskesm Jul 17 '19 at 12:08
  • If someone was able to run malicious code in your browser, then that's the same thing as any other type of malware. It's code running on your computer. – schroeder Jul 17 '19 at 13:00
  • It's a duplicate because your question is about how to recover. The duplicate question answers that. – schroeder Jul 17 '19 at 13:01
  • How can the browser's JavaScript be equivalent to `code running on your computer`? The JS running in the browser is way more restricted, e.g. access to the filesystem, forking processes, ... Am I missing something? – keskesm Jul 18 '19 at 01:47

1 Answer

What a WPAD attack does is change your browser's internet proxy settings, meaning all of your traffic would go through the attacker's proxy, meaning he could read all of the unencrypted traffic. If you had seen a certificate warning and visited the website anyway, then the fact that it's HTTPS won't help you; everything can still be intercepted. A WPAD attack doesn't affect DNS security, but a router compromise does.

Q1: Access to the router allows an attacker to gain full read and modify capabilities over your network traffic, meaning he can redirect your DNS requests to his sites, intercept/modify web traffic, simply re-route everything through himself, etc.

Q2: For Windows, definitely re-install the OS; for Android devices it is recommended. Changing all of your passwords for sites that you commonly browse or those of high value is definitely a must. Change the web passwords either after you have cleaned and reset everything or from a previously non-compromised network.

  • You said `If you had seen a certificate warning and visited the website, than the fact that it's HTTPS won't help you, everything still can be intercepted`. The browser doesn't just display the warning, it actually blocks loading the page, so I assume nothing gets intercepted in this case, right? – keskesm Jul 17 '19 at 12:10
  • Can you elaborate more on the first answer: how could an attacker exploit, for example, DNS/JavaScript to install a rootkit and take complete control of the PC? – keskesm Jul 17 '19 at 12:15
  • @keskesm If the browser blocks it, then yes, but usually you can click to ignore the certificate warning. I am not here to promote offensive behaviour aside from ethical hacking like red teaming/pentesting etc., so you will have to find the ways to exploit it on your own. – Raimonds Liepiņš Jul 17 '19 at 13:16