http://m.theregister.co.uk/2014/07/29/antivirus_blood_splattered_as_biz_warned_audit_or_die/
http://arstechnica.com/security/2015/09/security-wares-like-kaspersky-av-can-make-you-more-vulnerable-to-attacks/ https://books.google.com/books?id=wqV1CgAAQBAJ&pg=PA183&lpg=PA183&dq=antivirus+attack+surface&source=bl&ots=HF7hnyj7sN&sig=Ski6OAQaLdD4MeIDGJRfuNoaZiE&hl=en&sa=X&ved=0ahUKEwjsgP7nroXMAhUjk4MKHb19DQ0Q6AEIKzAE#v=onepage&q=antivirus%20attack%20surface&f=false On Apr 10, 2016 6:21 PM, "That One Guy /sarcasm" <thatoneguyst...@gmail.com> wrote: > Josh, > > Can you expand that? > > > The following is the last communication, note this started as a slowness > complaint. > > Hi. I had a couple questions regarding the wireless router that you > provide with my service. Since I don't have access to the device, could you > turn off broadcasting of the SSID please? The reason for this request due > to a very damaging virus/malware that hit my home network extremely > hard.gained access to my networks through the wireless connection and my > phone, which then took out every thing else connected. The Wi-Fi that > caused the issue ended up as "OPEN" and not longer secure. Since there is > such massive distances between any of us our her I would only see that > specific SSID on days when everthing allowed to to travel just a litter bit > further. And when I did see it over the last 1.5 years, but it was always > "Secured". Anyway... the story is much longer but A. can you hide the SSID > and possibly change it to something else? This way I know it has a little > extra protection. But please let me know the the SSID. Do you by chance > know of an SSID near me of: ISPSTUFF360? It's Mac address is > 00:60:ld:f1:91:be. It came back as a Lucent Technologies device. Also.. I > was not simply taken out of service by 1 "Open" device...I was taken out by > 2 ! The second one that is also broadcasting as "Open is similar in name. . > It\s SSID is ISPSTUFF1000. I have it's mac address somewhere in the middle > of all this mess, but its the same I believe. It also resolved by MAC > address to a Lucent Technologies Devic. From what discovered from once I > had a change to finish up replacing the hard drive in my laptop, ending up > with corruption in the bios as well, replacing a drive in my Workstations > as it would not ever respond to restoration software. And so much figging > time to install everything. I had to be safe and reset my phone, my tablet > pc and and my FLAC file of over 119gb of my entire music collection. Not > to. I still dont feel comfortable given how destructive it was. I > immediately had to spend our upon hour callng banks, and Website, and > anyting that I accessed online to change my logins and passwords.. It even > appears to have left it's mark on the Direct TV DVR as well. So I have > already spent more $ than I had to spare but I most definately dont trust > any of the devices anylonger. Especially since the 2 devices are still > broadcasting as I send this. Kevin > > On Sun, Apr 10, 2016 at 3:59 PM, Josh Reynolds <j...@kyneticwifi.com> > wrote: > >> FYI antimalware/antivirus and adblock are the newest attack vectors. :) >> >> Pretty easy way to get persistent malware on machines now. >> On Apr 10, 2016 3:57 PM, "That One Guy /sarcasm" < >> thatoneguyst...@gmail.com> wrote: >> >>> Im a worst case scenario artist. My concern is the customer will talk to >>> our customer service, theyll tell him we will replace his router. He will >>> bring it in, get a replacement. Its been "infected" and will hit our >>> Achilles heel. Customer service will drop it in the returns bin. It will >>> get taken abk and connected to the machine thats used to dump the file, it >>> will "infect" that machine, that machine will infect the Customer service >>> network. A tech will pick up the router and install it at another POP. >>> infecting that POP. he will also bring his laptop back and connect it to my >>> network. My machine has no real antimalware and he will infect it across >>> that network. My machine has all the keys to the castle. >>> >>> the reality is they guy probably had slow wifi in his detached garage >>> 1500 feet from his house, and his buddy mike said he must be infected with >>> some really nasty virus because his portable version of AVG from 2010 cant >>> find it so it must be direct from anonymous. >>> >>> On Sun, Apr 10, 2016 at 3:37 PM, Josh Reynolds <j...@kyneticwifi.com> >>> wrote: >>> >>>> Cross platform malware is a Thing now, and has been for several years. >>>> It's fortunately not very prevalent yet. >>>> On Apr 10, 2016 3:36 PM, "Bill Prince" <part15...@gmail.com> wrote: >>>> >>>>> I don't believe it. >>>>> >>>>> We have a friend that comes to some outrageous conclusions with scant >>>>> information, and practically zero technical knowledge. Yet when he >>>>> explains >>>>> something, he sounds perfectly reasonable with impeccable logic. It just >>>>> never is. >>>>> >>>>> bp >>>>> <part15sbs{at}gmail{dot}com> >>>>> >>>>> >>>>> On 4/10/2016 1:29 PM, That One Guy /sarcasm wrote: >>>>> >>>>> So we have this customer who experienced a ferocious malware, still >>>>> waiting on more details from the customer, its very interesting because it >>>>> crossed multiple platforms. multiple cell phones, a satellite DVR, a PC >>>>> etc. Im not sure how he verified infection, but he did have to factory his >>>>> phones, his PC he said required a hard drive replacement (not sure what or >>>>> who decided this) not sure how the satellite DVR was mitigated. He thinks >>>>> it came from a Rise Broadband (formerly Prairie Inet ESSID (I doubt this, >>>>> the ESSIDs prairie inet ran were open, with other security for the access) >>>>> With it being as cross platform as it was im wondering how i would >>>>> check the air router we provide to see if it got hit as well. All we do is >>>>> a dump file on the current firmware that sets a password, ensures 443 is >>>>> open, sets a DMZ to an IP out of the DHCP scope, and we manually set the >>>>> ESSID with WPA2, the key being the MAC on the label ( it think this is the >>>>> WLAN) (we disable snmp, telnet, but leave ssh open), we also turn off CDP >>>>> and the ubnt discovery >>>>> >>>>> >>>>> Im hoping he has some good info on what this actually was, and its not >>>>> just a case of his buddy jim telling him all this. >>>>> >>>>> Anybody know of something in the wild capable of hitting all these >>>>> devices across a network (wired/wireless) >>>>> >>>>> Im asking about the airrrouter in particular, considering if it were >>>>> impacted, that could be a mess at the POP since most customer NAT are in >>>>> the same subnet, with duplicate configs >>>>> >>>>> -- >>>>> If you only see yourself as part of the team but you don't see your >>>>> team as part of yourself you have already failed as part of the team. >>>>> >>>>> >>>>> >>> >>> >>> -- >>> If you only see yourself as part of the team but you don't see your team >>> as part of yourself you have already failed as part of the team. >>> >> > > > -- > If you only see yourself as part of the team but you don't see your team > as part of yourself you have already failed as part of the team. >
