Writing

Software, technology, sysadmin war stories, and more. Feed
Thursday, May 17, 2012

Infected machines at 35,000 feet

There are some interesting things you can see when you sniff the wireless network for passengers on an airplane. Even if you don't go into full-on monitor mode, there's plenty of crazy stuff up there. Besides the ARP requests and other broadcast and multicast traffic, I spotted this:

11:15:18.507201 IP 172.20.10.246.4998 > 0.0.0.0.53: 49182+ A? def2010cnt.biz. (32)

What jumps out to me is that this crazy host is blasting DNS queries to a nonsensical IP address, and it's probably going to the broadcast address at the Ethernet level. If I had thought to add the "-e" switch to my tcpdump, then I could have confirmed that.

The host it's looking up is apparently used for command and control of infected machines. In other words, somewhere on the same plane as me, there was a (Windows) laptop which had been compromised and was trying to phone home for further instructions.

A small part of me wanted to see if I could track it down and help the owner reclaim their machine from the baddies. Fortunately, the rest of me said "it's their problem, and besides, it's a needle in a haystack".

Two minutes later, I started tcpdump up with -e to see the hardware addresses flying around and got this:

11:17:48.216424 00:24:2b:81:8f:2a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 82: 172.20.10.246.5043 > 0.0.0.0.53: 60702+ A? bestsolutions2010.info. (40)

So there it is. Somewhere out there, someone owns a wireless adapter with a hardware address of 00:24:2b:81:8f:2a, and they're using it in conjunction with a machine which is infected with something nasty. I didn't catch any other potentially-identifying information from this host, so there's no telling which of hundreds of passengers it could have been.

At what point should public-facing network providers try to detect badness and somehow alert a user to the things on their system?