Chameleon WiFi Virus Spreads Like a Cold

March 6, 2014 | BY

A team of researchers at the University of Liverpool developed a virus dubbed Chameleon that travels over WiFi networks and spreads “as efficiently as the common cold spreads between humans.”

Unlike most viruses, Chameleon doesn’t go after computers or internet resources; it focuses on access points (APs), the devices through which you connect to the internet.

For the average home user, this is usually a wireless router.

The research team says the virus spreads fast, avoiding detection and identifying “the points at which WiFi access is least protected by encryption and passwords.” If the virus hits a roadblock when trying to propagate, it simply looks for other access points “which weren’t strongly protected including open access WiFi points common in locations such as coffee shops and airports.”

There haven’t been many technical details released on the virus, but it’s not unheard of for an AP to become infected; a few weeks ago, in fact, reports surfaced that several thousand Linksys routers had become infected with a worm likely installed through a vulnerability found in the firmware.

“When Chameleon attacked an AP it didn’t affect how it worked, but was able to collect and report the credentials of all other WiFi users who connected to it”, said Alan Marshall, Professor of Network Security at the University.

It’s unfortunate that very few routers today have adequate anti-virus protection, if they have any at all. In addition, many consumers never change the default username and password on their routers, making them dreadfully susceptible to hijacking.

Here are some measures you can take to protect yourself from these types of threats:

  • Change the default username and password on your home router
  • Ensure your WiFi network is password protected with a strong password
  • Avoid weaker wireless authentication protocols like WEP
  • Don’t broadcast your network’s name (SSID)
  • Avoid public networks and WiFi hotspots
  • Consider MAC address filtering to control which devices connect to your network
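
As an added illustration (not part of the original article), the wireless-side items in the list above can be checked mechanically on an access point whose settings are expressed in hostapd.conf form. The two sample configurations and the 16-character passphrase minimum are assumptions made for this example.

```python
# Added example: audit hostapd-style AP settings against the checklist above.
# Both configs are constructed samples; MIN_PASSPHRASE_LEN is an assumed policy.
MIN_PASSPHRASE_LEN = 16

WEAK_CONF = """\
ssid=HomeNet
wep_default_key=0
wep_key0="abcde"
"""

HARDENED_CONF = """\
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=constructed-sample-passphrase-9471
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
"""

def parse(conf):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    s = parse(conf)
    findings = []
    wpa = int(s.get("wpa", "0"))  # bit 0 = WPA (v1), bit 1 = WPA2/RSN
    if any(k.startswith("wep_key") for k in s):
        findings.append("WEP keys configured: WEP is a weak protocol")
    if wpa == 0:
        findings.append("WPA disabled: network is open or WEP-only")
    elif wpa & 1:
        findings.append("WPA version 1 enabled: restrict to WPA2 (wpa=2)")
    ciphers = (s.get("wpa_pairwise", "") + " " + s.get("rsn_pairwise", "")).split()
    if "TKIP" in ciphers:
        findings.append("TKIP allowed as pairwise cipher: use CCMP only")
    if "wpa_passphrase" in s and len(s["wpa_passphrase"]) < MIN_PASSPHRASE_LEN:
        findings.append("passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if s.get("macaddr_acl", "0") != "1":
        findings.append("MAC accept list not enforced (macaddr_acl is not 1)")
    return findings
```

Calling `audit(WEAK_CONF)` reports the WEP, missing-WPA and MAC-filter findings, while `audit(HARDENED_CONF)` returns an empty list.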

Joshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and malware analysis. Twitter: @joshcannell


  • exile360

    The church where my sister works got a bad infection on their network recently. They traced the source to a laptop one of the employees was using to work from home and bringing into work. Apparently there was some sort of worm that spread from that system and was installing (and reinstalling) PUPs on all the PCs on the network. Of course that same employee’s home network was completely infected with the same thing. It was the first time I’d ever heard of a rogue/Trojan installing PUPs like that as usually they just drop rogues and rootkits. I guess since PUPs tend to be about installation volume for profits (more installations on more systems=more $) it makes sense that some ‘rogue’ affiliates of these PUP vendors might resort to such tactics.

    It took shutting down the network and running Malwarebytes Anti-Malware, Malwarebytes Anti-Rootkit and RogueKiller to put a dent in it and finally get the systems cleaned up.

    Needless to say, that employee will not be allowed to do the BYOD thing any more (and neither will anyone else per the church’s new policy thanks to this event).

    I guess this occurrence gives a new definition to the term ‘blended threat’.

  • Mohammad Jupriyadi

    I am very satisfied

  • Tom Wickerath

    Hiding your SSID offers no real protection; it is very easy to discover the SSID once any device connects to it (smartphone, laptop, etc). All it does is add difficulty for the user.

    One thing that I do is disable the ability in the router settings to make any changes using a wireless connection. For my routers, you need to use a wired connection along with a strong password. I think this one change would do a lot to help thwart Chameleon infections of wireless access points, as the perpetrator would need physical access to the ethernet cable that serves the wireless access point (or they would need to gain access to the ethernet port on the back of the wireless access point).

  • F4TE Silent

    I found a file called chameleon in my Documents folder, and when I open it, inside it has things like mbamkiller.exe and internetexplorer.exe and a load of suspicious stuff. Should I delete it?


  • bradley sweat (Razor Gaming)

    All of a sudden there is a connection called nowifi4u in my internet list. It wasn’t anywhere in my known internet connections and things. It was already set to autoconnect. I blocked my comp from ever connecting before it got the chance, and this connection is not going away; it’ll disappear for a bit then return. I got rid of it by disallowing my main home wifi from showing other sources, but somehow it found its way back and tried to autoconnect again, and my home internet has been extremely messed up today after this was discovered. Could this be anything bad?