Malware uses WiFi BSSID for victim identification

Malware authors are using the WiFi AP MAC address (also known as the BSSID) as a way to geo-locate infected hosts.

wifi-router.jpg

Image: Stephen Phillips

Malware operators who want to know the location of the victims they infect usually rely on a simple technique where they grab the victim's IP address and check it against an IP-to-geo database like MaxMind's GeoIP to get a victim's approximate geographical location.

Security

Everything you need to know about viruses, trojans and malicious software

Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.

Read More

While the technique isn't very accurate, it is still the most reliable method of determining a user's actual physical location based on data found on their computer.

However, in a blog post last month, Xavier Mertens, a security researcher with the SANS Internet Storm Center, said he discovered a new malware strain that is using a second technique on top of the first.

This second technique relies on grabbing the infected user's BSSID.

Known as a "Basic Service Set Identifier," the BSSID is basically the MAC physical address of the wireless router or access point the user is using to connect via WiFi.

You can see the BSSID on Windows systems by running the command:

netsh wlan show interfaces | find "BSSID"

Mertens said the malware he discovered was collecting the BSSID and then checking it against a free BSSID-to-geo database maintained by Alexander Mylnikov.

This database is a collection of known BSSIDs and the last geographical location they've been spotted at.

These types of databases are quite common these days and are usually used by mobile app operators as alternative ways to track users when they can't get access to a phone's location data directly (i.e., see WiGLE, one of the most popular services used for these types of BSSID-to-geo conversions).

Checking the BSSID against Mylnikov's database would allow the malware to effectively determine the physical geographical location of the WiFi access point the victim was using to access the internet, which is a far much accurate way of discovering a victim's geographical position.

Using both methods together allow malware operators to confirm that the initial IP-based geolocation query is correct with the second BSSID method.

Malware operators usually check for a victim location because some groups want to make victims only inside specific countries (such as state-sponsored operations) or they don't want to infect victims in their native country (in order to avoid drawing the attention of local law enforcement and avoiding prosecution).

However, IP-to-geo databases are known for their wildly inaccurate results, as telcos and data centers tend to acquire or rent IP address blocks on the free market. This results in some IP blocks being assigned to different organizations in other regions of the globe from their initial/actual owner.

Using a second method to double-check a victim's geographical location isn't widely adopted today, but the technique has clear benefits that other malware operations will surely appreciate and decide to use in the future as well.