Mac OS X Internet connection sharing hacked

Don’t mean to be alarmist, perhaps that title should have read, "my Mac OS X Internet connection sharing hacked". For a few minutes there I was wondering whether I’d discovered the first really nasty piece of Mac OS X spyware; but after a few minutes of investigation it looks like it’s one of my neighbours that has the spyware, and he or she had somehow hacked into my local wireless network (provided via Mac OS X’s Internet connection sharing).

This started about 20 minutes ago when I noticed (thanks to the Net Monitor icon in my Dock) a steady 80-100KB/s of incoming data despite the fact that I wasn’t actively downloading anything. I checked to make sure that this traffic wasn’t caused by iTunes downloading new podcasts in the background. It wasn’t. My curiosity was piqued. Little Snitch hadn’t reported any unauthorized connection attempts. I fired up Interarchy so that I could watch the traffic and get a clue as to what it was.

The alarm bells started to ring when I saw that the traffic was directed to sites of "questionable character". I picked the first suspicious-looking URL (www.mascosasxsms.com) and visited it in Safari: turned out to be a cheap-and-tacky porn site; ad-laden, filled with pop-ups, and with "dodgy" written across every corner. Other hosts showing up in the traffic included:

Not only were sites like this turning up in the traffic log, they were turning up at an incredible rate, too fast to be generated by a human under normal navigation. "Entrepreneurs" with nothing better to do write spyware that generates false page impressions on sites where ads are placed, and they try to install it (without permission, needless to say) on as many machines as possible so as to maximise their "hard-earned profits". Spyware would explain the traffic patterns I was seeing.

So I started searching for a spyware process that might be generating this traffic. I checked and double checked the list of open network connections, of open files (man lsof) and the process tree in Activity Monitor to try and identify a likely culprit. I quit Safari. I wondered if Mail might be the culprit (something received in an email and exploiting a vulnerability when it passed through the filters or was displayed in the preview pane) but the CPU usage seemed too low.

If this was spyware it was doing a pretty darn good job of hiding itself. I didn’t want to quit any processes because that might cause the network activity to go away before I’d identified the source, but once I had done everything I could think of I turned my attention to the network instead.

I connect to the net via an ADSL2+ modem plugged in directly to my iMac’s ethernet port. I also have Internet connection sharing turned on via AirPort so that I can get on the net with my trusty old G4 PowerBook. The makeshift AirPort network is protected via a password and encrypted via WEP (128-bit, if I recall correctly). Perhaps someone in the area had managed to crack my WEP password and was piggybacking on my connection. Sure enough, as soon as I turned off Internet connection sharing the activity immediately stopped.

The puzzling question is, was this a neighbour whose machine was infected with spyware, or would someone actually want to visit those sites? I doubt it. The traffic log showed that the HTTP requests included a Spanish Accept-Language field, indicating that the traffic was probably coming from a real web browser and not some background user-agent process:

Accept-Language: es-ES,es;q=0.9,en;q=0.8

But there were also some hits to some harmless hosts like:

Why would a spyware process visit help.opera.com? A couple of different user agent strings were also reported in the log:

User-Agent: Opera/9.01 (Windows NT 5.1; U; en)
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

I don’t really know enough about Windows to know the state of spyware for browsers other than IE. Do Opera and Mozilla host much, if any spyware? Or is this a background user agent pretending to be something it’s not?
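The two things that pointed at a piggybacking machine above were the request rate (too fast for a person clicking) and the Accept-Language and User-Agent headers. Here is an added example, not from the original post, of the same triage done over a constructed request log: it groups requests by LAN client, flags any client whose rate is implausible for a human, and lists the headers that client sent. The log format, hostnames and addresses are all invented for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (placeholder hosts/addresses): time, LAN client,
# requested host, then the two headers the post quotes. 192.168.2.3 plays the
# fast, Spanish-locale machine; 192.168.2.2 a normally browsing local client.
SAMPLE_LOG = """\
21:04:00 192.168.2.3 ads1.example "Opera/9.01 (Windows NT 5.1; U; en)" "es-ES,es;q=0.9,en;q=0.8"
21:04:00 192.168.2.3 ads2.example "Opera/9.01 (Windows NT 5.1; U; en)" "es-ES,es;q=0.9,en;q=0.8"
21:04:01 192.168.2.3 ads3.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "es-ES,es;q=0.9,en;q=0.8"
21:04:01 192.168.2.3 ads1.example "Opera/9.01 (Windows NT 5.1; U; en)" "es-ES,es;q=0.9,en;q=0.8"
21:04:02 192.168.2.3 ads4.example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" "es-ES,es;q=0.9,en;q=0.8"
21:04:03 192.168.2.3 ads2.example "Opera/9.01 (Windows NT 5.1; U; en)" "es-ES,es;q=0.9,en;q=0.8"
21:04:10 192.168.2.2 help.opera.com "Safari/419 (Macintosh)" "en-GB,en;q=0.9"
21:05:10 192.168.2.2 www.apple.com "Safari/419 (Macintosh)" "en-GB,en;q=0.9"
"""

LINE_RE = re.compile(r'^(\d\d:\d\d:\d\d) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

def parse_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, client, host, ua, lang = m.groups()
        records.append({"time": datetime.strptime(t, "%H:%M:%S"),
                        "client": client, "host": host, "ua": ua, "lang": lang})
    return records

def request_rates(records):
    """Requests per second per LAN client over that client's observed window (min 1 s)."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r["time"])
    return {c: len(ts) / max((max(ts) - min(ts)).total_seconds(), 1.0)
            for c, ts in by_client.items()}

def fast_clients(records, threshold=1.0):
    """Clients requesting faster than a person navigating could plausibly click."""
    return sorted(c for c, rate in request_rates(records).items() if rate > threshold)

def header_summary(records, client):
    """User-Agent and Accept-Language values one client sent, with counts."""
    mine = [r for r in records if r["client"] == client]
    return Counter(r["ua"] for r in mine), Counter(r["lang"] for r in mine)
```

On the sample, only 192.168.2.3 is flagged (six requests in three seconds), and its header summary shows the two Windows browser strings and the single Spanish Accept-Language, which is the pattern the post used to conclude the traffic came from a browser on someone else's machine rather than a local process.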

There are freely available, legal tools such as iStumbler for discovering wireless networks, but I’m not aware of any legal tools which will allow you to perform brute force attacks on encrypted networks. Is there any spyware out there sophisticated enough to hack local wireless networks, or would one of my neighbours have had to break into the network first, only to unwittingly provide net access to the spyware infesting his machine? More questions than answers.

No harm done, but I guess the lessons learned then are the following:

  • turn off AirPort and Internet Connection Sharing when not in use
  • change your WEP password regularly