Upgrade Attack

ID SAINT:5642F896443DFA6BE07D6F2D28F6C546
Type saint
Reporter SAINT Corporation
Modified 2013-09-30T00:00:00


Added: 09/30/2013


The LLMNR (Link-Local Multicast Name Resolution) protocol is used to answer WPAD requests sent by Microsoft Windows. A rogue WPAD server delivers a wpad.dat file to poisoned hosts, forcing them to proxy web requests through the SAINT server. In addition, HTTP requests are analyzed and matched against known insecure auto-update features. All HTTP-based requests for EXE files are replaced with the SAINT remote control client.


This tool only works against machines that have Automatic Proxy Configuration turned on (the default) and that run Microsoft Windows Vista or later.


WPAD should not be enabled if your organization does not use it. It can be turned off manually or through Group Policy.
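For monitoring, the LLMNR step described above can be spotted on the wire: on a network with no approved WPAD host, any LLMNR response that answers the name `wpad` deserves attention. The following is an added detection sketch, not part of the SAINT tool or this advisory. It assumes traffic on UDP port 5355 has already been captured as (source IP, payload) pairs and handles IPv4 A records only; the `allowed` set and all sample addresses are constructed for illustration.

```python
import socket
import struct

def parse_name(buf, off):
    """Decode a DNS-style name; return (lowercased name, next offset)."""
    labels = []
    while True:
        n = buf[off]                      # IndexError if truncated
        if n == 0:
            return ".".join(labels).lower(), off + 1
        if n & 0xC0:                      # compression pointer ends the name
            return ".".join(labels).lower(), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n

def wpad_responses(packets, allowed=frozenset()):
    """Return [(src_ip, answered_ipv4)] for LLMNR answers to 'wpad' from unapproved hosts."""
    hits = []
    for src, buf in packets:
        try:
            _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", buf, 0)
            if not flags & 0x8000 or qd != 1 or an == 0:
                continue                  # not a response carrying an answer
            qname, off = parse_name(buf, 12)
            if qname != "wpad" or src in allowed:
                continue
            _, off = parse_name(buf, off + 4)   # skip QTYPE/QCLASS, then owner name
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
            rdata = buf[off + 10:off + 10 + rdlen]
            is_a = rtype == 1 and len(rdata) == 4
            hits.append((src, socket.inet_ntoa(rdata) if is_a else None))
        except (struct.error, IndexError):
            continue                      # malformed packet, ignore
    return hits

# Constructed sample traffic (documentation addresses, not from the page).
def build_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
def build_response(txid, name, ip):
    question = build_name(name) + struct.pack("!HH", 1, 1)
    answer = build_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(ip)
    return struct.pack("!6H", txid, 0x8000, 1, 1, 0, 0) + question + answer

SAMPLE = [
    ("192.0.2.10", struct.pack("!6H", 7, 0, 1, 0, 0, 0) + build_name("wpad") + b"\x00\x01\x00\x01"),
    ("192.0.2.66", build_response(7, "WPAD", "192.0.2.66")),
    ("192.0.2.20", build_response(9, "fileserver", "192.0.2.20")),
    ("192.0.2.66", b"\x00\x01\x80"),      # truncated packet
]
print(wpad_responses(SAMPLE))
```

Each hit pairs the responding host with the address it advertised for `wpad`; a responder pointing the name at itself matches the rogue WPAD server behavior described above.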