Upgrade Attack

2013-09-30T00:00:00
ID SAINT:5642F896443DFA6BE07D6F2D28F6C546
Type saint
Reporter SAINT Corporation
Modified 2013-09-30T00:00:00

Description

Added: 09/30/2013

Background

The LLMNR (Local Link Multicast Name Resolution) protocol is used to answer wpad requests sent by Microsoft Windows. A rogue WPAD server delivers a wpad.dat file to poisoned hosts forcing them to proxy web requests through the SAINT server. In addition, HTTP requests are analyzed and matched against known insecure auto update features. All HTTP based requests for EXE files are replaced with the SAINT remote control client.

Limitations

This tool only works against machines configured with Automatic Proxy Configuration turned on (default) and on versions of Microsoft Windows Vista and later.

Resolution

WPAD should not be enabled if it is not something that is being used by your organization. It can be turned off manually or using group policy.