SSL stripping and detecting a possible malware infection
Hey folks, can someone with cyber security skills assist me with something?
I rented a bedroom where the wifi was managed by the landlord, and I believe he was SSL stripping everyone (my HTTPS certs were downgraded). He knows a lot of things he shouldn't. Is there anyone that can help me test if my Android or PC is compromised?
I moved out a few months ago; however, I am concerned he may have names and passwords to get into things like Discord, my bank account and the like.
3 Replies
Hey Bottles,
I will not go into too much detail about identifying SSL stripping or using a VPN to protect yourself from it because you have already moved. We will presume that you were the victim of SSL stripping, particularly since you are aware of it. We will also assume—though statistically unlikely—that your former landlord was a top-tier hoodie.
I would start by running a virus and malware detection scan on your devices using a reliable, up-to-date antivirus program. It may also be relevant to consider a fresh OS install if we want to assume that there might be specially crafted malware. This would almost certainly necessitate backups of anything important. Backups may be infected with any malware that is present, so keep this in mind when restoring.
If your goal is simply to find malware, I would begin by using a protocol analyzer, such as Wireshark, to search for any instances of beaconing—the malware's communication with the attacker's command and control server. Another option would be a DNS sinkhole with logging, but if this is a serious concern, I would probably just advise doing a fresh OS install.
The second important thing I would do is to start changing your login credentials. Social media, email, financial, and single sign-on accounts should all be prioritized. For these accounts in particular, I would advise using your strongest passwords—ideally even passphrases. The main concern with SSL stripping is that it most likely resulted in your data being viewed while it was in transit. I would wait to take this action until you have allayed fears that the OS is compromised.
Those were the first things that immediately sprang to mind. I am going to think about it more, and if I forget to think of anything, I am sure one of my colleagues will.
Thanks for the question. I enjoyed thinking it out.
I have used Avast Free to scan my PC. It seems okay, although it's alerting me that I shouldn't have files with personal details on them.
I have wireshark installed and can run the basic scan functions, do you have a tutorial I could follow to check for beaconing? I googled a few things but I am unsure if they are what you meant.
A steady, rhythmic communication back to a server is known as beaconing. You need to know what constitutes typical traffic to search for it effectively. It usually stands out because malware frequently beacons to gather commands from the command and control server. Although the protocols used can differ greatly, https traffic is typically used. This is among the simplest ways to get past a firewall.
I can locate some wireshark tutorials, and I can even recommend some entertaining gamified versions. I must stress that refreshing your operating system is likely the easier course. Although I cannot be positive, I do not genuinely believe it's likely that you have malware. That would have taken a great deal of skill to pull off, especially for something that an updated antivirus program missed.
I’d start here with learning about Wireshark:
https://tryhackme.com/room/wiresharkthebasics
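An added example (not from this thread or from TryHackMe) of what the "steady, rhythmic" pattern looks like once you have a list of outbound connections, such as a CSV exported from Wireshark's packet list: it groups connections by destination and flags hosts whose gaps between connections are nearly constant. The sample connection list, the destination addresses and the thresholds (at least 4 connections, jitter at most 15 percent of the mean interval) are all constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample rows (timestamp, destination) for outbound HTTPS
# connections; not real capture data. 198.51.100.23 is contacted about every
# 5 minutes, 93.184.216.34 irregularly, 203.0.113.7 only twice.
SAMPLE_CONNECTIONS = [
    ("2024-03-01 10:00:00", "198.51.100.23"),
    ("2024-03-01 10:00:12", "93.184.216.34"),
    ("2024-03-01 10:01:40", "93.184.216.34"),
    ("2024-03-01 10:03:00", "203.0.113.7"),
    ("2024-03-01 10:04:00", "203.0.113.7"),
    ("2024-03-01 10:05:01", "198.51.100.23"),
    ("2024-03-01 10:07:05", "93.184.216.34"),
    ("2024-03-01 10:07:30", "93.184.216.34"),
    ("2024-03-01 10:09:59", "198.51.100.23"),
    ("2024-03-01 10:15:00", "198.51.100.23"),
    ("2024-03-01 10:18:50", "93.184.216.34"),
    ("2024-03-01 10:20:02", "198.51.100.23"),
]


def parse_connections(rows):
    """Turn (timestamp string, destination) rows into (datetime, destination)."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst) for ts, dst in rows]


def beacon_candidates(rows, min_connections=4, max_jitter=0.15):
    """Return destinations whose inter-connection gaps are nearly constant.

    jitter = population std-dev of the gaps / mean gap; a low value means the
    host is being contacted on a fixed schedule, which is worth a closer look.
    """
    by_dst = defaultdict(list)
    for ts, dst in parse_connections(rows):
        by_dst[dst].append(ts)

    candidates = {}
    for dst, times in by_dst.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about a rhythm
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            candidates[dst] = {"count": len(times),
                               "interval_s": round(mean_gap, 1),
                               "jitter": round(jitter, 3)}
    return candidates
```

Anything it flags still needs checking against what you know is normal (update checks and chat clients also poll on a schedule), which is the point the reply makes about knowing your typical traffic first.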