A new form of malware that grabs the MAC address of the wireless router and looks it up in a bid to geo-locate its victim's machine more accurately has been discovered.
Most malware simply grabs the IP address of its target and checks it against GeoIP databases to determine the location. However, the new sample, analyzed by Xavier Mertens from the SANS Internet Storm Center, performs an additional query.
It first extracts the Basic Service Set Identifier or BSSID of the WiFi router that a user is connected to, and then queries it against a free BSSID-to-geo database to better determine the location of the victim's computer.
Cat and mouse
As per Mertens' analysis, the malware first used the icanhazip.com database to get the appropriate location based on the IP address. It then submits the BSSID to a free BSSID-to-geo service maintained by one Alexander Mylnikov.
According to Mylnikov, his database has over 34 million BSSIDs along with their last known geographical location. He also demonstrates on his website how the information retrieved from his database can be visualized on a map.
As Mertens notes in his analysis, malware operators want to determine the location of their victims to ensure they don’t infect computers in their own country, and also when they want to target victims in specific countries.
Relying solely on IP-to-Geo databases doesn’t always yield accurate results. However, when combined with the novel approach of querying BSSIDs, it will lead to far more accurate determination of the victim’s geographical location.
While this double-checking of a victim's location isn't widely adopted, according to the report, it might just be a matter of time.
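As an added defender-side example (not part of the ISC analysis or the original article), the following Python heuristic scans constructed proxy log lines for the two-step pattern described above: a host checks its public IP via icanhazip.com and shortly afterwards sends a MAC-formatted BSSID to an external host. The geolocation service hostname `bssid-geo.example` is a placeholder, since the article does not give the service's URL.

```python
import re
from datetime import datetime, timedelta

# Constructed proxy log lines: "<ISO timestamp> <client> <host> <path>".
# "bssid-geo.example" is a placeholder for the BSSID-to-geo service.
SAMPLE_LOG = """\
2020-12-01T10:00:01 10.0.0.5 icanhazip.com /
2020-12-01T10:00:03 10.0.0.5 bssid-geo.example /json/?bssid=00:11:22:33:44:55
2020-12-01T10:05:00 10.0.0.9 icanhazip.com /
2020-12-01T11:00:00 10.0.0.7 bssid-geo.example /json/?bssid=AA-BB-CC-DD-EE-FF
"""

# Public-IP echo services named in the report (extend with others in use).
IP_ECHO_HOSTS = {"icanhazip.com"}
# A MAC address (colon- or dash-separated) appearing in a request path/query.
BSSID_RE = re.compile(r"(?i)\b([0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b")
# How soon after the IP-echo request the BSSID lookup must occur to correlate.
WINDOW = timedelta(minutes=5)

def parse(line):
    """Split one constructed log line into (timestamp, client, host, path)."""
    ts, client, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, host.lower(), path

def find_geo_chains(log_text, window=WINDOW):
    """Return {client: (host, bssid)} for clients that hit an IP-echo service
    and, within `window`, sent a MAC-formatted BSSID to some external host.
    A BSSID lookup alone or an IP-echo alone is not flagged."""
    last_ip_echo = {}  # client -> time of most recent IP-echo request
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = parse(line)
        if host in IP_ECHO_HOSTS:
            last_ip_echo[client] = ts
            continue
        match = BSSID_RE.search(path)
        if match and client in last_ip_echo and ts - last_ip_echo[client] <= window:
            flagged[client] = (host, match.group(0))
    return flagged

if __name__ == "__main__":
    for client, (host, bssid) in find_geo_chains(SAMPLE_LOG).items():
        print(f"{client}: IP-echo followed by BSSID {bssid} sent to {host}")
```

Only 10.0.0.5 matches the full chain in the sample; the other two clients each perform just one half of the pattern.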