
I have already read those 3 topics about WPAD attacks but I'm still confused, so I'm here looking for a deeper explanation.

CONTEXT

I think a WPAD attack is happening in my home and I was not aware of what WPAD is until now. A svchost.exe process was connecting to some dubious IP (185, 38, 111, 1) through port 80 every 10 minutes. While going to wpad/wpad.dat in my browser I was receiving a blank page, and I tried to block that IP in my firewall. After that, every time I access wpad/wpad.dat my firewall blocks the connection because it's going to that IP. I did a factory reset on my router but the problem persisted. Searching about this situation, I found more people having the same problem with the same IP. One of those people said he dealt with it just by changing his router's DHCP Domain Name. I decided to try it and I changed mine (which was always "domain.name") to something random, like "sweet.candy".

I tested that suggestion for an entire day and, to my surprise, the problem suddenly stopped and that connection didn't appear anymore. Going to wpad/wpad.dat now, I'm receiving a message saying that my browser could not reach that address (which was, according to that person's suggestion, the desired outcome). However, after that, I read this Sophos article, which says we shouldn't make up domain names, so I reverted DHCP Domain Name back to "domain.name".

I already turned off "Automatically detect proxy settings" on my PC, but there is one PC in my network which was connecting to that malicious IP too, even with that option having always been off.

QUESTIONS

  1. Where is the wpad.dat file? Is it in the router or in my PC? Is there a way to edit it?
  2. If it is in the router, how is it possible that a factory reset didn't revert it to its normal state?
  3. Does changing the router's DHCP Domain Name just hide the attack or really solve it? And does changing it impose any risk?
  4. Are devices other than PCs, like smartphones, affected by this attack?
  5. It seems some people get rid of this attack after changing the router. Even if I do that, how can I protect the next router against this attack?
Mycroft

1 Answer


Looks like your router vendor decided to use a domain name (domain.name) which was never intended for this and which is controlled by a third party. There are reserved names for such a purpose (like domain.local would be fine) but they did not use them.

Since the local domain name is automatically added to any host lookup which is not using a fully qualified domain name, a WPAD lookup for wpad will result in looking up wpad.domain.name. This hostname does actually exist and was used in the past to serve a wpad.dat file, see Ongoing name collision incident and Is this an attack? or US-CERT warns of domain name collision.

Where is the wpad.dat file? Is it in the router or in my PC? Is there a way to edit it?

It is on the remote system wpad.domain.name. There is no way for you to edit it since you don't control this remote system.

Does changing the router's DHCP Domain Name just hide the attack or really solve it? And does changing it impose any risk?

Changing the router's domain name to something which is not controlled by some third party removes the problem. I.e. changing it to whatever.local is fine since the .local TLD is explicitly reserved for such a purpose and will not conflict with public domains like domain.name.

Are devices other than PCs, like smartphones, affected by this attack?

Yes, anything which uses the WPAD mechanism to find the proxy can be affected.

It seems some people get rid of this attack after changing the router. Even if I do that, how can I protect the next router against this attack?

Buy from a vendor who has a better understanding of security :( Routers are unfortunately often cheap devices in a competitive market, with vendors more interested in cutting costs. This often results in security issues. What you encounter is only one of many problems. There is a whole website dedicated to the topic of insecure routers.

Steffen Ullrich
  • Thank you a lot for your answer, Steffen! It was really good. If I understand it properly, this was not a vulnerability in my router, so I think I don't have to change the router, at least taking into account only this situation. Am I right? – Mycroft Jun 25 '21 at 22:58
  • 1
    @Mycroft: Correct, it should be sufficient to change the domain to not use a public name. That's at least to deal with this kind of problem, it can still be that your router has other problems though. – Steffen Ullrich Jun 26 '21 at 04:37
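The answer's core point is that an unqualified lookup for `wpad` gets the DHCP-supplied domain appended, so a router handing out `domain.name` sends every WPAD-enabled client to `wpad.domain.name`, a host nobody on the LAN controls. The following script is an added example (mine, not from the question, the answer, or any router vendor) that makes this concrete from a defender's side: it lists the hostnames a WPAD client will try for a given domain suffix, says whether that suffix is reserved for private use, and checks whether an address such a name resolved to is inside the LAN. It assumes the DNS-devolution walk described in the expired WPAD draft (try `wpad.<domain>`, then drop the leftmost label and retry, never querying the bare TLD) and treats `.home.arpa` (RFC 8375), `.local` (RFC 6762) and the RFC 2606 names as reserved; the function names are my own.

```python
"""Added example: which hostnames does WPAD try for a given DHCP domain name,
and is that suffix safe to use on a home LAN?

Assumptions (not from the page): devolution per the expired WPAD draft,
and the RESERVED_SUFFIXES list below as the set of private-use suffixes.
"""
import ipaddress

# Suffixes reserved for private or special use; WPAD names under them can
# never land on a public host. (.local is formally for mDNS, but it is
# what the answer above recommends and it cannot collide with a public domain.)
RESERVED_SUFFIXES = ("home.arpa", "local", "test", "example", "invalid", "localhost")


def _labels(domain):
    """Split 'Corp.Example.com.' into ['corp', 'example', 'com']."""
    return [l for l in domain.lower().strip(".").split(".") if l]


def wpad_candidates(domain):
    """Ordered hostnames a WPAD client looks up for a DHCP/DNS domain.

    The first name is what the resolver's search suffix produces; the rest
    come from dropping one leading label at a time, stopping before the
    bare TLD so wpad.<tld> is never queried.
    """
    labels = _labels(domain)
    if not labels:
        return []
    names = ["wpad." + ".".join(labels)]
    labels = labels[1:]
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def is_reserved(domain):
    """True if the domain sits under a suffix reserved for private use."""
    name = ".".join(_labels(domain))
    return any(name == s or name.endswith("." + s) for s in RESERVED_SUFFIXES)


def classify(domain):
    """'empty' (no WPAD lookup), 'reserved' (safe) or 'unreserved'.

    'unreserved' covers both names someone else already owns (domain.name)
    and made-up names (sweet.candy) that a registry could hand out later.
    """
    if not wpad_candidates(domain):
        return "empty"
    return "reserved" if is_reserved(domain) else "unreserved"


def address_is_local(ip):
    """A wpad host found via DHCP domain should be on the LAN, not the internet."""
    return ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    # Constructed inputs: the two names from the question plus two alternatives.
    for d in ("domain.name", "sweet.candy", "whatever.local", "corp.example.com"):
        print(f"{d:18} {classify(d):10} {wpad_candidates(d)}")
    # The address from the question (185.38.111.1) is not a LAN address.
    print("185.38.111.1 local?", address_is_local("185.38.111.1"))
```

Run it with the domain your router hands out: a result of `unreserved` means the first candidate name is one some other party can own, which is exactly how a factory reset could leave the "attack" in place, since the router restores the same public suffix. A quick follow-up on any affected machine is to resolve that first candidate and feed the result to `address_is_local`; a public address means the proxy script is being fetched from outside your network.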