A day in security’s life: “Pardon me, sir, but the wireless is knocking!”

Recently, a number of individuals have reported “portscan” detections from their University-provided Symantec antivirus programs. This largely seemed to come from individuals on the wireless network, and they looked quite alarming! Were computers being attacked?

This screenshot from Symantec Log, depicts what some University community members are seeing.

A port can be thought of as a special service that listens for connections from other computers or programs. Most modern computers have some number of ports open because they’re connected to the internet, downloading email, browsing websites, or listening to Spotify. Each port has a number from 0 to 65535, with some numbers on the lower end of the scale being reserved by convention for special services like email or remote desktop access. Not every port has to be listening for a connection – also called being “open” – at all times.

A port scan can thus be thought of as another computer asking lots of questions of your own computer: “Hey, is port 20 open? Hey, is port 21 open? Hey, is port 22 open?” and so on. It is considered to be shady behavior and can be a sign of malicious activity, like a virus or someone preparing to attack another computer. But port scans can turn up in other, less shady places, like applications that look for printers or certain types of legitimate programs for research. So how does the security team find out what this wave of complaints was about?

Like any good University of Chicago team, we knew research was the answer. We began to ask individuals who reported this behavior about their computers and collect anonymized network data. Trends emerged, but not the ones we expected: our port scanning computers were almost all Macs! Furthermore, the activity we saw from these Macs was quite thorough, from lower numbered ports to higher ones that didn’t seem to make much sense. Given the number of Macs exhibiting this behavior, we were reasonably certain that this wasn’t malicious. The behavior was too automated, too reliable, and very similar. We captured lists of what was being scanned and tried to match it to known programs but weren’t having much luck. Even worse, the reports seemed random, as if time of day didn’t matter at all. It had to be a program on the Macs, as the Apple operating system doesn’t do this by default, and also one that the University doesn’t provide.

Our major breakthrough came from sharing information with peers. One of them actually got their hands on a computer with this behavior and found Avast antivirus installed, using a feature known as the Wi-Fi Inspector. It turns out this antivirus program will scan any wireless network it’s on in the name of security, which in turn caused the University-issued Symantec antivirus program to issue alerts! The Information Security team recommends turning this feature off.

In the end, we found a lot of noise being generated by a legitimate program. The University’s network is an open one, first and foremost, so investigating suspicious behavior is a priority for our team. We never know what will be out there – and in this case, we learned an interesting lesson about how certain antivirus programs behave.