This trojan uses WinPcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing attacks. To accomplish this, it uses a few tools such as "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious HTML code into data packets returned from the server.
Characteristics -
This trojan uses WinPcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing and man-in-the-middle attacks. To accomplish this, it uses a few tools such as "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious HTML code into HTTP response packets returned from the server, and can also sniff passwords from the network.
(WinPcap is a popular tool that is often used in legitimate network monitoring.)
Upon installation, this trojan drops the legitimate packet filter libraries listed below into %SYSTEMDIR% and %WINDIR%\inf.
%WINDIR%\inf\netnm.pnf ( 14736 bytes )
%WINDIR%\inf\netrasa.pnf ( 23504 bytes )
%SYSTEMDIR%\wpcap.dll ( 221184 bytes )
%SYSTEMDIR%\netmoninstaller.exe ( 6656 bytes )
%SYSTEMDIR%\wanpacket.dll ( 61440 bytes )
%SYSTEMDIR%\drivers\npf.sys ( 32000 bytes )
%SYSTEMDIR%\pthreadvc.dll ( 53299 bytes )
%SYSTEMDIR%\rpcapd.exe ( 86016 bytes )
%SYSTEMDIR%\packet.dll ( 81920 bytes )
%SYSTEMDIR%\daemon_mgm.exe ( 49152 bytes )
%SYSTEMDIR%\npf_mgm.exe ( 49152 bytes )
The following tools are dropped in the same directory from which the trojan executes.
wpc.dll - Winpcap_3_1_beta4 Dos Installer - Installs the packet filtering libraries.
cmd.dll - zxarps Build 01/17/2007 By LZX. - Tool used to carry out the DNS spoofing attack.
The following is the list of options that can be issued to this tool:
options:
-idx [index]
-ip [ip]
-sethost [ip]
-port [port]
-reset
-hostname
-logfilter [string]
-save_a [filename]
-save_h [filename]
-hacksite [ip]
-insert [html code]
-postfix [string]
-hackURL [url]
-filename [name]
-hackdns [string]
-Interval [ms]
-spoofmode [1|2|3]
-speed [kb]
Many registry keys are created upon installation of the trojan, most of them related to the WinPcap installation. The registry keys unique to this trojan are listed below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\CMD\DEBUG\Trace Level: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation\DisplayParams
The registry value responsible for restarting the trojan on reboot is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InternetEx
Symptoms -
Presence of the aforementioned files and registry keys.
Unusual network activity in the form of ARP requests and replies on the local network segment.
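As an added illustration of the ARP symptom above (example code, not part of the original AVERT description), the following Python detector flags two patterns that ARP spoofing tools such as zxarps produce on a segment: an IP address whose MAC mapping changes, and a single host emitting an unusual number of ARP replies. The ARP records, addresses and threshold are constructed samples.

```python
from collections import Counter, defaultdict

# Constructed sample ARP records: (sender_ip, sender_mac, opcode).
# opcode 1 = ARP request, 2 = ARP reply.  Not captured from a real network.
SAMPLE_ARP = [
    ("192.168.1.1", "00:11:22:33:44:01", 2),   # gateway answers normally
    ("192.168.1.10", "00:11:22:33:44:10", 1),  # ordinary request from a client
    ("192.168.1.1", "00:11:22:33:44:99", 2),   # gateway IP now claimed by another MAC
    ("192.168.1.20", "00:11:22:33:44:99", 2),  # same MAC answering for other hosts
    ("192.168.1.1", "00:11:22:33:44:99", 2),
    ("192.168.1.30", "00:11:22:33:44:99", 2),
    ("192.168.1.40", "00:11:22:33:44:99", 2),
]


def detect_arp_spoofing(records, reply_threshold=3):
    """Return (ip_conflicts, noisy_macs).

    ip_conflicts maps an IP to the set of MACs that claimed it (more than one
    claimant means the IP-to-MAC binding changed, a classic poisoning sign).
    noisy_macs lists MACs that sent more than reply_threshold ARP replies,
    which is how a spoofing tool keeps victim caches poisoned.
    """
    claims = defaultdict(set)
    replies = Counter()
    for ip, mac, opcode in records:
        mac = mac.lower()
        claims[ip].add(mac)
        if opcode == 2:
            replies[mac] += 1
    ip_conflicts = {ip: macs for ip, macs in claims.items() if len(macs) > 1}
    noisy_macs = sorted(m for m, n in replies.items() if n > reply_threshold)
    return ip_conflicts, noisy_macs


if __name__ == "__main__":
    conflicts, noisy = detect_arp_spoofing(SAMPLE_ARP)
    for ip, macs in conflicts.items():
        print(f"IP {ip} claimed by multiple MACs: {sorted(macs)}")
    for mac in noisy:
        print(f"MAC {mac} sent an unusual number of ARP replies")
```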
Method of Infection -
Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal -
AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.
Additional Windows ME/XP removal considerations