Members
  • Total Members: 12811
  • Latest: nodrog
Stats
  • Total Posts: 28507
  • Total Topics: 8238
  • Online Today: 852
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)












Author Topic: NetSniff  (Read 2046 times)

0 Members and 1 Guest are viewing this topic.

Amker

  • SCF Global Moderator
  • *****
  • Posts: 1081
  • KARMA: 22
  • Gender: Male
    • SCforum.info
NetSniff
« on: 16. June 2007., 15:18:51 »
This trojan uses winpcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing attacks. For accomplishing this, it uses few tools like "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious html code into data packets returned from server.
Characteristics -


This trojan uses winpcap drivers to monitor and capture network traffic and to carry out IP and DNS spoofing and man-in-the-middle attacks. For accomplishing this, it uses few tools like "Winpcap_3_1_beta4 Dos Installer" and "zxarps". It can potentially insert malicious html code into HTTP response packets returned from server; as well as sniffing passwords from the network.

(Winpcap is a popular tool that is often used in legitimate network monitoring.)

Upon installation this trojan installs legitimate packet filter libraries in %sysdir%.
%WINDIR%\inf\netnm.pnf ( 14736 bytes )
%WINDIR%\inf\netrasa.pnf ( 23504 bytes )
%SYSTEMDIR%\wpcap.dll ( 221184 bytes )
%SYSTEMDIR%\netmoninstaller.exe ( 6656 bytes )
%SYSTEMDIR%\wanpacket.dll ( 61440 bytes )
%SYSTEMDIR%\drivers\npf.sys ( 32000 bytes )
%SYSTEMDIR%\pthreadvc.dll ( 53299 bytes )
%SYSTEMDIR%\rpcapd.exe ( 86016 bytes )
%SYSTEMDIR%\packet.dll ( 81920 bytes )
%SYSTEMDIR%\daemon_mgm.exe ( 49152 bytes )
%SYSTEMDIR%\npf_mgm.exe ( 49152 bytes )

Following tools are dropped in the same directory from which the trojan executes.
wpc.dll - Winpcap_3_1_beta4 Dos Installer - Installs packet filtering libraries.
cmd.dll - zxarps Build 01/17/2007 By LZX. - Tool to carry out DNS Spoofing Attack.

Following is the list of commands than can be issued by this tool
options:
    -idx [index]
    -ip [ip]
    -sethost [ip]
    -port [port]
    -reset
    -hostname
    -logfilter [string]
    -save_a [filename]
    -save_h [filename]
    -hacksite [ip]
    -insert [html code
    -postfix [string]
    -hackURL [url]
    -filename [name]
    -hackdns [string]
    -Interval [ms]
    -spoofmode [1|2|3]
    -speed [kb]

There are many registries created upon installation of the trojan, most of them are related to WinPCap installation. Registries unique to this trojan are mentioned below.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\CMD\DEBUG\Trace Level: ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MS-DOS Emulation\DisplayParams

Registry responsible for restarting the trojan on reboot is
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InternetEx

 

 
Symptoms -

Presence of aforementioned files and registry keys.
Unusual network activity of ARP requests.

 
Method of Infection -

Trojans do not self-replicate. They spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or un-patched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroups postings, etc.
Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

McAfee
# Online Anti-Malware Scanners: http://scforum.info/index.php/topic,734.0.html

Samker's Computer Forum - SCforum.info

NetSniff
« on: 16. June 2007., 15:18:51 »




 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising