finding packets

[kurokage]

Okay, I have a question. Say you suspect a computer to have a trojan installed on it and that trojan installed a packet sniffer on said computer to sniff your network. This packet sniffer causes the computer to save all the packets, right? Is there any way to locate the packets on the computer? How about detection of the packet sniffer itself, since it isn't considered spyware?

I'm not worried about the trojan, I think I know how to get rid of it. My question more pertains to the packet sniffer. Does it save the packets on the infected computer? If so, can someone down the line access those packets and see the passwords and browsing information the packet sniffer obtained? I'm just kind of paranoid.

[nihil]

Hi,

How about detection of the packet sniffer itself, since it isn't considered spyware?

Get the latest versions of A-Squared and Ewido. Update them and run them in safe mode

Be sure to check all 4 boxes in the A-Suared scan settings. I particular "riskware" and "unknown malware" but be careful, you may get false positives with aggressive heuristic scans.

"Riskware will show up stuff like John the Ripper, nmap and so on that are not malware unless you didn't install them yourself

[dmorgan]

Most sniffer/keyloggers etc... store the logs on a local file until it either
a) reaches a certain size or
b) certain amount of time has passed.
(there may be other triggers, too. Like visiting citibank.com)
It really depends on what was put there, and where that particular packet sniffer hides its data, and keep in mind, the data could be encrypted.

Correct me if I'm wrong, but dont must packet sniffers operate at the physical layer ?

[kurokage]

Wait, so they aren't stored on the infected computer? Or they are automatically deleted? I'm confused. Btw, what exactly is a "local file?"

[preacherman481]

Hi,

Wait, so they aren't stored on the infected computer? Or they are automatically deleted? I'm confused. Btw, what exactly is a "local file?"

Actually, that's what dmorgan is telling you. The files are stored on the "infected" computer until one of the things dmorgan notes takes place (I'm not an expert on this. I'm just trying to clarify what I think you are being told). A "local file" is a file on the target computer (what you are calling the "infected" computer).

Local file: file on a computer you are using.
remote file: file on another computer.

If a person installs a packet sniffer with a log file on your computer, the log file would be a "remote file" to him/her but a "local file" to you. Make sense?

[kurokage]

okay... so they are saved and then deleted, I take it. So you can't find the packets? I'm still slightly confused........

[preacherman481]

Just curious, are you asking these questions because you think you have a sniffer installed? Or are you just asking hypothetical questions for your own information?

If you think you do have a sniffer installed, what Operating System are you using?

f so, can someone down the line access those packets and see the passwords and browsing information the packet sniffer obtained? I'm just kind of paranoid.

To answer this question: Yes. Otherwise, it would be kind of useless to install a packet sniffer

[kurokage]

I think that there may be one installed, but that might just be paranoia. I'm asking so that I can find out for certain. I also am really paranoid and don't want the user of the infected computer to be able to acess passwords and browsing history of the other computers on the network, so I want to make sure there are no packets stored on the computer.

[preacherman481]

What operating system is the possibly infected computer using?

[kurokage]

XP. By the way, thanks for all your help.