
Thread: finding packets

  1. #11
    brokencrow (Dissident 4dm1n) | Join Date: Feb 2004 | Location: Shawnee country | Posts: 1,243
    Just do a search for all the files that have changed in the last day. You'll have a long list, but your packet file will be in there.

    Can't say I ever heard of a sniffer trojan...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  2. #12
    Member | Join Date: Sep 2005 | Posts: 77
    I agree with Brokencrow in that I haven't heard of a trojan with packet sniffing capabilities.
    Maybe Kurokage means keylogger instead of sniffer?

    Regardless, the idea of incorporating a network packet sniffer into a trojan is an interesting idea.
    A way to expand the trojan's snooping capabilities beyond the local machine to a network segment (assuming the machine is on a network).

    Imagine if the trojan incorporated something similar to EffeTech's PassDetect - Ace Password Sniffer
    (Currently Ace Password Sniffer can monitor and capture passwords through FTP, POP3, HTTP, SMTP, Telnet, including some web mail password.)

    Granted, the trojan would be pretty large, unless it was configured to pull additional modules from a remote location.... food for thought.
    %42%75%75%75%75%72%70%21%00

  3. #13
    Senior Member | Join Date: Feb 2002 | Posts: 855
    I agree with Brokencrow in that I haven't heard of a trojan with packet sniffing capabilities.
    Maybe Kurokage means keylogger instead of sniffer?
    Hi, if a cracker has had access through a trojan, wouldn't that allow them to install a sniffer?

    Kurokage:
    A packet sniffer being used to sniff a network will put a computer's network card into what is called "promiscuous mode." Here is a freeware tool whose author claims it can detect if a Windows computer's NIC (Network Interface Card) is running in promiscuous mode. http://www.ntsecurity.nu/toolbox/promiscdetect/ But don't rely on this alone. There are other ways/tools for detecting sniffers. Try a Google search for "detecting packet sniffers" for other tools and articles that will educate you on the topic.

    You might just want to try the tools that Nihil mentioned first (if you haven't). If you do have a trojan installed, the best course might be to not worry about the sniffer. Just go ahead and reinstall your OS. If a computer has been trojaned it would be best not to trust that installation. As far as what kinds of files might be safe to salvage from your old installation, someone else will need to advise you on that. And, if you suspect that this computer is trojaned, you have already isolated it from the rest of your network (haven't you)? See this thread.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)
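    The PromiscDetect tool linked above queries the Windows NIC driver; as an added example (not from the thread or from that tool), here is the same check done on Linux, where the kernel exposes the IFF_PROMISC flag in sysfs and in `ip link` output. The sysfs path, the 0x100 bit value and the sample `ip -o link` lines are assumptions/constructed, not taken from the thread.

```python
import os
import re

# Linux IFF_PROMISC bit as exposed in /sys/class/net/<iface>/flags (assumption: Linux sysfs layout).
IFF_PROMISC = 0x100


def promisc_from_sysfs_flags(flags_text):
    """True if the hex flags word read from sysfs has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


# "3: eth1@if5: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..." -> name, flag list
IP_LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^<]*<([^>]*)>")


def promisc_from_ip_link(output):
    """Names of interfaces whose `ip -o link show` line carries the PROMISC flag."""
    found = []
    for line in output.splitlines():
        m = IP_LINK_RE.match(line.strip())
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def scan_sysfs(root="/sys/class/net"):
    """Walk a sysfs net directory and return the interfaces currently in promiscuous mode."""
    hits = []
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                if promisc_from_sysfs_flags(fh.read()):
                    hits.append(iface)
        except OSError:
            continue  # not every entry (e.g. bonding_masters) has a flags file
    return hits


# Constructed sample output (not captured from a real host): only eth1 is promiscuous.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
"""

if __name__ == "__main__":
    print("promisc (sample ip link):", promisc_from_ip_link(SAMPLE_IP_LINK))
    if os.path.isdir("/sys/class/net"):
        print("promisc (this host):", scan_sysfs())
```

    As the post says, don't rely on this alone: a rootkit that can hide a process can also lie about interface flags, so the check is only meaningful when run from a trusted environment.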

  4. #14
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    I agree with Brokencrow in that I haven't heard of a trojan with packet sniffing capabilities.
    Maybe Kurokage means keylogger instead of sniffer?
    How long have you guys been in the security sector? Rootkits anyone?

    Indeed trojans can and have been observed with sniffing capabilities, both manual and automatic.

    That said, you can expect a trojan with sniffing capabilities to operate similarly to a keylogging tool with the exception of the NIC operating in promiscuous mode (sniffer).
    1) It will collect data.
    2) It will save it locally awaiting retrieval from the attacker or it will auto send the contents based on some pre-defined logic.
    3) If the attacker is smart, the local file will be destroyed after the above has happened.

    So the answer to your question is, "it depends".

    Now, one thing has to happen in order for any of this to work. Your host has to either accept or initiate connections. I would start by identifying ways to monitor unusual processes and/or connections. This sounds simple but is fairly involved. Don't forget to monitor HTTP, HTTPS and your e-mail protocols, as these channels provide plenty of white noise for attackers to ship out the goods without you noticing.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #15
    Senior Member | Join Date: Feb 2002 | Posts: 855
    Don't forget to monitor HTTP, HTTPS and your e-mail protocols, as these channels provide plenty of white noise for attackers to ship out the goods without you noticing.
    Wouldn't netstat be a good way to do this?
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)

  6. #16
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    It would if you have assurance that you're not running a trojaned version of the tool. Some advanced attackers replace vital system tools with their own version, which of course masks their processes. The limitation with this tool is that it's not realtime. I like to use tools such as TCPView, which provides realtime views of the system.

    If I suspect a rooted host, I use a trusted forensic toolkit for analysis. I *never* trust tools on the suspect host.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
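    Two points from #14 and #16 above, as an added example that is not part of the thread: watch the "white noise" channels (web and mail ports) for connections from processes that have no business there, and never take the suspect host's netstat at face value but compare it against a view the rootkit cannot edit. The `netstat -ano` sample, the sensor-side session list, the IP addresses and the PIDs are all constructed for the example.

```python
# Ports thehorse13 calls "white noise": web and mail channels an exfil tool can blend into.
NOISY_PORTS = {80, 443, 25, 110, 143, 465, 587, 993, 995}


def parse_netstat(text):
    """Parse Windows `netstat -ano` output into {(proto, local, remote): pid},
    keeping only ESTABLISHED TCP sessions (listeners and UDP are skipped)."""
    conns = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[3] == "ESTABLISHED":
            conns[(parts[0], parts[1], parts[2])] = int(parts[4])
    return conns


def remote_port(remote):
    """'203.0.113.7:443' -> 443 (IPv4 only; bracketed IPv6 would need extra handling)."""
    return int(remote.rsplit(":", 1)[1])


def hidden_connections(host_view, sensor_view):
    """Sessions a network-side sensor saw that the host's own netstat did not report.
    A rootkit hooking the enumeration API leaves exactly this gap."""
    return sorted(set(sensor_view) - set(host_view))


def noisy_outbound(host_view, allowed_pids=frozenset()):
    """Established sessions to web/mail ports from PIDs not on the allowlist."""
    return sorted((conn, pid) for conn, pid in host_view.items()
                  if remote_port(conn[2]) in NOISY_PORTS and pid not in allowed_pids)


# Constructed sample (not from a real host): what the suspect host's netstat printed ...
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1034      10.0.0.5:445           ESTABLISHED     4
  TCP    192.168.1.10:1041      203.0.113.7:443        ESTABLISHED     1344
  TCP    192.168.1.10:1050      198.51.100.9:25        ESTABLISHED     2212
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:500            *:*                                    912
"""
# ... and the same host's TCP sessions as seen from a span port / off-host capture (no PIDs).
SENSOR_VIEW = [
    ("TCP", "192.168.1.10:1034", "10.0.0.5:445"),
    ("TCP", "192.168.1.10:1041", "203.0.113.7:443"),
    ("TCP", "192.168.1.10:1050", "198.51.100.9:25"),
    ("TCP", "192.168.1.10:1066", "203.0.113.44:443"),
]
BROWSER_PID = 1344  # constructed: the user's browser, expected to talk to port 443

if __name__ == "__main__":
    host = parse_netstat(HOST_NETSTAT)
    print("hidden from netstat:", hidden_connections(host, SENSOR_VIEW))
    print("review (web/mail ports):", noisy_outbound(host, {BROWSER_PID}))
```

    The session to 203.0.113.44:443 appears only in the sensor view, which is the signal that the host's tooling is lying; the port-25 session from PID 2212 is the kind of thing to pull up in TCPView or an off-host toolkit before trusting it.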

  7. #17
    phishphreek (AO übergeek) | Join Date: Jan 2002 | Posts: 4,325
    Originally posted here by preacherman481
    Wouldn't netstat be a good way to do this?
    Maybe, maybe not. It depends on the attack. You have to assume that you don't have a clean system. You can't trust your binaries or APIs. If there is a rootkit... its job is to hide itself.

    You have to use forensic toolkits with binaries you can trust.

    There are plenty of toolkits out there. You can use toolkits live before you take it offline for further analysis, as there may be important data in memory that can be lost when you power off.

    Check out some of the following links for more info on toolkits.

    http://www.forensics.nl/toolkits

    I like the live cds that will run while the system is up, and then you can reboot to the live cd for further analysis. Helix has been my favorite forensics boot cd thus far.

    http://www.e-fense.com/helix/index.php

    Mind you, I'm no forensics expert. I just know a bit here and there from books I've read or tools I've played with.

    Incident Response is one of the books I have. Though, I only have the first edition...
    http://www.amazon.com/gp/product/007...Fencoding=UTF8
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #18
    Member | Join Date: Sep 2005 | Posts: 77
    Hi, if a cracker has had access through a trojan, wouldn't that allow them to install a sniffer?
    Of course... they could install virtually anything themselves. I was referring to something a little more automated though. Maybe even wormlike in autonomous terms

    How long have you guys been in the security sector? Rootkits anyone?
    Let me clarify my comment a tad....I was stating that I had not seen a trojan (in the classic sense) that had a built-in network sniffer. That did appear to be what Kurokage was referring to originally in this thread and not rootkits. I could be mistaken. *shrugs*
    You don't have to explain that once a backdoor has been established (and assuming the attacker has half a clue) that anything can be installed on that machine, including rootkits.

    And to answer your question as to how long I have been in the security sector, the answer would be "Not long enough" or "not nearly as long as you" ; )
    But I am in for the long haul.... thanks for asking.
    %42%75%75%75%75%72%70%21%00

  9. #19
    thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    And to answer your question as to how long I have been in the security sector, the answer would be "Not long enough" or "not nearly as long as you" ; )
    But I am in for the long haul.... thanks for asking.
    Actually, I just read my post and just to clarify, I wasn't attempting to be a wise guy as it may appear by the wording.

    I was referring to something a little more automated though. Maybe even wormlike in autonomous terms
    There are dozens of documented worms that do this. Maybe hundreds by now. Depending upon where you go, they *may* be classified as "system monitors".

    The industry lacks a good framework for naming and classifying these things. This of course causes a lot of issues amongst the nerd community.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #20
    Member | Join Date: Sep 2005 | Posts: 77
    The industry lacks a good framework for naming and classifying these things. This of course causes a lot of issues amongst the nerd community.
    Agreed, in fact, there was an absurdly long thread not too long ago disputing the difference between a RAT and a trojan. Lots of different opinions and definitions.

    When Kurokage mentioned there might be a trojan on the system and that he/she could handle/get rid of it, thoughts of classic trojans like netbus, sub7, B.O. came to mind. Considering Kurokage has stated (in his/her profile) that he/she isn't very computer literate, I don't surmise that he/she would know how to get rid of a rootkit if indeed one was on the system.


    TH - you mentioned you *never* trust tools on the suspected host... and I understand that if a rootkit was installed it can intercept system calls and other processes, so the application or tool running may return false results. What are your opinions of programs like Sysinternals' RootkitRevealer and F-Secure's Blacklight? Or should that question be saved for a separate thread?
    %42%75%75%75%75%72%70%21%00
