Re: Can trojan bypass sniffer?
From: Mark (noemail@noemail.com)
Date: 12/01/02
- Next message: David: "Re: Recommends for Win2k Server firewall."
- Previous message: David: "Re: Port 119 blocked at work and I want it opened"
- In reply to: Matthew Murphy: "Re: Can trojan bypass sniffer?"
- Next in thread: UNIX Dude: "Re: Can trojan bypass sniffer?"
- Reply: UNIX Dude: "Re: Can trojan bypass sniffer?"
- Reply: Matthew Murphy: "Re: Can trojan bypass sniffer?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Mark" <noemail@noemail.com> Date: Sun, 1 Dec 2002 11:56:09 -0800
> TCP stack evasion doesn't work for a good sniffer, because sniffers don't
> sniff the TCP stack, they sniff the actual traffic at the level of the
> network adapter. Therefore, going directly to the adapter simply makes the
> sniffer's job easier. :-)
>
How about dial-up modem internet on W2K? Where does the sniffer hook up there? Also,
there are some viruses that replace the tcp/ip library with their own, and the virus
is in the tcp/ip library - simply cloning regular communication and sending it
to some address. What is the method to detect that reliably?
( from
http://securityresponse.symantec.com/avcenter/venc/data/fix.happy99.worm.html :
Happy99.Worm modifies WSOCK32.DLL to hook the mail-sending and newsgroup
article-posting routines. )
My concern is real - I had a virus on a win nt4 dial-up modem box (the guys that
sent it to me - coworkers - were telling me reliably for days which web pages I
visited the day before at home), antivirus (norton) didn't say anything, which
is ok since the guys are programmers - they made their own; I was unable to see
anything in zonealarm (ok, it can be a smart one - hooks into some process, like
IE), and I tried to sniff it with blackice. Several hours of sniffing - but I
can not see anything in the log. Maybe it is periodically activated, or too low? I
want to be sure that I am logging all traffic.
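An added example, not part of the thread, of the detection method Mark asks about for a patched WSOCK32.DLL: hash the Winsock libraries once from a known-clean boot, then re-verify them against that baseline. The inclusion of WS2_32.DLL, the function names and the constructed demo directory are my assumptions, not something the post states.

```python
import hashlib
import tempfile
from pathlib import Path

# WSOCK32.DLL is the library the post names (Happy99 patches it); WS2_32.DLL
# is an assumed addition, since a hook could live in either Winsock DLL.
WINSOCK_LIBS = ["WSOCK32.DLL", "WS2_32.DLL"]


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir: Path, names=WINSOCK_LIBS) -> dict:
    """Record hash and size of each library. Take the baseline while booted
    from clean media: a hooked file API on the infected OS could lie."""
    baseline = {}
    for name in names:
        p = system_dir / name
        if p.is_file():
            baseline[name] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def verify_baseline(system_dir: Path, baseline: dict) -> dict:
    """Compare live files to the baseline; report modified/missing/unchanged."""
    report = {"modified": [], "missing": [], "unchanged": []}
    for name, expected in baseline.items():
        p = system_dir / name
        if not p.is_file():
            report["missing"].append(name)
        elif sha256_file(p) != expected["sha256"]:
            report["modified"].append(name)
        else:
            report["unchanged"].append(name)
    return report


def make_demo_dir() -> Path:
    """Constructed stand-in for %SystemRoot%\\System32 with fake DLL contents."""
    d = Path(tempfile.mkdtemp(prefix="winsock_demo_"))
    (d / "WSOCK32.DLL").write_bytes(b"constructed original wsock32 bytes")
    (d / "WS2_32.DLL").write_bytes(b"constructed original ws2_32 bytes")
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    base = build_baseline(demo)
    (demo / "WSOCK32.DLL").write_bytes(b"constructed patched wsock32 bytes")
    print(verify_baseline(demo, base))
```

On a real box the baseline should be stored off the machine (floppy or another host), since malware that patches the DLL can just as easily patch a file of expected hashes left beside it.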