Re: Can trojan bypass sniffer?

From: Don Kelloway (dkelloway@commodon.com)
Date: 12/02/02


From: "Don Kelloway" <dkelloway@commodon.com>
Date: Mon, 02 Dec 2002 06:38:04 GMT

Unless configured otherwise via a ruleset/filter within the application
itself, a sniffer is designed to capture ALL traffic originating from within
the same system. The keywords in this statement are "unless configured
otherwise". In other words, if the sniffer has been configured to only
capture traffic of a certain protocol and the trojan in question is designed
to utilize a protocol that the sniffer hasn't been configured to capture,
then the trojan's traffic will go unnoticed.

--
Best Regards,
Don Kelloway
Commodon Communications
Visit http://www.commodon.com to learn about Back Orifice, NetBus, SubSeven,
etc.  All of which are "Threats to Your Security on the Internet".
"Mark" <noemail@noemail.com> wrote in message
news:uuhtf79lce7c79@corp.supernews.com...
> By now we all know that there are techniques to bypass personal firewall
> (http://www.pcflank.com/art21.htm ). What is the situation with sniffers -
> network monitoring programs running on the same machine? Q1) Would they
> ALWAYS log traffic in and out of pc?
>
> Q2) For example, if I am running sniffer (let's say CommView or use BlackIce
> to log traffic ) on the same machine, and suspect that I have Trojan with
> emailing ability on my system, is it sufficient to just examine captured
> frames for emails (smtp/pop3 traffic) to make sure that I do not have
> Trojan?
>
>  Q3) Question becomes where exactly typical sniffer hooks on network stack,
> and can Trojan bypass it (for example Trojan could have its own tcp-socket
> library ).
>
>  Q4) Are there other methods except emails that Trojans use to deliver for
> example logged keystrokes, and what are they - how to recognize them with
>  sniffer?
>
>  There are sniffers that capture and decode emails - that  means already
> filter traffic during capture and decode it
> (http://www.zoranjuric.com/mailexposer/ ). Q5) If we assume that dominant
> method used by key loggers is to send emails with logs, could such programs
> be used for emailing-keylogger Trojan detection and how reliable would that
> be?
>
>  Mark
>
>
>
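The point Don makes above, that a capture filter decides what the sniffer ever records, is easy to see with a small simulation. This is an added example, not code from the thread; the packet records, the `mail_capture_filter` and the `ALLOWED` policy are all constructed for illustration, and the two non-mail flows stand in for whatever protocol a trojan might use instead of SMTP/POP3.

```python
"""Capture-time filter versus analysis-time filter (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    info: str


# Constructed traffic from one host. The last two flows are not mail,
# so a sniffer set to capture only SMTP/POP3 never records them.
SAMPLE = [
    Packet("tcp", "10.0.0.5", "192.0.2.10", 25, "SMTP MAIL FROM:<user@example.com>"),
    Packet("tcp", "10.0.0.5", "192.0.2.10", 110, "POP3 USER user"),
    Packet("tcp", "10.0.0.5", "198.51.100.7", 443, "TLS client hello"),
    Packet("udp", "10.0.0.5", "198.51.100.53", 53, "DNS query"),
]

MAIL_PORTS = {25, 110}
# Protocols/ports the analyst expects this host to use (hypothetical policy).
ALLOWED = {("tcp", 25), ("tcp", 110)}


def mail_capture_filter(pkt):
    """Mimics a sniffer configured to capture only SMTP/POP3 traffic."""
    return pkt.proto == "tcp" and pkt.dport in MAIL_PORTS


def capture(packets, capture_filter=None):
    """Capture stage: anything the filter rejects is gone for good."""
    return [p for p in packets if capture_filter is None or capture_filter(p)]


def flows_outside_policy(captured, allowed):
    """Analysis stage: flag flows matching no expected (proto, port) pair.
    It can only flag what the capture stage kept."""
    return [p for p in captured if (p.proto, p.dport) not in allowed]


def compare():
    """Same traffic, same policy check, with and without a capture filter."""
    filtered, full = capture(SAMPLE, mail_capture_filter), capture(SAMPLE)
    return {
        "kept_by_mail_filter": len(filtered),
        "dropped_by_mail_filter": len(full) - len(filtered),
        "flagged_with_mail_filter": len(flows_outside_policy(filtered, ALLOWED)),
        "flagged_with_full_capture": len(flows_outside_policy(full, ALLOWED)),
    }


if __name__ == "__main__":
    print(compare())
```

The defender's takeaway is to capture unfiltered (or audit the capture filter against the protocols you actually want to see) and apply the narrowing only at analysis time.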

