[Winpcap-users] Wincap and fake packages

Alexander Nicolaysen Sørnes alex at thehandofagony.com
Fri May 23 00:04:26 GMT 2008


Hello,

I'm investigating what appears to be a rootkit that has found its way onto a
friend's machine.  It's targeting the AIM messaging program on Windows.  It
appears that it's able to block conversations, while at the same time being
able to send out spam to a user's AIM contacts.

Using Wireshark I can see outgoing packets when I try to send a message, but
AIM tells me the contact is unable to receive offline messages (even though
the contact is online).  The connection uses TLS and so I'm unable to see
what the messages read.

Would it be possible for the rootkit to cause Wireshark to record packets that
aren't actually being sent?


Regards,

Alexander N. Sørnes
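As an added example (not part of the original post), one defender's way to answer this question is to capture the same traffic on an independent machine (a mirror/SPAN port, or a second host on the same segment) and diff the two captures: any segment the suspect host's own capture shows but the tap never saw cannot be trusted. The script below parses classic pcap files with the standard library only and reports such phantom TCP segments; the addresses and frames are constructed, and the key ignores timestamps so the two captures need not be synchronised.

```python
import struct

# Classic pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

def build_pcap(frames):
    """Wrap raw Ethernet frames in a classic little-endian pcap container (dummy timestamps)."""
    out = bytearray(PCAP_HDR)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1211500000 + i, 0, len(f), len(f)) + f
    return bytes(out)

def tcp_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero because only headers are compared."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def segment_keys(pcap):
    """Set of (src, dst, sport, dport, seq) for every IPv4/TCP frame in a pcap blob; timestamps are ignored."""
    assert struct.unpack_from("<I", pcap, 0)[0] == 0xA1B2C3D4, "little-endian classic pcap expected"
    keys, off = set(), 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not an IPv4/TCP frame
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport, seq = struct.unpack_from("!HHI", frame, 14 + ihl)
        keys.add((src, dst, sport, dport, seq))
    return keys

def phantom_segments(host_pcap, tap_pcap):
    """Segments the suspect host's own capture shows but an independent tap never saw."""
    return segment_keys(host_pcap) - segment_keys(tap_pcap)

# Constructed sample: the host shows three outgoing TLS segments, the tap on the wire saw only two.
_seg = lambda seq: tcp_frame("192.0.2.10", "203.0.113.5", 50000, 443, seq, b"\x17\x03\x01" + b"A" * 29)
HOST_CAPTURE = build_pcap([_seg(1000), _seg(1001), _seg(1002)])
TAP_CAPTURE = build_pcap([_seg(1000), _seg(1002)])

if __name__ == "__main__":
    for key in sorted(phantom_segments(HOST_CAPTURE, TAP_CAPTURE)):
        print("seen only on host:", key)
```

To use it on real captures, read both files as bytes (Wireshark's "pcap" save format, not pcapng) and pass them to `phantom_segments`; the reverse difference shows segments that reached the wire without the host capture recording them.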


