[Winpcap-users] Wincap and fake packages

Gianluca Varenni gianluca.varenni at cacetech.com
Fri May 23 23:20:23 GMT 2008


----- Original Message ----- 
From: "Alexander Nicolaysen Sørnes" <alex at thehandofagony.com>
To: <winpcap-users at winpcap.org>
Sent: Thursday, May 22, 2008 5:04 PM
Subject: [Winpcap-users] Wincap and fake packages


> Hello,
>
> I'm investigating what appears to be a rootkit that has found its way onto a
> friend's machine.  It's targeting the AIM messaging program on Windows.  It
> appears that it's able to block conversations, while at the same time being
> able to send out spam to a user's AIM contacts.
>
> Using Wireshark I can see outgoing packets when I try to send a message, but
> AIM tells me the contact is unable to receive offline messages (even though
> the contact is online).  The connection uses TLS and so I'm unable to see
> what the messages read.
>
> Would it be possible for the rootkit to cause Wireshark to record packets that
> aren't actually being sent?
>
>

Yes. WinPcap uses a protocol driver to capture packets. A protocol driver 
sits on top of the networking stack. Entities like an NDIS intermediate 
driver (or some NDIS hook driver) can definitely modify the packets before 
they get transmitted on the wire.

Have a nice day
GV


> Regards,
>
> Alexander N. Sørnes
>
> _______________________________________________
> Winpcap-users mailing list
> Winpcap-users at winpcap.org
> https://www.winpcap.org/mailman/listinfo/winpcap-users 
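The practical consequence of the answer above is that a capture taken on the suspect host sits above anything an NDIS intermediate or hook driver does, so the only way to know what really left the machine is to capture at an independent vantage point (a mirror/SPAN port, a tap, or a second machine on the same segment) and compare the two. The following script is an added example written for this page; it is not code from the thread or from the WinPcap project. It assumes both captures have already been reduced to a flow tuple plus the packet payload (for TLS traffic the payload is the encrypted record, which is still byte-comparable), and the packets, addresses and ports are constructed sample data. It reports, per flow, how many host-side packets appeared verbatim on the wire, how many did not, and how many wire frames the host never saw.

```python
"""Compare a host-side capture (WinPcap/Wireshark, above any NDIS hook driver)
with an independent wire-side capture and flag flows where they disagree.
Added example for this thread; all packets and addresses below are constructed."""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp (seconds); not used for matching
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes   # bytes above the transport header, encrypted or not


@dataclass(frozen=True)
class FlowReport:
    host_seen: int   # packets of this flow in the host capture
    wire_seen: int   # packets of this flow in the wire capture
    verbatim: int    # packets that appear byte-identical in both captures

    @property
    def host_not_on_wire(self) -> int:
        # Seen by the host's capture driver but never transmitted as captured.
        return self.host_seen - self.verbatim

    @property
    def wire_not_on_host(self) -> int:
        # On the wire but invisible to the host capture (modified or injected below it).
        return self.wire_seen - self.verbatim


def flow(p: Packet) -> tuple:
    return (p.src, p.dst, p.sport, p.dport)


def fingerprint(p: Packet) -> tuple:
    # Flow tuple plus a payload digest. Timestamps are deliberately excluded:
    # the two capture points have different clocks and latency.
    digest = hashlib.sha256(p.payload).hexdigest()[:16]
    return flow(p) + (digest,)


def compare_captures(host_pkts, wire_pkts) -> dict:
    """Return {flow_tuple: FlowReport} for every flow in either capture."""
    host_fp = Counter(fingerprint(p) for p in host_pkts)
    wire_fp = Counter(fingerprint(p) for p in wire_pkts)
    exact = host_fp & wire_fp  # multiset intersection: byte-identical packets
    flows = {flow(p) for p in host_pkts} | {flow(p) for p in wire_pkts}
    reports = {}
    for fl in flows:
        # fingerprint[:4] is the flow tuple, so filter each counter on it
        h = sum(c for fp, c in host_fp.items() if fp[:4] == fl)
        w = sum(c for fp, c in wire_fp.items() if fp[:4] == fl)
        v = sum(c for fp, c in exact.items() if fp[:4] == fl)
        reports[fl] = FlowReport(h, w, v)
    return reports


def suspicious_flows(reports: dict) -> list:
    """Flows where the host and wire captures are not an exact multiset match."""
    return [fl for fl, r in reports.items()
            if r.host_not_on_wire or r.wire_not_on_host]


# Constructed sample: a TLS session to a hypothetical messaging server 10.0.0.5,
# a second TLS session, and a DNS query used as a control that matches cleanly.
HOST_CAPTURE = [
    Packet(1.00, "192.168.1.10", "10.0.0.5", 50000, 443, b"\x16\x03\x01CLIENT_HELLO"),
    Packet(1.20, "192.168.1.10", "10.0.0.5", 50000, 443, b"\x17\x03\x03APPDATA-1"),
    Packet(1.40, "192.168.1.10", "10.0.0.5", 50000, 443, b"\x17\x03\x03APPDATA-2"),
    Packet(1.50, "192.168.1.10", "10.0.0.5", 50001, 443, b"\x17\x03\x03APPDATA-3"),
    Packet(0.90, "192.168.1.10", "192.168.1.1", 40000, 53, b"\x12\x34\x01\x00QUERY"),
]
WIRE_CAPTURE = [
    Packet(0.91, "192.168.1.10", "192.168.1.1", 40000, 53, b"\x12\x34\x01\x00QUERY"),
    Packet(1.01, "192.168.1.10", "10.0.0.5", 50000, 443, b"\x16\x03\x01CLIENT_HELLO"),
    Packet(1.21, "192.168.1.10", "10.0.0.5", 50000, 443, b"\x17\x03\x03REWRITTEN"),
    # APPDATA-2 and the whole 50001 session never reach the wire
]


if __name__ == "__main__":
    rep = compare_captures(HOST_CAPTURE, WIRE_CAPTURE)
    for fl in suspicious_flows(rep):
        r = rep[fl]
        print(f"{fl}: host={r.host_seen} wire={r.wire_seen} verbatim={r.verbatim} "
              f"dropped/altered={r.host_not_on_wire} wire-only={r.wire_not_on_host}")
```

On the constructed data the 50000 session shows three host-side packets, two on the wire and only one verbatim, the 50001 session shows one host-side packet and nothing on the wire, and the DNS control flow matches exactly. A flow with `host_not_on_wire > 0` is the signature of exactly the situation GV describes: the capture driver saw the packet, something below it dropped or rewrote it. Wire-only packets that the host never saw are the complementary case (traffic injected below the capture point). In practice you would feed this with pcap readers on both sides and key the comparison on the transport 5-tuple; the matching logic stays the same.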


