Vulnerability Development mailing list archives

Update: The Cleaner reports WinPCap contains WinRAT trojan


From: dumbwabbit <dumbwabbit () yahoo com>
Date: Sat, 16 Feb 2002 11:58:59 -0800 (PST)

Apologies to all for what looks to be a false
alert... here are the results of my further
investigation:

Although I have not heard back from MooSoft directly,
they issued a new sig update for The Cleaner today. It
shows "WinRAT - updated" as one of the new updates,
and scans of all previously mentioned versions of
WinPCap now do NOT show up as trojanized when scanned
using the new sig update.

Furthermore, I have conducted some testing, comparing
MD5 checksums of versions of WinPCap from different
file archives at my disposal; there was no difference.

The WinPCap versions in question have also been
scanned by others with Trend, Panda, F-Prot, all
report all WinPCap versions as being clean.

Leaving a "relatively" open pen testing system with
WinPCap installed up, running, and exposed to the
Internet for 2 days has yielded no suspicious TCP/IP
traffic on the box (other than the standard incoming
port scans, heh), no *questionable* ports opened, no
changes to system files (box being monitored with
GFI's LAN FileCheck). Reports from HandleEx, fport,
RegMon, TDIMon, NetMon all look good. 

Furthermore, I used Ethereal to capture a full day's
IP traffic to the exposed box... after analyzing this
dump, I find no evidence of trojan activity (although
keep in mind that this is only one day's worth).
Additionally, monitoring the exposed box with DeMarc
shows no apparent trojan-type activity.

I also performed several installations of WinPCap on
different boxes using InControl5 (program installation
monitor, freeware from PC Magazine), no suspicious
registry entries or files created (other than the
packet driver).

As some here have pointed out, it was probably a false
positive. Now I would say with 99.9% certainty that it
was indeed a false positive. I apologize for
cross-posting the issue, but as I said, I just wanted
to make sure... as I know that many people do use
WinPCap...

Come to think of it, I now remember a colleague
telling me several weeks ago that McAfee VirusScan
with DAT 4183 (I think, might have been 4184) claims
that NMapNT itself was a "generic" trojan...


--- dumbwabbit <dumbwabbit () yahoo com> wrote:
Forgive the cross-posting, but I think this *may*
merit it.

WinPCap is a packet capture driver/architecture for
the Windows platform, allowing Windows users to do such
things as run NMapNT, the NT port of Nmap.

Upon scanning a file archive on one of my pen testing
laptops, using the latest updated version of The
Cleaner (a trojan AV product from MooSoft), The
Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3
beta, along with the Developer Pack of WinPCap, are all
infected with or contain the WinRAT (aka Windows
Remote Administration Toolkit) client/server trojan. I
"tested" this further by re-downloading the WinPCap
files from the original website, located at:

http://netgroup-serv.polito.it/winpcap/install/default.htm

All files downloaded from this location scanned by The
Cleaner are reported as containing WinRAT.

I have sent copies of these files to MooSoft asking if
they can verify this, and I have emailed the authors
of WinPCap as well. That was 3 days ago.

McAfee VirusScan 4.51 and 6, both with latest DATs
(4186), do not find anything.
I do not have access currently to Norton or Trend or
another AV product.
I also cannot find any helpful information about the
WinRAT trojan online (MooSoft's description contains
absolutely NO information regarding this trojan other
than listing it - see
http://www.moosoft.com/winrat.php).
I have not yet heard back from WinPCap authors, nor
MooSoft. Therefore, I would like to ask if anyone else
can verify or disprove this "finding".

__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com

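The two checks the thread leans on to rule out a trojaned download are (a) comparing checksums of the same release obtained from several independent archives and (b) snapshotting the filesystem before and after the installer runs to see exactly what it dropped or changed (what InControl5 did on the poster's boxes). The script below is an added example, not code from the thread or from the WinPcap project; it implements both checks over constructed sample data (the file names mimic the releases discussed, but the bytes are arbitrary stand-ins, not real installers). It uses SHA-256 rather than the MD5 the poster used, since MD5 collisions are now practical; the directory names, the "<missing>" marker and the run_demo() layout are this example's own assumptions.

```python
"""Cross-archive hash comparison and install-footprint diff (added example, not
from the original thread). Sample data below is constructed, not real WinPcap."""
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, algo="sha256"):
    """Hash a file in 64 KiB chunks so large installers are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algo="sha256"):
    """Map every regular file under root (as a POSIX-style relative path) to its digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p, algo)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Return (created, modified, deleted) relative paths between two snapshots,
    each list sorted so the output is stable and easy to diff against a known-good run."""
    created = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return created, modified, deleted


def compare_mirrors(mirrors, algo="sha256"):
    """mirrors: {mirror_name: directory}. Returns {relative_path: {digest: [mirror names]}}
    for every file whose digest differs between mirrors or is absent from some of them
    ("<missing>" is this example's marker for an absent file, not a real digest)."""
    per_mirror = {name: snapshot(d, algo) for name, d in mirrors.items()}
    all_files = set().union(*per_mirror.values())
    disagreements = {}
    for rel in sorted(all_files):
        by_digest = {}
        for name, snap in per_mirror.items():
            by_digest.setdefault(snap.get(rel, "<missing>"), []).append(name)
        if len(by_digest) > 1:          # more than one distinct digest (or missing) => flag it
            disagreements[rel] = by_digest
    return disagreements


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def run_demo():
    """Constructed scenario: three download locations plus one install before/after.
    archive_b carries a copy of the 2.2 installer that differs by one byte, which is
    what a repacked or trojaned mirror copy would look like to a hash comparison."""
    clean_23 = b"MZ" + b"\x00" * 64 + b"winpcap 2.3 beta sample payload"
    clean_22 = b"MZ" + b"\x00" * 64 + b"winpcap 2.2 sample payload"
    tampered_22 = clean_22[:-1] + b"!"
    devpack = b"PK\x03\x04" + b"developer pack sample"
    with tempfile.TemporaryDirectory() as tmp:
        mirrors = {n: os.path.join(tmp, n) for n in ("origin", "archive_a", "archive_b")}
        for n in mirrors:
            _write(mirrors[n], "WinPcap_2_3.exe", clean_23)
        _write(mirrors["origin"], "WinPcap_2_2.exe", clean_22)
        _write(mirrors["archive_a"], "WinPcap_2_2.exe", clean_22)
        _write(mirrors["archive_b"], "WinPcap_2_2.exe", tampered_22)
        _write(mirrors["origin"], "WPdpack.zip", devpack)   # developer pack only on the origin site
        disagreements = compare_mirrors(mirrors)

        # Install-footprint check: snapshot a fake system root, run a "installer", snapshot again.
        sysroot = os.path.join(tmp, "system")
        _write(sysroot, "win.ini", b"[fonts]\n")
        _write(sysroot, "system32/kernel32.dll", b"MZ kernel32 sample")
        before = snapshot(sysroot)
        _write(sysroot, "system32/drivers/packet.sys", b"MZ packet driver sample")  # new driver
        _write(sysroot, "system32/packet.dll", b"MZ packet dll sample")             # new DLL
        _write(sysroot, "win.ini", b"[fonts]\n[packet]\n")                            # edited config
        after = snapshot(sysroot)
        install_diff = diff_snapshots(before, after)
    return {"mirror_disagreements": disagreements, "install_diff": install_diff}


if __name__ == "__main__":
    result = run_demo()
    for rel, by_digest in result["mirror_disagreements"].items():
        print(f"MISMATCH {rel}:")
        for digest, names in by_digest.items():
            print(f"  {digest[:16]}...  {', '.join(names)}")
    created, modified, deleted = result["install_diff"]
    print("created:", created, "modified:", modified, "deleted:", deleted)
```

Run against real downloads by pointing compare_mirrors() at one directory per source (the project's own site plus whatever archives you hold) and snapshot() at the install target before and after running the installer. A clean result from compare_mirrors() only shows the copies agree with each other; it says nothing about the origin itself, which is why the thread also relied on independent AV engines and on watching the box's traffic after install.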