Vulnerability Development mailing list archives
Update: The Cleaner reports WinPCap contains WinRAT trojan
From: dumbwabbit <dumbwabbit () yahoo com>
Date: Sat, 16 Feb 2002 11:58:59 -0800 (PST)
Apologies to all for what looks to be a false alert. Here are the results of my further investigation:

Although I have not heard back from MooSoft directly, they issued a new sig update for The Cleaner today. It shows "WinRAT - updated" as one of the new updates, and scans of all previously mentioned versions of WinPCap now do NOT show up as trojanized when scanned using the new sig update.

Furthermore, I have conducted some testing, comparing MD5 checksums of the WinPCap versions from the different file archives at my disposal; there is no difference. The WinPCap versions in question have also been scanned by others with Trend, Panda, and F-Prot; all report every WinPCap version as clean.

Leaving a "relatively" open pen testing system with WinPCap installed up, running, and exposed to the Internet for 2 days has yielded no suspicious TCP/IP traffic on the box (other than the standard incoming port scans, heh), no *questionable* ports opened, and no changes to system files (the box is being monitored with GFI's LAN FileCheck). Reports from HandleEx, fport, RegMon, TDIMon, and NetMon all look good. Furthermore, I used Ethereal to capture a full day's IP traffic to the exposed box; after analyzing this dump, I find no evidence of trojan activity (although keep in mind that this is only one day's worth). Additionally, monitoring the exposed box with DeMarc shows no apparent trojan-type activity. I also performed several installations of WinPCap on different boxes using InControl5 (a program installation monitor, freeware from PC Magazine); no suspicious registry entries or files were created (other than the packet driver).

As some here have pointed out, it was probably a false positive. Now I would say with 99.9% certainty that it was indeed a false positive. I apologize for cross-posting the issue, but as I said, I just wanted to make sure, as I know that many people do use WinPCap.

Come to think of it, I now remember a colleague telling me several weeks ago that McAfee VirusScan with DAT 4183 (I think; it might have been 4184) claimed that NMapNT itself was a "generic" trojan...

--- dumbwabbit <dumbwabbit () yahoo com> wrote:
Forgive the cross-posting, but I think this *may* merit it. WinPCap is a packet capture driver/architecture for the Windows platform, allowing Windows users to do such things as run NMapNT, the NT port of Nmap. Upon scanning a file archive on one of my pen testing laptops, using the latest updated version of The Cleaner (a trojan AV product from MooSoft), The Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3 beta, along with the Developer Pack of WinPCap, are all infected with or contain the WinRAT (aka Windows Remote Administration Toolkit) client/server trojan. I "tested" this further by re-downloading the WinPCap files from the original website, located at:
http://netgroup-serv.polito.it/winpcap/install/default.htm
All files downloaded from this location and scanned by The Cleaner are reported as containing WinRAT. I have sent copies of these files to MooSoft asking if they can verify this, and I have emailed the authors of WinPCap as well. That was 3 days ago. McAfee VirusScan 4.51 and 6, both with the latest DATs (4186), do not find anything. I do not have access currently to Norton or Trend or another AV product. I also cannot find any helpful information about the WinRAT trojan online (MooSoft's description contains absolutely NO information regarding this trojan other than listing it; see http://www.moosoft.com/winrat.php). I have not yet heard back from the WinPCap authors or from MooSoft. Therefore, I would like to ask if anyone else can verify or disprove this "finding".

__________________________________________________
Do You Yahoo!? Yahoo! Sports - Coverage of the 2002 Olympic Games http://sports.yahoo.com
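The poster's strongest piece of evidence is the cross-archive MD5 comparison: if the copies of a release obtained from independent sources hash identically, a single scanner's verdict on one copy is far more likely to be a signature false positive than a tampered download. The script below is an added example (written for this archive page, not by the poster or the WinPCap project) of that check as a defender would script it today: it hashes every file present in a set of mirror directories with both MD5 and SHA-256, and reports any file whose copies disagree or that is missing from a mirror. The mirror directories, file names and byte contents are constructed sample data, not real WinPCap files.

```python
"""Cross-mirror integrity check: hash the same release files fetched from
several sources and flag any copy whose digest disagrees with the others.
Added example; the sample mirrors built by make_sample_mirrors() are constructed."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # stream files in 64 KiB pieces so large binaries stay off the heap


def digest_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory byte string (handy for spot checks)."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file on disk, read in chunks."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_mirrors(mirrors: list[Path], algos=("md5", "sha256")) -> dict:
    """For every file name seen in any mirror, record per-mirror digests and
    decide whether all copies agree.

    A file absent from a mirror is recorded as None and counts as a
    disagreement: an incomplete mirror is itself worth noticing."""
    names = sorted({p.name for m in mirrors for p in m.iterdir() if p.is_file()})
    report = {}
    for name in names:
        per_mirror = {}
        for m in mirrors:
            p = m / name
            per_mirror[m.name] = (
                {a: digest_file(p, a) for a in algos} if p.is_file() else None
            )
        present = [d for d in per_mirror.values() if d is not None]
        consistent = len(present) == len(mirrors) and all(d == present[0] for d in present)
        report[name] = {"consistent": consistent, "digests": per_mirror}
    return report


def make_sample_mirrors(root: Path) -> list[Path]:
    """Constructed sample data (not real WinPCap files): three mirrors of a
    two-file release; mirror_c's copy of setup.exe has one extra byte appended."""
    files = {
        "packet_driver.sys": b"\x4d\x5a" + b"\x00" * 64,  # fake 'MZ' header stub
        "setup.exe": b"\x4d\x5a" + b"\x90" * 128,
    }
    mirrors = []
    for label in ("mirror_a", "mirror_b", "mirror_c"):
        d = root / label
        d.mkdir(parents=True, exist_ok=True)
        for name, data in files.items():
            if label == "mirror_c" and name == "setup.exe":
                data = data + b"\x01"  # the altered copy the check should catch
            (d / name).write_bytes(data)
        mirrors.append(d)
    return mirrors


def run_demo() -> dict:
    """Build the sample mirrors in a scratch directory, compare them, print a
    one-line verdict per file, and return the full report."""
    root = Path(tempfile.mkdtemp(prefix="mirrorcheck_"))
    report = compare_mirrors(make_sample_mirrors(root))
    for name, entry in report.items():
        verdict = "OK   all copies agree" if entry["consistent"] else "DIFF copies disagree"
        print(f"{name:20} {verdict}")
        if not entry["consistent"]:
            for mirror, digests in entry["digests"].items():
                shown = digests["sha256"][:16] + "..." if digests else "missing"
                print(f"    {mirror:10} sha256={shown}")
    return report


if __name__ == "__main__":
    run_demo()
```

Run it as a script and `setup.exe` is reported as differing on `mirror_c` while `packet_driver.sys` agrees everywhere. Matching digests only establish that the copies are the same bytes, not that those bytes are clean, which is why the poster's agreement across archives was combined with independent scanners and runtime monitoring; MD5 is kept here because it is what the 2002 checksums were, but SHA-256 is recorded alongside it so the comparison does not rest on a collision-prone hash alone.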