[ISN] Virus writers add network sniffer to worm

InfoSec News isn at c4i.org
Wed Sep 15 01:56:57 EDT 2004


By John Leyden
14th September 2004 

Virus writers have grafted a network sniffer into the latest variant
of the SDBot worm series.

So far there are no reports of SDBot-UH in the wild but the inclusion
of selective network sniffing along with keystroke logging features
and other backdoor capabilities has security researchers worried.

Sniffers are designed to monitor network traffic. They are widely used
for network performance diagnostics but in this instance their
function has been turned to malign purposes. Bundling a network
sniffer with an auto-propagating worm makes it easier for hackers to
harvest usernames and passwords than would otherwise be the case.

The sniffing capabilities of the SDBot-UH worm focus on phrases associated
with network logins and Paypal accounts. It also tries to steal the CD
keys of games, according to an advisory by AV firm Trend Micro.
Patrick Nolan, a security researcher at the Internet Storm Center,
warns: "If the Trojans described by Trend can successfully transmit
the filter's packet captures back to the owner, they are going to
cause problems well beyond typical bot infestation issues."

SDBot-UH uses a variety of well-known Microsoft exploits to spread. It
also looks for weak usernames and passwords to gain access to target
machines. Malicious sniffers can be difficult to detect but Netcraft
points to a number of tools such as Sentinel and AntiSniff that can be
used to detect sniffers on a network. Individual users would do well
to check that their network card is not set in promiscuous (sniffing)  
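
One way to run the promiscuous-mode check mentioned above, shown as an added example that is not part of the original article. It assumes a Linux host that exposes interface flags under /sys/class/net; the function names are hypothetical and the sample values are constructed.

```python
import os

IFF_PROMISC = 0x100  # promiscuous-mode bit in the interface flags (linux/if.h)
SYSFS_NET = "/sys/class/net"  # assumption: Linux host with sysfs mounted

# Constructed sample: interface name -> contents of its sysfs "flags" file.
SAMPLE_FLAGS = {
    "lo": "0x9\n",       # UP | LOOPBACK
    "eth0": "0x1103\n",  # UP | BROADCAST | PROMISC | MULTICAST
    "eth1": "0x1003\n",  # UP | BROADCAST | MULTICAST
    "br0": "garbage",    # unparsable value, must not crash the check
}

def is_promiscuous(raw_flags):
    """Return True/False for a sysfs flags string, or None if unparsable."""
    try:
        return bool(int(raw_flags.strip(), 16) & IFF_PROMISC)
    except (ValueError, AttributeError):
        return None

def audit(flags_by_iface):
    """Return (promiscuous interfaces, interfaces whose flags were unreadable)."""
    promisc, unknown = [], []
    for name in sorted(flags_by_iface):
        state = is_promiscuous(flags_by_iface[name])
        if state is None:
            unknown.append(name)
        elif state:
            promisc.append(name)
    return promisc, unknown

def read_live_flags(root=SYSFS_NET):
    """Read each interface's flags file; empty dict if sysfs is absent."""
    flags = {}
    if not os.path.isdir(root):
        return flags
    for name in os.listdir(root):
        try:
            with open(os.path.join(root, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            flags[name] = None  # reported as unreadable by audit()
    return flags

if __name__ == "__main__":
    # Fall back to the constructed sample when no live data is available.
    promisc, unknown = audit(read_live_flags() or SAMPLE_FLAGS)
    print("promiscuous:", promisc or "none")
    print("unreadable:", unknown or "none")
```

A promiscuous interface is a lead to investigate rather than proof of compromise, since packet-capture tools and bridges set the same flag. A sniffer that only reads the infected host's own traffic does not need the flag at all.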
