I was told recently that certain malware or viruses could bypass Wireshark, making their activity invisible. Is this claim correct? If it is correct, is there a list of the known malware?

asked 09 Oct '13, 04:40

TimRC


Never heard of that, and I don't believe it makes any sense to do that. Why should a malware developer take the effort to hide from Wireshark? To prevent network analysis of his malware? Well, that's kind of a silly argument, because I just need to run Wireshark off-box (as @Jasper already mentioned) or run the malware in a virtual machine and then capture the traffic of the virtual machine. To sum it up: it makes no sense at all for a malware author to invest time into "Wireshark stealth code", as it is too easy to circumvent that 'stealth' mode.

I suggest you ask the person who told you that for proof of his statement, like the name of the malware, etc. Only then can we take a look at that malware and speculate why the malware author might have implemented it.

Regards
Kurt

answered 09 Oct '13, 06:08

Kurt Knochner ♦

The malware/virus was Autorun.gen!A, frethog.f, and Taterf.gen!E. McAfee doesn't mention any intention of these to evade detection beyond a normal virus or malware. The last two are known to use port 80 as a destination. The last one also has an IP address associated with its activity. They don't appear to go to any extraordinary efforts to mask any activity. I don't believe they can evade Wireshark, from the documentation that I have found.

(09 Oct '13, 07:01) TimRC

It depends on where Wireshark is capturing data. If you capture on the PC that is infected, it may be possible that Wireshark does not see everything it should. This is basically true for any kind of diagnostic software that believes what the infected OS is reporting.

If Wireshark is capturing on a known-clean PC that is receiving the packets via a TAP or SPAN port, then no: they can run but cannot hide.

answered 09 Oct '13, 05:02

Jasper ♦♦

Thank you for your insight.

(09 Oct '13, 06:48) TimRC
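Both answers above come down to the same practical check: capture the same traffic from a vantage point the infected host cannot influence (a TAP/SPAN port as Jasper describes, or the hypervisor side of a VM's virtual NIC as Kurt describes) and compare it with the capture taken on the host itself. The script below is an added example, not code from the original thread or from the Wireshark project. It reads two classic libpcap files (the on-host capture and the out-of-band capture), keys every IPv4 TCP/UDP packet by its 5-tuple, and reports the flows the out-of-band capture saw that the host capture did not. The two captures, the addresses (RFC 5737 documentation ranges) and the ports are constructed inline purely for illustration; the "hidden" port-80 flow is invented to show what a discrepancy looks like, not taken from any real sample.

```python
"""Differential capture check: flows seen by a TAP/SPAN (or hypervisor-side)
capture that are missing from the capture taken on the suspect host."""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps (pcapng is not handled)
DLT_EN10MB = 1            # Ethernet link type


def build_frame(src, dst, proto, sport, dport, payload=b""):
    """Construct a minimal Ethernet/IPv4/(TCP|UDP) frame for the sample captures."""
    eth = bytes(12) + b"\x08\x00"                       # zeroed MACs, EtherType IPv4
    if proto == 6:
        # sport, dport, seq, ack, data offset 5 words, flags SYN, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + l4 + payload


def build_pcap(frames):
    """Wrap frames in a classic little-endian pcap file (24-byte global header)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)
    body = b""
    for i, f in enumerate(frames):
        body += struct.pack("<IIII", 1381305600 + i, 0, len(f), len(f)) + f
    return hdr + body


def read_pcap(data):
    """Yield the raw bytes of every record in a classic pcap file."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng? save as pcap from Wireshark)")
    if struct.unpack(endian + "I", data[20:24])[0] != DLT_EN10MB:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def flow_key(pkt):
    """(proto, src, sport, dst, dport) for IPv4 TCP/UDP frames; None otherwise."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    src = ".".join(str(b) for b in pkt[26:30])
    dst = ".".join(str(b) for b in pkt[30:34])
    l4 = 14 + ihl
    if proto in (6, 17) and len(pkt) >= l4 + 4:
        sport, dport = struct.unpack("!HH", pkt[l4:l4 + 4])
        return (proto, src, sport, dst, dport)
    return (proto, src, 0, dst, 0)


def missing_flows(host_pcap, tap_pcap):
    """Flows the tap saw more often than the host did, with the packet deficit."""
    host = Counter(k for k in map(flow_key, read_pcap(host_pcap)) if k)
    tap = Counter(k for k in map(flow_key, read_pcap(tap_pcap)) if k)
    return {k: tap[k] - host[k] for k in tap if tap[k] > host[k]}


# Constructed sample captures (assumed, illustrative only): the on-host capture shows
# a DNS query and an HTTPS flow; the tap additionally sees a port-80 flow the host hid.
DNS = build_frame("192.0.2.10", "192.0.2.1", 17, 50000, 53, b"\x12\x34" + bytes(10))
TLS = build_frame("192.0.2.10", "203.0.113.5", 6, 49151, 443)
HIDDEN = build_frame("192.0.2.10", "198.51.100.7", 6, 49152, 80)
HOST_PCAP = build_pcap([DNS, TLS, TLS])
TAP_PCAP = build_pcap([DNS, TLS, HIDDEN, TLS, HIDDEN, HIDDEN])

if __name__ == "__main__":
    for key, deficit in missing_flows(HOST_PCAP, TAP_PCAP).items():
        proto, src, sport, dst, dport = key
        print(f"host capture missing {deficit} pkt(s): proto={proto} {src}:{sport} -> {dst}:{dport}")
```

To use it on real data, replace the constructed `HOST_PCAP`/`TAP_PCAP` bytes with files saved from Wireshark in classic pcap format (not pcapng) on the suspect host and on the clean capture box, and remember that the comparison only means something if both captures cover the same time window and the same segment; clock skew and packets dropped by the SPAN port under load will also show up as deficits, so treat a non-empty result as something to look at, not as proof of hiding.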
question was seen: 5,130 times

last updated: 09 Oct '13, 07:01