I was told recently that certain malware or viruses could bypass Wireshark, making their activity invisible. Is this claim correct? If it is correct, is there a list of the known malware? asked 09 Oct '13, 04:40 TimRC
2 Answers:
Never heard of that, and I don't believe it makes any sense to do that. Why should a malware developer take the effort to hide from Wireshark? To prevent network analysis of his malware? Well, that's kind of a silly argument, because I just need to run Wireshark off-box (as @Jasper already mentioned) or run the malware in a virtual machine and then capture the traffic of the virtual machine. To sum it up: it makes no sense at all for a malware author to invest time into "Wireshark stealth code", as it is too easy to circumvent that 'stealth' mode. I suggest you ask the person who told you that for proof of his statement, like the name of the malware, etc. Only then can we take a look at that malware and speculate why the malware author might have implemented it. Regards. answered 09 Oct '13, 06:08 Kurt Knochner ♦
It depends on where Wireshark is capturing data. If you capture on the PC that is infected, it may be possible that Wireshark does not see everything it should. This is basically true for any kind of diagnostic software that believes what the infected OS is reporting. If Wireshark is capturing on a known-clean PC that is receiving the packets via TAP or SPAN port, then no, they can run but cannot hide. answered 09 Oct '13, 05:02 Jasper ♦♦ Thank you for your insight. (09 Oct '13, 06:48) TimRC
The malware/virus was Autorun.gen!A, frethog.f, and Taterf.gen!E. McAfee doesn't mention any intention of these to evade detection beyond a normal virus or malware. The last two are known to use port 80 as a destination. The last one, also, has an IP address associated with its activity. They don't appear to go to any extraordinary efforts to mask any activity. I don't believe they can evade Wireshark from the documentation that I have found.
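A practical way to act on the two answers above (capture off-box via TAP/SPAN or on the hypervisor, then compare with what the suspect host itself reports) is to reduce both captures to flow lists and diff them. The script below is an added example, not code from the thread or from any of the posters; the tshark invocations in the comments are the standard `-T fields` export, the interface names `eth0` and `mirror0` are assumptions, and the flow lists are constructed sample data standing in for real tshark output.

```shell
#!/bin/sh
# Added example (not from the original Q&A): compare an on-host capture with an
# off-box capture taken on a TAP/SPAN port or the hypervisor's bridge. A flow that
# the mirror saw but the host's own Wireshark/tshark did not is exactly the kind
# of traffic a host-level rootkit could be hiding from local capture.
#
# Capture commands assumed (run separately; interface names are assumptions):
#   on the suspect host:    tshark -i eth0    -w host.pcap
#   on a known-clean box:   tshark -i mirror0 -w span.pcap
# Reduce each pcap to "src,dst,proto" flow lines with tshark's field export:
#   tshark -r host.pcap -Y ip -T fields -e ip.src -e ip.dst -e ip.proto \
#          -E separator=, | sort -u > host_flows.txt
#   tshark -r span.pcap -Y ip -T fields -e ip.src -e ip.dst -e ip.proto \
#          -E separator=, | sort -u > span_flows.txt

# Use a fixed collation so sort and comm agree on ordering.
LC_ALL=C
export LC_ALL

# flows_only_offbox HOST_LIST SPAN_LIST
#   Prints flows present in the off-box list but absent from the host list.
#   Inputs are newline-separated "src,dst,proto" strings (unsorted is fine).
flows_only_offbox() {
    tmpdir=$(mktemp -d) || return 1
    printf '%s\n' "$1" | sort -u > "$tmpdir/host"
    printf '%s\n' "$2" | sort -u > "$tmpdir/span"
    # comm: -1 drops host-only lines, -3 drops lines common to both,
    # leaving only lines unique to the SPAN capture.
    comm -13 "$tmpdir/host" "$tmpdir/span"
    rm -rf "$tmpdir"
}

# capture_consistent HOST_LIST SPAN_LIST
#   Exit 0 when the host saw every flow the mirror saw, 1 otherwise.
capture_consistent() {
    [ -z "$(flows_only_offbox "$1" "$2")" ]
}

# Constructed sample data (TEST-NET addresses), standing in for the files above.
# The host-side capture is missing one TCP flow to 198.51.100.7.
HOST_FLOWS='10.0.0.5,203.0.113.9,6
10.0.0.5,10.0.0.1,17'
SPAN_FLOWS='10.0.0.5,10.0.0.1,17
10.0.0.5,198.51.100.7,6
10.0.0.5,203.0.113.9,6'

# Stand-alone demo: list the hidden flows and give a verdict.
flows_only_offbox "$HOST_FLOWS" "$SPAN_FLOWS"
if capture_consistent "$HOST_FLOWS" "$SPAN_FLOWS"; then
    echo "on-host capture is consistent with the mirror"
else
    echo "on-host capture is missing flows: suspect hiding on the host"
fi
```

The comparison is only meaningful when both captures cover the same time window and the mirror really carries the host's traffic; flows that appear only on the host side (`comm -23`) usually mean SPAN drops under load rather than anything sinister, so the script reports only the off-box-only direction. Capturing a VM's traffic on the hypervisor's bridge, as suggested in the first answer, gives the same off-box vantage point without any extra hardware.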