This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Intrusion attempts when using WireShark

0

I recently tried WireShark for some days. Later, my antivirus suite (Symantec) reported three blocked intrusion attempts into my system (Windows 7) on exactly those three consecutive days I used the software. They were categorized as "Web Attack: Exploit Kit Variant 2" and all came from some St. Petersburg IP (31.184.192.8). I didn't install any other new software during those days (apart from the WinPCap installed during WireShark setup).

Did anybody else notice something like that? Does WireShark maybe open some port which attracts attacks like that?

asked 27 Feb '12, 02:37

volltonfarbe


One Answer:

0

Did you use an installer downloaded from www.wireshark.org? Then there should not have been any malware included.

But if you downloaded it from somewhere else, then yes, it could be that someone attached some malware to the installer. Gerald posted about it on the Wireshark Blog.

answered 27 Feb '12, 03:17

SYN-bit

I downloaded the file from the official webpage, which gave me the following download link: http://wiresharkdownloads.riverbed.com/wireshark/win64/wireshark-win64-1.6.5.exe . I checked the file's checksums and the checksums' signature; it does verify.

I was just wondering if running the software does open some ports that are usually closed, or performs some other action that makes the computer more 'visible' for potential attackers. It might be mere coincidence, of course, but I found it strange that this happened exactly on those days that I used the software.

(27 Feb '12, 04:14) volltonfarbe