Original URL: http://www.theregister.co.uk/2004/09/14/network_sniffer_worm/
Virus writers add network sniffer to worm
Hybrid risks from potent malware
Posted in Malware, 14th September 2004 11:18 GMT
Virus writers have grafted a network sniffer into the latest variant of the SDBot worm series.
So far there are no reports of SDBot-UH (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.UH&VSect=T) in the wild, but the inclusion of selective network sniffing along with keystroke logging features and other backdoor capabilities has security researchers worried.
Sniffers (http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci213016,00.html) are designed to monitor network traffic. They are widely used for network performance diagnostics but in this instance their function has been turned to malign purposes. Bundling a network sniffer with an auto-propagating worm makes it easier for hackers to harvest usernames and passwords than would otherwise be the case.
The sniffing capabilities of the SDBot-UH worm focus on phrases associated with network logins and PayPal accounts. It also tries to steal the CD keys of games, according to an advisory (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.UH&VSect=T) by AV firm Trend Micro. Patrick Nolan, a security researcher at the Internet Storm Center, warns (http://isc.sans.org/diary.php?date=2004-09-12): "If the Trojans described by Trend can successfully transmit the filter's packet captures back to the owner, they are going to cause problems well beyond typical bot infestation issues."
SDBot-UH uses a variety of well-known Microsoft exploits to spread. It also looks for weak usernames and passwords to gain access to target machines. Malicious sniffers can be difficult to detect, but Netcraft points (http://news.netcraft.com/archives/2004/09/13/new_worm_installs_network_traffic_sniffer.html) to a number of tools such as Sentinel and AntiSniff that can be used to detect sniffers on a network. Individual users would do well to check that their network card is not set in promiscuous (sniffing) mode. ®
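The promiscuous-mode check suggested above, as an added example that is not part of the original article: it parses `ip -o link show` output for the PROMISC flag and decodes the flags value Linux exposes under /sys/class/net. It assumes a Linux host with iproute2 installed; the sample output is constructed, not captured from an infected machine.

```python
import re
import subprocess

# IFF_PROMISC bit as defined in <linux/if.h>; /sys/class/net/<iface>/flags is hex.
IFF_PROMISC = 0x100

# Matches the start of one `ip -o link show` line: "<idx>: <name>[@peer]: <FLAG,FLAG,...>"
_LINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promiscuous_from_ip_link(output: str) -> list:
    """Return the names of interfaces whose flag list contains PROMISC."""
    found = []
    for line in output.splitlines():
        m = _LINK_RE.match(line.strip())
        if not m:
            continue  # not an interface line (blank, or unexpected format)
        if "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promiscuous_from_sysfs_flags(flags_hex: str) -> bool:
    """Decode the contents of /sys/class/net/<iface>/flags and test IFF_PROMISC."""
    return bool(int(flags_hex.strip(), 16) & IFF_PROMISC)


def check_live_interfaces() -> list:
    """Run `ip -o link show` on this host (Linux only) and report PROMISC interfaces."""
    proc = subprocess.run(["ip", "-o", "link", "show"],
                          capture_output=True, text=True, check=True)
    return promiscuous_from_ip_link(proc.stdout)


# Constructed sample output: eth0 has been put into promiscuous mode, eth1 has not.
SAMPLE = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT
"""

if __name__ == "__main__":
    for iface in promiscuous_from_ip_link(SAMPLE):
        print(f"interface {iface} is in promiscuous mode")
```

A sniffer that reads from a raw socket without PROMISC (or on a host where the flag is set by a legitimate tool such as a bridge or IDS) will not be caught by this check alone, so treat a hit as a lead to investigate rather than proof of infection.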
