Apologies to all for what looks to be a false alert... here are the results of my further investigation:

Although I have not heard back from MooSoft directly, they issued a new sig update for The Cleaner today. It shows "WinRAT - updated" as one of the new updates, and scans of all previously mentioned versions of WinPCap now do NOT show up as trojanized when scanned using the new sig update.

Furthermore, I have conducted some testing, comparing MD5 checksums of versions of WinPCap from different file archives at my disposal: no difference. The WinPCap versions in question have also been scanned by others with Trend, Panda, and F-Prot; all report all WinPCap versions as being clean.

Leaving a "relatively" open pen testing system with WinPCap installed up, running, and exposed to the Internet for 2 days has yielded no suspicious TCP/IP traffic on the box (other than the standard incoming port scans, heh), no *questionable* ports opened, and no changes to system files (box being monitored with GFI's LAN FileCheck). Reports from HandleEx, fport, RegMon, TDIMon, and NetMon all look good. Furthermore, I used Ethereal to capture a full day's IP traffic to the exposed box... after analyzing this dump, I find no evidence of trojan activity (although keep in mind that this is only one day's worth). Additionally, monitoring the exposed box with DeMarc shows no apparent trojan-type activity.

I also performed several installations of WinPCap on different boxes using InControl5 (program installation monitor, freeware from PC Magazine): no suspicious registry entries or files created (other than the packet driver).

As some here have pointed out, it was probably a false positive. Now I would say with 99.9% certainty that it was indeed a false positive. I apologize for cross-posting the issue, but as I said, I just wanted to make sure... as I know that many people do use WinPCap...
Come to think of it, I now remember a colleague telling me several weeks ago that McAfee VirusScan with DAT 4183 (I think; it might have been 4184) claimed that NMapNT itself was a "generic" trojan...

--- dumbwabbit <dumbwabbitat_private> wrote:
> Forgive the cross-posting, but I think this *may* merit it.
>
> WinPCap is a packet capture driver/architecture for the Windows platform, allowing Windows users to do such things as run NMapNT, the NT port of Nmap.
>
> Upon scanning a file archive on one of my pen testing laptops, using the latest updated version of The Cleaner (a trojan AV product from MooSoft), The Cleaner reports that versions 2.01, 2.1, 2.2, and 2.3 beta, along with the Developer Pack of WinPCap, are all infected with or contain the WinRAT (aka Windows Remote Administration Toolkit) client/server trojan. I "tested" this further by re-downloading the WinPCap files from the original website, located at:
> http://netgroup-serv.polito.it/winpcap/install/default.htm
> All files downloaded from this location and scanned by The Cleaner are reported as containing WinRAT.
>
> I have sent copies of these files to MooSoft asking if they can verify this, and I have emailed the authors of WinPCap as well. That was 3 days ago.
>
> McAfee VirusScan 4.51 and 6, both with the latest DATs (4186), do not find anything. I do not have access currently to Norton or Trend or another AV product. I also cannot find any helpful information about the WinRAT trojan online (MooSoft's description contains absolutely NO information regarding this trojan other than listing it - see http://www.moosoft.com/winrat.php).
>
> I have not yet heard back from the WinPCap authors, nor MooSoft. Therefore, I would like to ask if anyone else can verify or disprove this "finding".
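Added example, not part of the original post and not WinPCap's or MooSoft's code: the two file-side checks the post describes, done programmatically. First, hashing the same-named files obtained from several sources (the vendor site, a local archive, a colleague's copy) and reporting any file whose digest differs between sources; second, taking a baseline snapshot of a directory tree before an installer runs and diffing it afterwards to list added, removed and changed files, which is the file half of what an installation monitor does (registry monitoring is not reproduced here). All file names and contents are constructed in a temporary directory. SHA-256 is used instead of MD5 on the assumption that any modern digest is acceptable for this comparison; MD5 collisions can be manufactured today, so it is a poor choice when an attacker might control one of the copies.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large archives need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_sources(sources):
    """sources: {source_name: directory}.

    Returns {filename: {source: digest}} for every file name whose digest is
    not identical across all the sources that carry it. A file present in only
    one source cannot be cross-checked and is not reported.
    """
    by_name = {}
    for source, directory in sources.items():
        for p in Path(directory).iterdir():
            if p.is_file():
                by_name.setdefault(p.name, {})[source] = file_digest(p)
    return {name: digests for name, digests in by_name.items()
            if len(set(digests.values())) > 1}


def snapshot(root):
    """Baseline of a tree: {relative posix path: digest} for every file."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in root.rglob("*") if p.is_file()}


def diff_snapshots(before, after):
    """Compare two snapshots and list what an installer (or anything else) did."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in before.keys() & after.keys()
                     if before[p] != after[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario (hypothetical data, not real WinPCap files):
    three copies of one archive, one of them tampered with, then an install
    that drops a driver and modifies an existing file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        payload = b"constructed stand-in for an installer archive\n"
        sources = {}
        for name in ("site", "laptop_archive", "colleague"):
            d = tmp / name
            d.mkdir()
            (d / "WinPcap_2_3_beta.exe").write_bytes(payload)
            sources[name] = d
        # Tamper with one copy so the cross-source check has something to find.
        (tmp / "colleague" / "WinPcap_2_3_beta.exe").write_bytes(payload + b"X")
        mismatches = compare_sources(sources)

        # Baseline a fake system tree, "install", then diff.
        system = tmp / "system"
        (system / "drivers").mkdir(parents=True)
        (system / "drivers" / "existing.dll").write_bytes(b"original")
        before = snapshot(system)
        (system / "drivers" / "packet.sys").write_bytes(b"constructed driver")
        (system / "drivers" / "existing.dll").write_bytes(b"replaced")
        after = snapshot(system)
        return mismatches, diff_snapshots(before, after)


if __name__ == "__main__":
    mismatches, changes = demo()
    for name, digests in mismatches.items():
        print(f"MISMATCH {name}:")
        for source, digest in digests.items():
            print(f"  {source:15} {digest}")
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
```

Run against real directories, `compare_sources` takes the directories holding each copy and `snapshot` is taken once before and once after the installer, with the two results handed to `diff_snapshots`. A mismatch only tells you the copies differ; which one is the bad one still has to be settled against a digest published by the vendor over a trusted channel.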
This archive was generated by hypermail 2b30 : Sat Feb 16 2002 - 20:09:08 PST