finding packets

Discussion in 'Software' started by Kurokage, Apr 13, 2006.

  1. Kurokage

    Kurokage Private E-2

    Say you suspect a computer to have a trojan installed on it and that trojan installed a packet sniffer on said computer to sniff your network. This packet sniffer causes the computer to save all the packets, right? Is there any way to locate the packets on the computer? How about detection of the packet sniffer itself, since it isn't considered spyware?
     
  2. Mada_Milty

    Mada_Milty MajorGeek

    Yeah, aim for the trojan! Eliminating the root cause is often the best way to solve a problem, and usually the best ground to build on for improvement in the future.

    To remove a trojan, visit the malware removal thread! If you follow it closely, you will come out with a clean system (or at least be in a state where someone can help you further), and have an excellent, redundant antivirus/antispyware defense.
     
  3. goldfish

    goldfish Lt. Sushi.DC

    As a practical side of things - no it wouldn't save ALL of the packets. Otherwise you'd have a huge spike in egress traffic that people would easily notice. I expect the sniffer would sniff packets and scan them for "interesting" bits. Like POP3 auths, HTTP auths, telnet passwords, ssh rsa fingerprints (maybe). It would then bundle these all together then send them to a central location where the attacker would then put the information into a database.

    There would be no packets stored on the computer itself - since that'd be noticeable (depending on your networking habits you could be seeing a 2 or 3GB file after just a day - which is pretty obvious to an admin).

    Usually they'll zip the "interesting" packets up and send them off periodically. It's tricky to detect where they're being sent to, since it'll only be a few packets buried in many megabytes of other packets, but if you use your own packet sniffer it's possible to filter out known traffic and work out where traffic is being sent to.

    You can even generate your own "interesting" packets to coax these sniffers into revealing themselves.

    But yeah, that was the long answer ;) The best idea is to use a virus protection system of some kind to identify the process so you can prevent it from working.
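The approach goldfish describes above (run your own sniffer, filter out the traffic you already recognise, see where the rest goes, and watch what happens after you send some decoy "interesting" packets) can be scripted against a capture summary. The script below is an added example and not code from this thread or from any product mentioned in it. The flow records are constructed, and the allow-list of known servers, the periodicity tolerance and the minimum flow count are assumptions an admin would tune for their own network.

```python
"""Offline egress triage over flow records (constructed example).

Idea: drop the outbound traffic you already recognise, group what is left
by destination, and flag destinations that receive small uploads on a
regular schedule, or that were first contacted only after decoy
credentials were sent across the wire.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since capture start (constructed)
    src: str         # monitored host
    dst: str         # remote address
    dport: int       # remote port
    out_bytes: int   # bytes sent from src to dst


# Assumed allow-list: servers this host is expected to talk to.
KNOWN = {
    ("10.0.0.5", 110),   # internal POP3 server
    ("10.0.0.5", 25),    # internal SMTP server
    ("10.0.0.9", 80),    # intranet web server
}
# Assumed background noise: this port to any destination is ignored.
KNOWN_DPORTS_TO_ANY = {53}

# Constructed capture summary for one host over ~40 minutes.
HOST = "192.168.1.20"
FLOWS = [
    Flow(30, HOST, "10.0.0.1", 53, 70),
    Flow(60, HOST, "10.0.0.5", 110, 900),
    Flow(200, HOST, "198.51.100.3", 80, 120000),   # one-off user download
    Flow(300, HOST, "10.0.0.9", 80, 15000),
    Flow(600, HOST, "203.0.113.7", 443, 4100),      # unknown, regular uploads
    Flow(900, HOST, "10.0.0.5", 110, 950),
    Flow(1205, HOST, "203.0.113.7", 443, 3900),
    Flow(1500, HOST, "10.0.0.9", 80, 22000),
    Flow(1798, HOST, "203.0.113.7", 443, 4200),
    Flow(2402, HOST, "203.0.113.7", 443, 4050),
]


def unknown_egress(flows):
    """Keep only flows whose destination is not on the allow-list."""
    return [
        f for f in flows
        if (f.dst, f.dport) not in KNOWN and f.dport not in KNOWN_DPORTS_TO_ANY
    ]


def by_destination(flows):
    """Group flows by (address, port)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.dst, f.dport)].append(f)
    return groups


def is_periodic(timestamps, tolerance=0.2):
    """True when gaps between successive timestamps are nearly constant.

    tolerance is the allowed ratio of gap std-dev to mean gap (assumed 20%).
    """
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= tolerance


def suspicious_destinations(flows, min_flows=3):
    """Unknown destinations contacted on a schedule: ((dst, port), count, bytes)."""
    found = []
    for key, group in by_destination(unknown_egress(flows)).items():
        times = sorted(f.ts for f in group)
        if len(group) >= min_flows and is_periodic(times):
            found.append((key, len(group), sum(f.out_bytes for f in group)))
    return sorted(found)


def new_destinations_after(flows, canary_ts):
    """Unknown destinations first seen at or after the decoy packets were sent."""
    first_seen = {}
    for f in sorted(unknown_egress(flows), key=lambda f: f.ts):
        first_seen.setdefault((f.dst, f.dport), f.ts)
    return sorted(k for k, t in first_seen.items() if t >= canary_ts)


if __name__ == "__main__":
    for key, n, total in suspicious_destinations(FLOWS):
        print(f"periodic upload to {key[0]}:{key[1]} ({n} flows, {total} bytes)")
    # Assume the decoy credentials were put on the wire at t=500s.
    for key in new_destinations_after(FLOWS, canary_ts=500):
        print(f"first contacted after decoy: {key[0]}:{key[1]}")
```

Two different signals are kept separate on purpose: the one-off download at t=200 is unknown but not periodic, so it is not reported, while the 203.0.113.7 destination is flagged both for its regular small uploads and for appearing only after the decoy was sent. In practice the records would come from a capture tool's flow summary rather than a hand-written list.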
     
  4. Kurokage

    Kurokage Private E-2

    Hmm... okay, thanks, so the packet sniffer would delete the packets on the infected computer? Okay, so there won't be any traces of the packets themselves. Thanks!
     
  5. goldfish

    goldfish Lt. Sushi.DC

    Well, it wouldn't store them at all. It's not really the packets you want to worry about, it's the trojan that you want to worry about - since that's the one compromising your security.

    :)
     
  6. Kurokage

    Kurokage Private E-2

    I kinda know how to deal with the trojan, because of the link that I was given about malware removal, but I don't want someone finding the packets later on and seeing the passwords that were saved in the packets. Is this possible? Or am I just paranoid?
     
  7. goldfish

    goldfish Lt. Sushi.DC

    Most malware removal programs will identify files which were created by the trojan and delete them. You should be fine.
     
