Archive for the 'Computer Security' Category

HowTo – Use Packet Sniffers

Packet Capture
In this article, we shall cover the basic working of a sniffer, used to capture packets for analyzing traffic. If an analyst does not have working skills with a packet sniffer to a certain level, it is really hard to defend against intrusions. This article would help the analyst prepare to the level required for basic packet collection and basic analysis, but it does not cover everything about sniffers. An in-depth article on sniffers using packet crafting and packet capture will be coming soon. In this document we are using Wireshark Version 0.99.5 (SVN Rev 20677).

What you will learn…

  • Introduction to Sniffers
  • Capturing Traffic
  • Wireshark basics: The different panes

PDA TIPS PocketPC & Windows Mobile

SECURITY TIPS

  • lock your device with a password. If possible use a “strong alphanumeric” password that utilizes a combination of upper and lower case letters, and special symbols (see below for Dell Axim).
  • try not to put too much private information on your device, e.g. credit card numbers, social security numbers, or passwords that give access to this kind of information.
  • if you do need to put passwords and usernames for various accounts on your device, consider using password management software in addition to locking your device. Recommended software includes: RoboForm http://www.roboform.com/ or SplashID http://www.splashdata.com/splashid/
  • turn off your wireless when you’re not using it, especially Bluetooth. Bluetooth is used to set up short-range networks – connecting multiple devices like PDAs, laptops, cell phones, etc. with one another. Leaving it on in public places could allow unscrupulous users to access your data on your mobile device.

PASSWORD PROTECTING THE DELL AXIM

How to recover from a Trojan or virus

Reinstall your operating system
If the previous step failed to clean your computer, the most effective option is to wipe or format the hard drive and reinstall the operating system. Although this corrective action will also result in the loss of all your programs and files, it is the only way to ensure your computer is free from backdoors and intruder modifications.

Many computer vendors also offer a rescue partition or disc(s) that will do a factory restore of the system. Check your computer’s user manual to find out whether one of these is provided and how to run it.

Before conducting the reinstall, make a note of all your programs and settings so that you can return your computer to its original condition.
It is vital that you also reinstall your antivirus software and apply any patches that may be available. Consult “Before You Connect a New Computer to the Internet” for further assistance.

Targeted Trojan Email Attacks

Attack Description

Once a trojanised attachment is opened, the remote attacker may use it as a launchpad to gain full control of the user’s machine. A compromise poses a threat to the confidentiality, integrity and availability of data stored on the computer and its associated networks. It could also be used to launch attacks against other networks.

Files used by the attackers are often publicly available on the Web or have been sent to distribution lists. The attackers are able to receive, trojanise and resend a document within 120 minutes of its release, indicating a high level of sophistication.

The trojanised files can be common types such as databases, documents, executables (.exe) and help files (.chm) and are often compressed (.zip or .rar). The files exploit known software vulnerabilities to install a trojan on the user’s computer.

The Trojan Money Spinner

How do they know when the user has gone to a site?
As said, banking trojans filter out useless data – or more precisely, they only capture interesting data from banking activity. This means that the trojan has to know when the user is banking online. It is very common for the trojan only to monitor what the web browser is doing and where it is going. Banking trojans today use the following means of determining where the user is surfing:

  • Hooking (e.g. inline hooks on WinInet API functions)
  • BHO (Browser Helper Object) interface [4]
  • Window title enumeration (e.g. FindWindow() [5])
  • DDE [6]
  • Other COM (Component Object Model) / OLE (Object Linking and Embedding) interfaces
  • Firefox browser extensions
  • LSP (Layered Service Provider) interface [7]

As a fairly conventional example, Banker.ark [8] steals logon credentials related to some Brazilian banks by logging keystrokes when the internet browser title bar contains a string that is on its filter list.

Trojan Horse In Tally Server

Potential Gain:
To successfully alter the tabulated vote from some or all DREs in a county. A Trojan Horse attack would not have to explicitly reverse the recorded outcome of an election (e.g., create a Republican victor in a predominantly Democratic district) to be successful. It may be sufficient to simply alter a few undervotes, or reduce the margin of victory by a few votes. This would also be useful in voting events where a simple majority was not the deciding factor, but where a ratio of votes (e.g., electing candidates across multiple possible positions, or as the basis for determining electoral representation) would be of enough interest to motivate the attackers.