[ previous ] [ next ] [ threads ]
 From:  "Mohammed Ismail" <m dash ismail at link dot net>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: FW: [m0n0wall] malware HackTool.win32.ArpAttacker.3020
 Date:  Wed, 7 May 2008 06:44:40 +0300
in the beginning I though it would some one is missing up the network
but the ideas that I made arp table for one of the networks using DHCP to collect MACs 
and from m0n0wall ARP table , I find all IPs with same MAC, I compare it with my list to find the
attacker ,,
after that I thought every thing is ok, till I find another PC's MAC is being published and so
then my laptop got infected but KAspersky 6.0 got it, the name was the subject of this massage.
please take a loot at this article
Thanks in advance.
Mohammed Abd El Wadoud
Account Manager
Sharm El Sheikh
m dash ismail at link dot net


From: Lee Sharp [mailto:leesharp at hal dash pc dot org]
Sent: Wed 5/7/2008 6:18 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: Re: FW: [m0n0wall] malware HackTool.win32.ArpAttacker.3020

Mohammed Ismail wrote:
> all connections are wired Ethernet connections
> ADSL modem <<==>> wan int. m0n0wall LAN int. <<==>> Ethernet wired clients.
> all clients OS will be winxp
> and I cannot garantee good antivirus or firewalls on those PCs
> so I want m0n0 to keep sending his MAC address to all Clients to maintain connectivity between
clients and m0n0.
> the Trojan name was HackTool.win32.ArpAttacker.3020
> thanks allot

It is doing an arp poisoning attack.  It overloads the switch, and if
m0n0wall did the same it would fall over to a hub, and all the data will
still go to the compromised machine.  I understand that you don't have
access to the clients, but the only fix it to remove the bad client.
You may want to seal off the net to keep it from spreading as well.


To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch