Of Trojan Horses, chatty devices, and Wireshark, part 1

One of the things that bugs me is wondering if at night some trojan horse on my mac is sending all my data to some Eastern Bloc hacker while I am sleeping. It strikes me that the best tool to look into this is the free network sniffer program, Wireshark. I also got a managed gigabit switch with port mirroring ($130) so I can see that the other computers in the home network are sending out into the world when we aren’t looking.

My router/firewall is configured for stealth mode, which means it will not respond to pings from outside, and it has stateful packet inspection. I am pretty confident that nobody can get in from the internet, except maybe for some back-door that the federal government secretly forced vendors to install on all routers… The only internet traffic allowed in the firewall is that which is part of an exchange initiated from the local network.

So I bring up Wireshark. First thing I notice is that the router is constantly broadcasting arps for non-existent IP addresses on the local network. I am wondering if this is the result of some internet traffic getting in, or maybe a bug in the router program. Also I wonder what sort of arp cache it has as it arps existing addresses every second or so as well. There is no router setting about how long the arp cache entries are kept, so nothing to be done.

I get a new router, and this seems a bit less chatty, at least in the arp department. Then I notice the router is emitting STP broadcasts. How cute, my 4 port switch on the back of the router wants to have a spanning tree protocol root bridge election. Just for the fun of it, I log into the managed switch and enable STP. By the time I get back to the Wireshark window, the STP broadcasts have stopped, so the switches must have already had their election.

Now the mac (mavericks) is constantly emitting broadcasts for things like network printers and other discovery protocols. As is too often the case with OSX, there is no user interface to shut these things off, and one has to fire up VI and turn off some daemons. Not a priority right now and I am not eager to delve into FreeBSD network configuration.

At this point, I am looking at a well behaved mac, chatty with its broadcasts, but nothing leaving the lan. Then I bring up Safari… Now I am seeing all sorts of TCP misbehavior with the outside world. TCP conversations initiated on the mac and going to ip addresses located in Ireland and various soviet countries. Packets are highlighted in red indicating protocol misbehavior such as out of sequence acks, and uncompleted TCP handshakes. Wireshark has no way of knowing what processes running on the mac are initiating network traffic, but I notice it goes away when Safari closes. I look at Safari a bit and see some sort of uninvited Safari extension has been installed.

I purchased some backup software online, and apparently the vendor was in the hacker’s paradise in Russia and Eastern Bloc countries–I learned after I made payment. I guess installing the program, which of course required administrator privileges to install, put its own little trojan horse in my browsers. I make a note to look for other inappropriate things this install may have slipped under the covers.

Once I deleted the Safari extension, the interior of the mac appeared to transmit nothing but the usual chatty local discovery broadcasts I mentioned before. Not a bad catch for the first couple of times I cast the net for Trojan Horses…