MW-Blog » Blog Archive » zxarps

zxarps

There’s a nifty (or nasty, depending on which side you are on) tool being offered for download. The tool, called zxarps, is a hacking tool mostly used in China.

The only English hit for the tool is a description on McAfee’s website. The tool, even though not malicious in itself, can be used for malicious purposes. It needs WinPcap to be installed on the machine, and it uses WinPcap to sniff network data, poison ARP caches and modify web pages on the fly. So, basically, it is a tool for performing MITM (Man In The Middle) attacks.

When run without any parameters, here’s the output:

[SNIP]

zxarps.exe

0. VMware Virtual Ethernet Adapter
IP Address. . . . . : 192.168.140.1
Physical Address. . : 00-50-56-C0-00-01
Default Gateway . . : N/A

1. VMware Virtual Ethernet Adapter
IP Address. . . . . : 192.168.186.1
Physical Address. . : 00-50-56-C0-00-08
Default Gateway . . : N/A

2. Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft’s Packet Scheduler)
IP Address. . . . . : xx.xx.xx.xx
Physical Address. . : 00-14-38-C2-7F-9C
Default Gateway . . : xx.xx.xx.x
options:
-idx [index]
-ip [ip]
-sethost [ip]
-port [port]
-reset
-hostname
-logfilter [string]
-save_a [filename]
-save_h [filename] HEX
-hacksite [ip]
-insert [html code]
-postfix [string]
-hackURL [url]
-filename [name]
-hackdns [string]
-Interval [ms]
-spoofmode [1|2|3]
-speed [kb]
zxarps Build 01/17/2007 By LZX.

[/SNIP]

If someone who can read Chinese wants to help out as a translator, please contact me at toni(_at_)teamfurry.com.

As mentioned above, the tool requires WinPcap to be installed on the machine. By default, a Windows installation does not contain WinPcap. This of course hasn’t stopped the bad guys from utilizing the tool: they install the required libraries through other malware already present on the machine.

3 Responses to “zxarps”

  1. Old Chinese Hack Tool Used for New Tricks « Webroot Threat Blog Says:

    […] most malware we see these days, ZXArps (which dates back to 2006, and was discovered by the English-speaking security community the following year) isn’t designed to perform a single task. It’s more like a Swiss […]

  2. Old Chinese Hack Tool Used for New Tricks « O24 – One Step Ahead Says:

    […] most malware we see these days, ZXArps (which dates back to 2006, and was discovered by the English-speaking security community the following year) isn’t designed to perform a single task. It’s more like a Swiss Army knife, […]

  3. jelly splash hacks Says:

    jelly splash hacks…

    MW-Blog » Blog Archive » zxarps…

If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.

