Enough malware researchers now depend upon Fiddler that some bad guys won’t even try to infect your system if you have Fiddler installed.
This isn’t the only malware we’ve seen hiding from Fiddler—earlier attempts use tricks to see whether Fiddler is actively running and intercepting traffic and only abandon the exploit if it is.
This behavior is, of course, pretty silly. But it makes me happy anyway.
Preventing Detection of Fiddler
Malware researchers who want to help ensure Fiddler cannot be detected by bad guys should take the following steps:
- Do not put Fiddler directly on the “victim” machine.
– If you must, at least install it to a non-default path.
- Instead, run Fiddler as a proxy server external to the victim machine (on a different physical machine or in a separate VM).
– Tick the Tools > Fiddler Options > Connections > Allow remote computers to connect checkbox. Restart Fiddler and ensure the Fiddler machine’s firewall allows inbound TCP traffic on port 8888 (Fiddler’s default listen port).
– Point the victim’s proxy settings at the remote Fiddler instance (its IP address and port 8888).
– Visit http://fiddlerserverIP:8888/ from the victim and install the Fiddler root certificate, so that HTTPS traffic decrypted by the remote Fiddler does not raise certificate errors on the victim. Note that this trusted root certificate is the one Fiddler-related artifact the setup still leaves on the victim.
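The following PowerShell script is an added example that automates the procedure above; it is not code from the original post or from the Fiddler project. It assumes Fiddler Classic on the analysis box listens on the placeholder address 192.0.2.10 and the default port 8888, that the echo page at that address serves the root certificate as /FiddlerRoot.cer, and that both parts run in an elevated session on a Windows 8 or later host (the NetSecurity, NetTCPIP and PKI cmdlets used here are not available on older versions).

```powershell
# Added example, not from the original post or the Fiddler project.
# Assumptions: Fiddler listens on 192.0.2.10:8888 (placeholder address),
# the echo page serves the root certificate at /FiddlerRoot.cer,
# and each part runs in an elevated PowerShell session on its own machine.

# ---- Part 1: run on the analysis box that hosts Fiddler ----
# After ticking "Allow remote computers to connect" and restarting Fiddler,
# let the victim reach the listen port through Windows Firewall.
New-NetFirewallRule -DisplayName "Fiddler remote capture" -Direction Inbound `
    -Protocol TCP -LocalPort 8888 -Action Allow | Out-Null

# ---- Part 2: run on the victim machine ----
$FiddlerHost = "192.0.2.10"   # assumption: address of the box running Fiddler
$FiddlerPort = 8888           # Fiddler's default listen port
$ProxyServer = "${FiddlerHost}:${FiddlerPort}"

# 1. Refuse to continue if anything Fiddler-shaped is present locally,
#    since a local process or listener is exactly what a sample could look for.
if (Get-Process -Name Fiddler -ErrorAction SilentlyContinue) {
    throw "Fiddler is running on the victim; stop it and use the remote instance only."
}
if (Get-NetTCPConnection -LocalPort $FiddlerPort -State Listen -ErrorAction SilentlyContinue) {
    throw "Something is listening on local port $FiddlerPort; a sample could spot it."
}

# 2. Confirm the remote Fiddler is reachable (checks the option and the firewall rule).
$probe = Test-NetConnection -ComputerName $FiddlerHost -Port $FiddlerPort
if (-not $probe.TcpTestSucceeded) {
    throw "Cannot reach $ProxyServer; check the 'Allow remote computers' option and the firewall rule."
}

# 3. Fetch the Fiddler root certificate from the echo page and trust it,
#    so HTTPS decrypted by the remote Fiddler does not raise certificate errors.
#    Done before the proxy is configured so this download goes direct.
$cerPath = Join-Path $env:TEMP "FiddlerRoot.cer"
Invoke-WebRequest -Uri "http://$ProxyServer/FiddlerRoot.cer" -OutFile $cerPath -UseBasicParsing
$cert = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root
Remove-Item $cerPath

# 4. Point WinINET (IE and most user-mode HTTP stacks) at the remote Fiddler.
$regPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
Set-ItemProperty -Path $regPath -Name ProxyEnable -Value 1
Set-ItemProperty -Path $regPath -Name ProxyServer -Value $ProxyServer
# Services that use WinHTTP read a separate setting; copy the WinINET one over.
netsh winhttp import proxy source=ie | Out-Null

Write-Host "Proxy set to $ProxyServer; trusted root '$($cert.Subject)' ($($cert.Thumbprint))"
```

Part 1 runs once on the Fiddler box; Part 2 runs on each victim VM before the sample is detonated. The two pre-checks in step 1 are there so the script fails loudly if someone has left a local Fiddler on the victim, which would defeat the point of the remote setup.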