Is there a such thing as an "undetectable" trojan? Or, can they all be found via regedit, netstat, win.ini, etc.?
I've never heard of something not being able to be removed from your system without some digging. Usually you don't even need to worry about finding it yourself. If you have an Anti Virus scanning program, and it is kept up-to-date, it should find anything that's out there. If you are a big Peer-to-Peer user, then you might get hit with a brand new one. But the AV people have employees working around the clock to keep on top of anything that's new on the market virus/trojan wise. That's why I have my system update the virus scanner every night, and then afterwards scan all my hard drives. Because in case one gets by, then you are usually ok if you do a scan and pick it up. The AV should be able to remove it, or at least tell you what it is so you can go online and search for a removal tool.
Hmmm, removing is one thing, but detection is another thing. It also really depends on which trojan and which OS. There is a trojan for Unix/Linux which is very hard to detect. As far as I'm aware, there's only one tool to find that specific trojan. It's a very rare trojan; actually it's a lot more than a simple trojan. It does not sit and listen on a port like other trojans, it does not show up on any process listing, it only shows up with its antidote. This trojan is called KIS (Kernel Intrusion System) made by 0ptyx. It's by far the most advanced trojan tool I have ever seen. It actually sits inside the kernel itself. Even IDS cannot pick up the setup of this trojan. On the other hand, normal users have nothing to fear, since the trojan KIS is used very rarely and its target is mainly very high security boxes. I have never heard of this trojan infecting a home user, or even a small private company.
For the normal common trojans on Windows systems, there are some excellent tools to remove them. I always recommend a look at www.moosoft.com as well as getting Ad-Aware. Netstat is also helpful, since it shows which ports are in state LISTEN. On the other hand, on Windows it normally takes user error to get infected by a trojan, as in lack of antivirus, lack of knowledge, by just clicking on files where you have no idea what they are, etc.
Cheers.
I've got a few ideas for an (almost) undetectable trojan/backdoor.
Simply setup a website on some free server somewhere holding your backdoor's plugins.
Compile a program that you'll shoot off to the victim to open. Time passes, he opens the file, making an open connection to his computer, you connect to his computer with your backdoor client.
But here's the thing. When you want to do something real lame (ex. eject /dev/cdrom), you give the command to his PC to download a plugin from the website (on the same port - so the server will have to be quite lenient...), you play around, he gets annoyed, you disconnect, and the plugins are deleted from his computer. So tomorrow, when he scans, he'll find nothing "malicious," ... a specific port, however, will remain open on his computer - for you to connect to his PC.
Blah... I'm just rambling now, though. It was just an idea anyway... *grin*
There are some Win trojans that few antiviruses detect, and not just older ones. But ones like NetBus or Back Orifice, every updatable antivirus I know of can detect them.
Ok...here's the deal. I just downloaded and installed Trojan Guarder 3.87 and when I launched it, it found two files right off and identified them as trojans - igfxtray.exe, hkcmd.exe. In addition, when I clicked the "Network" button on the main window, I notice there's an entry under "Local Port" that reads 5000:Blazer 5. Is this a trojan? If so, how do I get rid of it?
P.S. - Is there a way to determine where a trojan came from?
What the heck are you talking about? I would consider Back Orifice and NetBus to not only be one of these 'older ones'... in fact they both are (extremely) old, indeed. And besides that you act almost surprised that they are very detectable. I'd highly feel sorry for any AV that couldn't detect those... any AV that doesn't catch on to that would be beyond lame.
Quote:
Originally posted here by jaxxofdeath
There are some Win trojans that few antiviruses detect, and not just older ones. But ones like NetBus or Back Orifice, every updatable antivirus I know of can detect them.
http://www.pestpatrol.com/PestInfo/db/b/blazer_5.asp
In this URL I didn't see info on the regkey and further info on it, but I'm sure you can find/destroy it if it's even really in your box.
I don't believe any trojan is "undetectable"; there is always some way to detect it. It's like saying that something is impossible or something. Most antiviruses detect trojans nowadays, but maybe there is a new trojan that no antivirus can detect yet. Well, keep looking man, maybe you'll find what you need. Great question by the way.
Seventh Angel: Here's some info about the "trojans" that were found:
The info came from http://www.answersthatwork.com/Taskl...tasklist_i.htm
Quote:
Intel Graphics Tray. System Tray icon which gets installed with the drivers for onboard VGA cards based on the Intel 81x graphics chipset. Double-clicking on it enables you to quickly change the display resolution, save your current Display Scheme, or configure your onboard graphics card. You can also configure keyboard hotkeys (shortcuts – this is handled by another background task called HKCMD). You can access the same features through the "Intel Graphics Technology" icon in the Control Panel.
Recommendation:
Although great in theory, on some PCs we have found that whenever IGFXTRAY and HKCMD are running, Windows Explorer is prone to hanging and showing as "not responding" in the Task List. Our recommendation, therefore, is that you should not have this tray icon running, and that you should also not use the hotkey facility that comes with it. Disable both IGFXTRAY and HKCMD with Startup Manager.
AJ
Thanks a bunch for all the great responses. Still waiting for someone to give "the new guy" some insight on what to do about this "Port 5000/Blazer5" issue ...lol. Maybe I should do a system restore...which I HATE, by the way...lol.
Oh come on guys, Port 5000 on a Win system!!!
UNIVERSAL PLUG AND PLAY..
Check if that is enabled.. if the OS is WIN-XP then you have two services to disable..
UPnP is one, SSDP Discovery is the other.. disable these and port 5000 should be closed..
Cheers
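The thread keeps coming back to netstat and to port 5000, so here is an added example (mine, not from anyone in the thread) of the check a defender actually performs: parse netstat output, keep only the sockets that are bound or in LISTEN state, and flag any listener that is not on a per-machine allowlist. The two sample outputs are constructed to mimic "netstat -an" on Windows XP and on Linux; the allowlist entries for 5000 (UPnP) and 1900 (SSDP) follow the explanation above, the rest are my assumptions about a typical workstation and should be tuned for the host being checked. It goes slightly beyond the thread by handling both output formats in one parser.

```python
import re

# Constructed sample, mimicking "netstat -an" on Windows XP (not a real capture).
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1035      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

# Constructed sample, mimicking "netstat -an" on Linux (not a real capture).
SAMPLE_LINUX = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
"""

# Allowlist of (protocol, port) -> why it is expected. 5000/1900 are the UPnP
# and SSDP ports discussed in the thread; the others are assumed workstation
# defaults and must be adjusted for the machine being examined.
KNOWN_LISTENERS = {
    ("TCP", 135): "MS RPC endpoint mapper",
    ("TCP", 445): "SMB over TCP",
    ("TCP", 5000): "UPnP device host (disable UPnP + SSDP Discovery on XP)",
    ("UDP", 1900): "SSDP Discovery (companion to UPnP)",
    ("TCP", 22): "SSH",
    ("TCP", 25): "SMTP, bound to loopback only",
}

# One regex for both layouts: Linux inserts Recv-Q/Send-Q columns, Windows
# does not; UDP rows carry no state on either platform.
_LINE = re.compile(
    r"^\s*(tcp|udp)6?\s+(?:\d+\s+\d+\s+)?(\S+)\s+(\S+)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def parse_listeners(netstat_output):
    """Return [(proto, local_ip, port)] for every bound UDP or listening TCP socket."""
    found = []
    for line in netstat_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # headers, blank lines, anything that is not a socket row
        proto, local, _foreign, state = m.groups()
        proto = proto.upper()
        ip, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # Only TCP has a LISTEN state; ESTABLISHED/TIME_WAIT rows are not listeners.
        if proto == "TCP" and (state or "").upper() not in ("LISTEN", "LISTENING"):
            continue
        found.append((proto, ip, int(port)))
    return found


def unexpected_listeners(netstat_output, known=KNOWN_LISTENERS):
    """Listeners that no allowlist entry explains; each one needs a look."""
    return [(p, ip, port) for p, ip, port in parse_listeners(netstat_output)
            if (p, port) not in known]


def report(netstat_output, known=KNOWN_LISTENERS):
    """Human-readable line per listener, naming the allowlist reason if any."""
    lines = []
    for proto, ip, port in parse_listeners(netstat_output):
        why = known.get((proto, port), "UNEXPECTED - investigate")
        lines.append(f"{proto} {ip}:{port} -> {why}")
    return lines


if __name__ == "__main__":
    for sample in (SAMPLE_WINDOWS, SAMPLE_LINUX):
        print("\n".join(report(sample)))
        print("unexpected:", unexpected_listeners(sample))
```

Against the Windows sample every listener is explained (port 5000 is attributed to UPnP rather than to a trojan), while the Linux sample surfaces TCP 31337 as the one socket nobody accounted for. Remember that this only sees what netstat is allowed to see; a kernel-level rootkit can lie to netstat, which is the point of the later posts in this thread.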
I know of no... um COTS(? heh) trojans that are undetectable.
This is by the definition of a trojan being something that looks good to the client so they invite it in.
It is however possible to backdoor a system in a manner that would be undetectable by all current detection methods so long as the system is running any services.
I have seen this done to a linux system.
Steps:
1. The box was rooted.
2. Trojan the kernel.
3. Trojan the compilers so that all future kernels are also trojaned.
4. Trojan tripwire.
5. Trojan whatever service (ideally ssh/https) you want to piggyback.
6. You can even include a very minor trojan on the NIC cache, but this is likely overkill.
This is one of the serious drawbacks of open source everything. Not looking to start a flame war, I know open source has many fine qualities as well, this just happens to be a downside.
catch
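Step 4 above (trojan tripwire) is the part a defender can actually do something about: an integrity checker is only as trustworthy as the binary doing the checking and the baseline it compares against. The following is an added example, mine and not from anyone in the thread, of the minimal verifier you would run from a known-good environment (a clean boot CD with its own interpreter, never the interpreter on the suspect disk): hash the tree, compare to a baseline that was stored off the box, and report what was added, removed or changed. The manifest_from_bytes helper and the sample files are constructed so the logic can be exercised without a real filesystem.

```python
import hashlib
import json
import os


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file read in chunks, so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest_from_tree(root):
    """{relative_path: sha256} for every regular file under root (symlinks skipped).

    Run this from trusted boot media against the suspect disk mounted read-only;
    a trojaned kernel or libc on the running system can feed this code lies.
    """
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest


def manifest_from_bytes(files):
    """Same shape as manifest_from_tree, built from {path: bytes} (for constructed inputs)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def compare(baseline, current):
    """Diff two manifests. Sorted lists keep the output stable for review and tests."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "changed": sorted(p for p in base_paths & cur_paths
                          if baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Store the baseline off-box (USB stick, other host); on-box it is just another file to trojan."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


# Constructed sample: a "clean" tree and the same tree after a hypothetical
# compromise in which /bin/ls was replaced and a hidden library was dropped.
CLEAN = manifest_from_bytes({
    "bin/ls": b"ls-binary-v1",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "sbin/tripwire": b"tripwire-binary-v1",
})
COMPROMISED = manifest_from_bytes({
    "bin/ls": b"ls-binary-with-extra-features",
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "sbin/tripwire": b"tripwire-binary-v1",
    "lib/.hidden.so": b"not-a-real-library",
})


if __name__ == "__main__":
    # Real use: baseline = manifest_from_tree("/mnt/clean-root") at install time,
    # then compare(load_manifest("/media/usb/baseline.json"), manifest_from_tree("/mnt/suspect"))
    print(json.dumps(compare(CLEAN, COMPROMISED), indent=1))
```

The comparison is deliberately hash-only: the post above explains that a rootkit can make a modified file look unmodified to anything on the box, so size, mtime and permission bits read from the live system are not evidence. Note also that the baseline has to be taken before the compromise; a manifest of an already-rooted box just certifies the rootkit.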
It is quite possible that a trojan could make itself extremely difficult to detect.
It would modify either the C library or the kernel such that the view of the filesystem was modified in the following respects:
- Any inspection of the modified files showed them not having been modified (despite the fact that they are)
- Any files belonging to the trojan itself would be invisible
- Any directories it had created would be invisible
- Any boot scripts needed to start it up (or registry on windows) would appear unmodified.
Essentially, once installed, it alters the system to make it look like it isn't. This is technically feasible (if not terribly easy), and some Linux kernel rootkits do do this. Also there was a Windows trojan reported which also used such techniques (although not very successfully - as it bluescreened boxes).
Additionally, given administrator/root privileges, it could identify any known virus checkers running and prevent them from working although this would be unnecessary if the above steps were entirely effective.
There are trojans which can be EXTREMELY difficult to find; some of these are LKMs (loadable kernel modules) on Linux, or the newly emerging thing on Win32 machines is kernel hacking or rootkits. See http://www.rootkit.com/ for more.
-Maestr0
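The two posts above describe a kernel or libc hook that filters a process or file out of every listing. The standard defensive answer is a cross-view check: obtain the same information through two independent kernel paths and diff them, because a hook that forgets one path leaks the hidden object. Below is an added example of that technique for processes on Linux, written by me and not taken from the thread or from rootkit.com: /proc is the "normal" view, and kill(pid, 0) probing every possible PID is the second view. The pure hidden_pids function is what gets tested, on constructed sets; the live collectors only run when the file is executed directly.

```python
import os


def read_pid_max(path="/proc/sys/kernel/pid_max"):
    """Upper bound for the probe loop; falls back to the classic 32768 if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def pids_from_proc(proc="/proc"):
    """View 1: everything /proc lists, including thread IDs under /proc/<pid>/task.

    Thread IDs must be included because kill() accepts a TID as well as a PID;
    without them every multithreaded process would look like a cluster of
    hidden entries.
    """
    visible = set()
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        visible.add(int(name))
        try:
            for tid in os.listdir(os.path.join(proc, name, "task")):
                if tid.isdigit():
                    visible.add(int(tid))
        except OSError:
            pass  # process exited mid-scan, or task dir not readable
    return visible


def pids_by_probe(max_pid):
    """View 2: ask the kernel about each PID directly with signal 0 (no signal is sent)."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue              # no such process
        except PermissionError:
            pass                  # exists, but owned by someone else
        alive.add(pid)
    return alive


def hidden_pids(visible, reachable):
    """Pure comparison: PIDs the kernel acknowledges that the listing omitted."""
    return sorted(reachable - visible)


def still_hidden(pid, proc="/proc"):
    """Re-check one candidate to filter out processes that simply exited between the two views."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return not os.path.isdir(os.path.join(proc, str(pid)))


def live_scan():
    """Run both views and return the candidates that survive a second look."""
    candidates = hidden_pids(pids_from_proc(), pids_by_probe(read_pid_max()))
    return [pid for pid in candidates if still_hidden(pid)]


if __name__ == "__main__":
    found = live_scan()
    print("hidden PIDs:", found if found else "none")
```

Two caveats belong with this check. First, it catches a rootkit that hooks the /proc directory listing but not the kill() path; one that hooks both (or sits below the syscall layer entirely, as the KIS post earlier describes) will show a clean result, so an empty list is "nothing found", not "nothing there". Second, on a 64-bit host pid_max may be in the millions, so the probe loop takes a few seconds; the re-check in still_hidden is what keeps short-lived processes from producing false alarms. The same idea applies to files (compare a directory listing against raw reads of the on-disk structures, or against a listing taken from trusted boot media).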
Sample of Google results
Blazer5
http://www.megasecurity.org/trojans/...5/Blazer5.html
http://www.glocksoft.com/trojan_list/Blazer5.htm
or not
http://www.sans.org/rr/homeoffice/investigation.php
Hmmm...a custom designed Trojan would be undetectable....because it would be the first and only of its kind...although its behaviour might ring some bells.....but generally, I don't think a generic off-the-net Trojan is undetectable...it might be hidden, but AVs and hunter-seeker programs find 'em pretty quick..
- Noia
I know about some proof-of-concept trojans (not very functional, but proving that the idea can be done) on various systems (I heard about Linux and Windows) using the 2nd OSI layer instead of higher layers in order to bypass firewalls, netstat and such detection techniques.
Real trojans communicating this way would currently be undetectable if they weren't known by AV software. Which is often the case with recent trojans.
KC
Well, what was his problem then, guys?
Is it an undetectable trojan or is it normal M$ security holes?
Because that is his question..
PS: I am not attacking the comments in this thread, this information is good and handy.. just trying to keep the thread on topic to help ..
cheers
Ah... an undetectable trojan would be one that comes along with a virus to totally fsck up a large list of AV kits.
You can make it so the AV kit becomes simply useless, or have it so that it will simply skip the folder that you install this trojan/backdoor in. Or make it so even if it's manually forced to scan that folder, it won't pick it up (only the particular backdoor/trojan you're using).
That would be quite bitchin', and be hell to fix up.
There are Key Loggers that are NOT detected by AntiVirus.
Do they count as a 'Trojans' ?
Nope...