
Thread: Anti-trojan app.s?

  1. #1
    Junior Member (joined Jan 2002, 19 posts)

    Anti-trojan app.s?

    I did a forum search for "anti-trojan", but did not find a thread on this subject, so here goes:

    I use Trojan Hunter as an AT, after being badly let down by The Cleaner. Recently, a test at PCFlank panned Trojan Hunter. The writer of Trojan Hunter responded in his own forum with this:

    Client: Remote access trojans require that the attacker have some way to take control of a compromised computer. In almost all cases, this is done with the use of a trojan client. The client is simply an ordinary program that the attacker uses to connect to the server and do such things as download files, take screenshots etc. Trojan clients, unlike trojan servers, are harmless. Unless you are an evildoer who goes about compromising peoples' computer systems or are a trojan researcher, you won't have a trojan client on your computer.

    EditServer: Most of the newer trojans come with an EditServer. This is a program that can be used to configure the trojan server. For example, the server could be configured to send information to an attacker whenever the server starts on a computer. Some trojans only come with the EditServer, and the EditServer is then used to create the actual trojan server from scratch. EditServers are also harmless and you won't have them on your computer unless you are a hacker or trojan researcher.

    Now to the question: Should TrojanHunter detect these harmless files? TrojanHunter currently only detects actual threats such as trojan servers. Most other trojan scanners also detect clients and editservers. One reason why this question seems important is the following: If someone decides to evaluate trojan scanners by downloading zip files with trojans in them he will in most cases find the following in a typical zip file: A trojan client, an EditServer and a trojan server. Only the trojan server is an actual threat here, and in some cases it won't even be in the zip file as the creator expects the hacker to create it using the EditServer. The problem, then, is this: If the "trojan files" are scanned, then TrojanHunter will detect only the actual threat - the trojan server. It will not detect the client or EditServer. The result could be interpreted in such a way that TrojanHunter only detects 33% of all trojan files. Of course, anyone who has some more detailed knowledge about trojans and how they work will know that this conclusion is grossly inaccurate.


    I would be interested to know what those in the know think of the above. How much of it is valid, and how much marketing speak? I am learning that a false sense of security is worse than none at all, so I would be grateful for opinions on the merits of Trojan Hunter, and indeed of anti-trojan app.s in general. Thanks

  2. #2
    I'm not quite sure what you are asking, but where could I download this TrojanHunter program? To the valid question, I think it is all valid. Still, I'm not quite sure what you are asking.

  3. #3
    Junior Member (joined Jan 2002, 19 posts)
    Bumped up because I would love to hear any opinions on this subject

  4. #4
    Senior Member (joined Apr 2002, 1,050 posts)
    Here's the link. I didn't really know what you were getting at, but I'm gonna give this "trojan hunter" a try: www.mischel.dhs.org/trojanhunter.jsp
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  5. #5
    Junior Member (joined Jan 2002, 19 posts)
    Originally posted here by JCHostingAdmin
    I'm not quite sure what you are asking, but where could I download this TrojanHunter program? To the valid question, I think it is all valid. Still, I'm not quite sure what you are asking.
    Sorry. Here's the URL for Trojan Hunter: http://www.misec.net/trojanhunter.jsp

    My question was, is the stuff in blue a valid argument, or is it marketing hype, aimed at explaining away a poor test result?

  6. #6
    Darn, I need a free one for now. Any free ones (not just demos) out there that work well?

  7. #7
    Senior Member (joined Apr 2002, 317 posts)
    I am of the opinion that all files should be detected and removed unless I specify otherwise. Does the software not even notify you if the Client and EditServer exist?
    I don't think this is a good thing. If the client and the editserver are on the machine, what is to prevent you from shooting yourself in the foot and creating a server? It seems to me that this would be primarily marketing speak, but that is just my opinion. From my point of view and the stance I take on security, this type of app should be reporting all, not promoting a false sense of security by leading you to believe you have been cleansed of trojans. Just my opinion though.

    Regards.

    [edit]
    in my opinion, if they haven't found all the trojan related files, then the tool failed. They are covering with hype and babble.
    [/edit]
    "I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."


  8. #8
    Junior Member (joined Jan 2002, 19 posts)
    Thanks for taking the time to share your opinion, chefer. Your reply raises another question for me. You talk about "shooting yourself in the foot and creating a server". How easy would it be to unintentionally create a server, thus putting oneself at risk? This might be an important factor for consideration, since the program's author is soliciting opinions and advice on whether or not to broaden the scope of his app.

    Oh, and just in case anybody was wondering, I have no connexion with the product other than as a satisfied customer, curious to learn more about this subject.

  9. #9
    I think he meant that when you download sub7, generally the edit server or client has the actual server in it, thus screwing yourself. Just my two cents.

  10. #10
    Senior Member (joined Feb 2002, 1,210 posts)
    well JC, I've never tried this one.. but it's free..

    Swat It http://www.lockdowncorp.com/bots/downloadswatit.html

    Right now, I'm using both tauscan and trojanhunter.. with the hunter remaining in active mode
    I kinda prefer trojanhunter as it finds/tells you things tauscan doesn't..

    But really, the one that looks absolutely the best is TDS-3.. although they've gotten a bum rap for spamming.. which has proven to be false (look thru the newsgroups)

    TDS-3 http://tds.diamondcs.com.au/html/technical.htm

    also found at the above site is this nice little write up on the main trojan threats.. http://tds.diamondcs.com.au/html/threats.htm
    Current Main Threats - GLOBAL

    OPTIX LITE

    Optix Lite is an exceedingly dangerous trojan in heavy use at this time. Optix Lite is an uploader, or mini trojan with the capability to terminate known security software. It will shut down all well known security programs by scanning for the name of the running programs. It will also continually scan for the presence of these programs and terminate them if they have been restarted. Once the hacker has access with Optix Lite, they will upload and install a larger trojan such as those described in this section, giving complete and unblockable access to the machine. More often than not, users are unaware their security software is no longer running. Optix Lite is the single most dangerous trojan threat at the current time, it is already stable and reliable, and hard to detect with file scanners as it is released unpacked ready for modifications. We have released an advisory here with more details on the latest Optix Lite release, at the time of writing.

    Optix Lite is being used by a huge number of hackers. Use should remain steady and grow even further with more releases, expect Optix Lite to remain popular for at least the next three to five years.

    All versions of Optix Lite are detected by TDS.
    0.1, 0.2, 0.2 GW, 0.3, 0.3b, 0.3c, 0.4, 0.4a, 0.4b, 0.4c, 0.4N

    OPTIX PRO

    Optix Pro is very popular as the full featured trojan counterpart to Optix Lite. This trojan is very dangerous, and has meant a lot of research here at the DiamondCS Lab. Optix Pro has a full feature set, including what users are saying is the best screen and webcam capture of any trojan to date, along with rock solid stability.

    TDS-3 has the ability to detect this trojan in file scans even if manually modified. The trojan should still be flagged with a positive identification due to advanced detection techniques employed. Executable compression does not stop TDS from detecting new variants, and version 1.1 did not even need analysis to be detected. We have further strengthened this detection since the release of version 1.1 to be sure of good detection rates. In memory, TDS should find all possible variants of Optix Pro unless it was rebuilt from scratch. We have released an advisory here with more details on Optix Pro.

    Optix Pro is being used by a lot of trojan users in the wild, and heavy use should continue for at least the next three years or more.

    All current versions of Optix Pro are detected by TDS.
    1.0, 1.1

    SUBSEVEN

    SubSeven is the most globally-widespread trojan and has overtaken all others to be widely recognised as the most popular Remote Access Trojan for the year 2001. SubSeven is currently at version 2.2, and while very buggy it is still heavily in use. SubSeven 2.2 brought new methods of autostarting and infects the system in many ways to keep itself installed. Development on SubSeven continues.

    SubSeven is in heavy use throughout the world and will most likely remain so for at least the next three years. The newest version 2.2 shaped as a serious threat and new features were to make using multiple victims in a DDoS attack easy to coordinate. Most users are using 2.1.4 DEFCON and modified variants, for its stability. TDS easily detects SubSeven variants in memory.

    All variants of SubSeven are detected by TDS.
    1.0, 1.1, 1.3, 1.4, 1.5, 1.6, 1.7, 1.8, 1.9, 2.0, 2.0 Unpacked, Apocalypse, Apocalypse.b, "Undetectable", 2.1, 2.1.b, 2.1.c, 2.1.d, 2.1 Mod, 2.1 Patched, 2.1 Stealth, 2.1 GOLD, 2.1 GOLD.a, 2.1 GOLD.b, 2.1 MUIE, 2.1 MUIE Unpacked, 2.1 MUIE.a, 2.1 MUIE.b, 2.1 MUIE.c, 2.1 MUIE.d, 2.1 MUIE.e, 2.1 BONUS, 2.1 BONUS Unpacked, 2.1 BONUS (Mod a,b,c), 2.1 BONUS.a, 2.1 BONUS.b, 2.1 BONUS.c, 2.1 BONUS.d, 2.1 DEFCON, 2.1 DEFCON.a, 2.1 DEFCON.b, 2.1 DEFCON.c, 2.1 DEFCON (MRX Mod), 2.2beta, 2.2beta NT, 2.2, 2.2a, 2.2b, 2.2c, 2.2d

    BIONET

    BioNet is a trojan rising quickly in popularity and is a very serious threat. New features in versions 3.x mean this trojan is capable of shutting down many defence programs these being popular trojan scanners, antivirus scanners and firewall software. The trojan is also capable of corrupting some of these programs installations in such a way that they cannot be reinstalled.

    BioNet is already widespread and should climb to very heavy use within the next six to twelve months, and remain so for at least the next three to five years.

    All available and old versions of BioNet are detected by TDS.
    0.84, 0.871, 0.92, 0.92 NT, 2.10x, 2.21, 2.21 NT, 2.61, 2.81a, 2.9x, 3.0, 3.02, 3.04, 3.05, 3.06, 3.07, 3.08, 3.09, 3.10, 3.11, 3.12, 3.13, 3.14 Beta, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19 Beta, 4.0.1, 4.00.02, 4.00.03

    BioNet Lite is also detected
    1.0 (Beta)

    MOSUCKER

    MoSucker is now a very popular trojan. This trojan has become very dangerous, and has prompted extra research here at the DiamondCS Lab. MoSucker is becoming a very serious threat, as new features in version 2.2 mean this trojan is capable of shutting down many defence programs and this is even configurable for the trojan user. Popular trojan scanners, antivirus scanners, firewall software and more can be targeted at will, and prevented from starting. To worsen the danger, there are anti removal features which make manual removal difficult for the novice, and the unique server creator will generate different servers, and can be very difficult to detect from file scanning. TDS-3 has been given the ability to detect this trojan in file scans every time, and even if further polymorph technology was built into the server creator TDS-3 has the ability to rise to the task. Even manually modifying the trojan would still mean a positive identification.

    MoSucker is already being used significantly, and should climb to very heavy use within the next six to twelve months, and remain so for at least the next three years or more. MoSucker is no longer in development.

    All known versions of MoSucker are detected by TDS.
    1.0, 1.0a, 1.1, 1.1a, 1.12, 2.0, 2.1 Beta, 2.1, 2.11 Beta, 2.2

    INFECTOR

    Infector is a popular trojan that is being used more and more recently. The Infector trojan is a very serious threat, it has close to all the features of SubSeven, including port redirection features. We have released an advisory here with more details on the latest Infector release, 2.0 Bonus.

    Infector is widespread and should stay in heavy use for at least the next two to four years.

    TDS will detect all known Infector variants.
    1.0, 1.3, 1.4, 1.4.2, 1.6, 1.6a, 1.6b, 1.7, 1.7 Bonus, 1.7b, 1.7c, 1.8 Beta, 1.8, 1.9 Alpha, 1.9 Alpha Unpacked, 2.0 Alpha, 2.0 Alpha Unpacked, 2.0, 2.0 Unpacked, 2.0 Bonus, 2.0 Bonus Unpacked

    UNDETECTED

    Undetected is also becoming very popular, and is one trojan with very powerful features. In the latest version Undetected is very dangerous, under Win9x or ME the server is completely invisible, hiding itself in another running process. Detection that the trojan is resident by normal methods is extremely difficult and even with the power of TDS detection is not easy, but even Undetected 3.3 cannot hide from TDS.
    Undetected is also already becoming widespread and should be highly used for at least the next few years, possibly a long time. With its technical specifications Undetected could become an extreme threat.

    TDS will detect all known released versions of Undetected.
    Muerte 1.1, 4fk 2.2, SE 2.3, SE 2.3a, SE 2.3b, 3.0, SE 3.0, SE 3.0a, 3.1, 3.1a, SE 3.2, 3.3, 3.31, 3.32

    Y3K RAT

    Y3K Rat is a definite threat to home PC users. This trojan has reached version 1.6. It is now popular, the newest version made headlines on many security related news websites. Y3K Rat is another Remote Access Trojan with powerful features. It has the ability to terminate known running processes such as firewalls and virus scanners, a popular feature of the newest Remote Access Trojans. Detection that the trojan is resident is not a problem for TDS-3, with multiple scans having the ability to reveal an infection.

    Y3K Rat is another widespread trojan and should be used for at least the next few years, possibly longer. With its recent versions it has proven itself a serious threat.

    TDS will detect all known released versions of Y3K Rat.
    1.0, 1.1, 1.2, 1.3, 1.4, 1.4b, 1.4c, 1.5, 1.6, 1.6 Unpacked, 1.6a, 1.6a Unpacked, 1.6 MS, 1.6 MS Unpacked

    NETBUS 1.x

    Infection is still hugely widespread, and ongoing. NetBus 1 is still a trojan of choice for many hackers. Listening on TCP 12345 will snare most connection attempts. The majority of these connection requests on TCP 12345 will be from probes - programs or possibly worms scanning for open servers. Due to the openness of the NetBus 1.x protocol, a lot of programmers have developed utilities, programs, worms, and all sorts of things that are based around the Netbus server.

    This is a medium-term problem. NetBus 1.x should still be in use for a few more years.

    NETBUS 2.x is not so much a problem, due to encrypted communications, and also the fact that NetBus 2 has gone shareware.

    All variants of NetBus are detected by TDS.
    1.20, 1.53, 1.60, 1.70, 1.70 (Mod), 1.70 (Spanish), 2.0 (Mod), 2.0 Pro (Beta), 2.0 Pro, 2.01, 2.10, 2.x (Cryo Mod)
    NetBus droppers: BOWhack, Pie Bill Gates, Whack-A-Mole 1.1, Whack-A-Mole 1.7, Movie trojan, Picture trojan

    IRC THREATS
    IRC is a primary worm breeding ground. Open, text-based protocols such as IRC, Email (SMTP), etc are the most common protocols that worm programmers use to write propagation routines into their worm.
    Upon joining an IRC channel, one of the following may occasionally automatically happen to you:
    - receive a connection request on TCP 12345, testing the existence of NetBus.
    - receive a connection request on TCP 1243, testing the existence of SubSeven.
    - receive a connection request on TCP 27374, testing the existence of SubSeven 2.x.
    - receive an encrypted packet on UDP 31337, testing the existence of Back Orifice.
    - receive a DCC SEND notice on IRC, with either a .exe, .com, .ini, .bat, .pif, .vbs, .shs .hta or .htm file.
    - receive a private message telling you to perform a command beginning with //$decode
    It will be a script doing all the work here, not a human. The human attacker will be sitting by, waiting for his script to show some results.

    DiamondCS have released a small freeware program to detect most IRC worms, see the IRClean page here
    I didn't bother putting in the embedded links.. you folks can go there if you wish..
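The IRC threat list quoted above names concrete, checkable signals: probe connections to TCP 12345, TCP 1243, TCP 27374 and UDP 31337, unsolicited DCC SEND offers of executable or script files, and private messages pushing a //$decode command. The script below is an added example (not from DiamondCS, TDS, or anyone in this thread) that runs those checks over a constructed sample log. The `FW ...` and `IRC ...` line formats are assumed for the example; real firewall and IRC client logs differ and the regexes would need adjusting. Matching `$decode(` anywhere in a message, not just at the start, is a broadening of ours.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Probe ports named in the DiamondCS write-up quoted in this post.
PROBE_PORTS = {
    ("tcp", 12345): "NetBus 1.x probe",
    ("tcp", 1243): "SubSeven probe",
    ("tcp", 27374): "SubSeven 2.x probe",
    ("udp", 31337): "Back Orifice probe",
}

# File extensions the write-up lists for unsolicited DCC SEND offers.
RISKY_EXTENSIONS = {".exe", ".com", ".ini", ".bat", ".pif", ".vbs", ".shs", ".hta", ".htm"}

# Assumed (constructed) log line formats; real firewall and IRC logs differ.
FW_RE = re.compile(r"^FW (tcp|udp) (\S+):(\d+) -> (\d+)$")
DCC_RE = re.compile(r"^IRC DCC SEND (\S+) (\S+)$")
PRIVMSG_RE = re.compile(r"^IRC PRIVMSG (\S+) :(.*)$")


@dataclass
class Alert:
    line: str
    reason: str


def classify(line: str) -> Optional[Alert]:
    """Return an Alert if the line matches one of the IRC-borne probe patterns."""
    m = FW_RE.match(line)
    if m:
        proto, src, _sport, dport = m.groups()
        name = PROBE_PORTS.get((proto, int(dport)))
        return Alert(line, f"{name} from {src}") if name else None

    m = DCC_RE.match(line)
    if m:
        nick, filename = m.groups()
        # splitext looks at the last extension, so "holiday.jpg.exe" is caught as .exe
        ext = os.path.splitext(filename.lower())[1]
        if ext in RISKY_EXTENSIONS:
            return Alert(line, f"DCC SEND of {ext} file from {nick}")
        return None

    m = PRIVMSG_RE.match(line)
    if m:
        nick, text = m.groups()
        # The write-up names commands beginning with //$decode; also flagging
        # "$decode(" anywhere in the message is our own broader assumption.
        if text.lstrip().startswith("//$decode") or "$decode(" in text:
            return Alert(line, f"$decode social-engineering message from {nick}")
        return None

    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run classify over every line and keep the hits, in log order."""
    return [a for a in (classify(line) for line in lines) if a is not None]


# Constructed sample log, not captured traffic; addresses are documentation ranges.
SAMPLE_LOG = [
    "FW tcp 203.0.113.5:4411 -> 12345",
    "FW tcp 203.0.113.5:4412 -> 80",
    "FW tcp 198.51.100.9:1040 -> 27374",
    "FW udp 198.51.100.9:31337 -> 31337",
    "IRC DCC SEND some_nick holiday.jpg",
    "IRC DCC SEND some_nick holiday.jpg.exe",
    "IRC PRIVMSG helper_bot :type //$decode(Li4u) to fix your client",
    "IRC PRIVMSG friend :hi there",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert.reason, "<-", alert.line)
```

Against the sample log this reports five alerts: the NetBus, SubSeven 2.x and Back Orifice probes, the `.exe` DCC offer, and the `$decode` message; the web connection, the `.jpg` offer and the ordinary private message pass. The port table is the weak point of any such rule: the write-up's own point about NetBus is that its protocol is open enough that worms and utilities reuse it, so a hit on these ports says "something is probing for a known server", not "that server is installed".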
