DrSeltsam
April 16th, 2002, 07:03 PM
(private = commercial version)
Ok ... - let's start :o).
First of all, ANTS isn't a normal scanner. It uses a powerful driver and hook system to monitor and observe all files in REAL TIME.
It's comparable to a firewall. You can define special system areas of your process, network, file or registry system, and you define a special action that should happen if a process wants to access (read, write, create, delete ...) this area (ask, block, log and so on).
I tried a very small configuration. The ANTS "system firewalls" warn if a process wants to access the Windows or system directory, the Windows start files or the registry start keys. The "rule editor" looks something like this:
http://www.ants-online.de/ants3/syswall1.jpg
(registry)
http://www.ants-online.de/ants3/syswall2.jpg
(filesystem)
http://www.ants-online.de/ants3/syswall3.jpg
(internet blocking - yes, ANTS 3.0 can act as a "normal" application-based firewall, too ;o) )
http://www.ants-online.de/ants3/syswall4.jpg
(secured processes)
The last point, called "Geschützte Prozesse" (secured processes), is quite interesting for users of a third-party security application and for applications which have access to the internet.
All processes listed in "Geschützte Prozesse" can't be killed or modified. You can't inject a DLL or something like this. So most firewall-tunneling trojans can't get active if your internet applications are secured in such a way.
It's also quite interesting for anti-virus software, which is often killed by several kinds of malware, because secured processes can't be killed via TerminateProcess.
Ok, what happens if a trojan runs in such a secured environment? Here is a test with NetBus 1.7:
Firstly, all files are scanned BEFORE they run. So NetBus will be found:
http://www.ants-online.de/ants3/netb1.jpg
We let it start. Now NetBus tries to infect your system:
http://www.ants-online.de/ants3/netb2.jpg
(copy to windows folder)
http://www.ants-online.de/ants3/netb3.jpg
(add an autorun key)
http://www.ants-online.de/ants3/netb4.jpg
(create the keyhooker)
http://www.ants-online.de/ants3/netb5.jpg
(finally it tries to act as a server)
As you see, all actions the trojan performs are listed and you can terminate the infection at any time :o).
I did a few tests with some other trojans. Here, for example, is the infection scheme of BioNet 4.0:
http://www.ants-online.de/ants3/bio1.jpg
(copy to system directory)
http://www.ants-online.de/ants3/bio2.jpg
http://www.ants-online.de/ants3/bio3.jpg
(add to run keys in registry)
http://www.ants-online.de/ants3/bio4.jpg
(offline keylogging file is created)
http://www.ants-online.de/ants3/bio5.jpg
(act as an internet server)
ANTS 3.0 uses an IDS which searches for these infection schemes and recognizes unknown trojans using a neural network :o).
All this checking is done in REAL TIME. So if you get a warning, the action HASN'T been performed yet. You can still block or permit it, or kill the host process.
That's the power of only ONE feature of ANTS 3.0 :o). If you are interested, I will post a few more screenshots and facts about ANTS 3.0 - especially the lite version :o).
Adieu, Andreas
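As an added illustration (this is not ANTS code and does not claim to show how ANTS is implemented internally), here is a small Python model of the two mechanisms the post describes: a rule table over protected file, registry, process and network areas that is consulted before an intercepted operation is carried out, and a per-process infection-scheme matcher that flags a host once it has performed enough of the steps seen in the screenshots (copy into the Windows directory, add a Run key, install a keyboard hook, open a listening socket). The rule patterns, process names, stage names, threshold and the event log are all constructed for the example; the neural-network classifier mentioned in the post is replaced by a plain count of matched steps.

```python
"""Toy model of ANTS-style "system firewall" rules plus an infection-scheme
matcher.  Added example, not ANTS code.  Rules, process names, thresholds and
the event log below are all constructed for the demonstration."""
import fnmatch
from collections import defaultdict

ASK, BLOCK, LOG, ALLOW = "ask", "block", "log", "allow"

# Rule editor: (pattern, operations, action, infection-scheme stage).
FILE_RULES = [
    (r"C:\WINDOWS\SYSTEM32\*", {"create", "write", "delete"}, ASK, "drop_to_system"),
    (r"C:\WINDOWS\SYSTEM\*",   {"create", "write", "delete"}, ASK, "drop_to_system"),
    (r"C:\WINDOWS\*",          {"create", "write", "delete"}, ASK, "drop_to_system"),
    (r"C:\AUTOEXEC.BAT",       {"write"},                     ASK, "startfile"),
    (r"C:\WINDOWS\WIN.INI",    {"write"},                     ASK, "startfile"),
]
REG_RULES = [
    (r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN*", {"create", "write"}, ASK, "autorun"),
    (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN*", {"create", "write"}, ASK, "autorun"),
]
PROTECTED = {"firewall.exe", "avscan.exe"}          # "Geschuetzte Prozesse" (assumed names)
TAMPER_OPS = {"terminate", "inject_dll", "write_memory"}
SCHEME_THRESHOLD = 3   # distinct scheme stages before a process is flagged (assumption)


def _match(rules, target, op):
    """First rule whose pattern and operation set cover the request; case-insensitive."""
    t = target.upper()
    for pattern, ops, action, stage in rules:
        if op in ops and fnmatch.fnmatchcase(t, pattern.upper()):
            return action, stage
    return ALLOW, None


def evaluate(ev):
    """Decision for one intercepted operation, taken BEFORE it is applied.
    Returns (action, stage); stage is the infection-scheme step it counts as, or None."""
    kind, op, target = ev["kind"], ev["op"], ev["target"]
    if kind == "file":
        action, stage = _match(FILE_RULES, target, op)
        return action, (stage if op in {"create", "write"} else None)
    if kind == "registry":
        return _match(REG_RULES, target, op)
    if kind == "process":
        # Secured processes: kill, DLL injection and memory writes are refused outright.
        if op in TAMPER_OPS and target.lower() in PROTECTED:
            return BLOCK, "tamper_protected"
        return ALLOW, None
    if kind == "hook":
        return (LOG, "keyhook") if op == "keyboard" else (ALLOW, None)
    if kind == "net":
        return (ASK, "server") if op == "listen" else (ALLOW, None)
    return ALLOW, None


def run_monitor(events, answer):
    """Replay intercepted events.  answer(ev) stands in for the user's reply to an
    'ask' prompt (True = permit).  Returns (applied_events, stages_by_pid, verdicts)."""
    applied, stages, verdicts = [], defaultdict(set), {}
    for ev in events:
        action, stage = evaluate(ev)
        if stage:
            stages[ev["pid"]].add(stage)
        if action in (ALLOW, LOG) or (action == ASK and answer(ev)):
            applied.append(ev)          # a denied or blocked operation never happens
        if len(stages[ev["pid"]]) >= SCHEME_THRESHOLD:
            verdicts[ev["pid"]] = "trojan-like"
    return applied, dict(stages), verdicts


def _ev(pid, image, kind, op, target):
    return {"pid": pid, "image": image, "kind": kind, "op": op, "target": target}


# Constructed event log: a NetBus-like install, a benign installer, and a
# dropper that attacks the secured processes.  Not a real capture.
EVENTS = [
    _ev(1001, "game.exe",    "file",     "create",     r"C:\WINDOWS\patch.exe"),
    _ev(1001, "game.exe",    "registry", "write",      r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Patch"),
    _ev(1001, "game.exe",    "hook",     "keyboard",   "WH_KEYBOARD"),
    _ev(1001, "game.exe",    "net",      "listen",     "tcp/12345"),
    _ev(2002, "setup.exe",   "file",     "create",     r"C:\Program Files\Editor\editor.exe"),
    _ev(2002, "setup.exe",   "registry", "write",      r"HKCU\Software\Editor\Path"),
    _ev(3003, "dropper.exe", "process",  "terminate",  "avscan.exe"),
    _ev(3003, "dropper.exe", "process",  "inject_dll", "firewall.exe"),
]


def deny_all(ev):
    return False


def permit_all(ev):
    return True


if __name__ == "__main__":
    applied, stages, verdicts = run_monitor(EVENTS, deny_all)
    for ev in EVENTS:
        print(ev["pid"], ev["image"], ev["kind"], ev["op"], ev["target"], "->", evaluate(ev)[0])
    print("stages:", stages)
    print("verdicts:", verdicts)
```

The point of replaying events from a list rather than hooking anything is that the decision is returned before the operation is "applied", which is exactly the property the post stresses; it also makes a rule set testable on a recorded sequence before it is trusted on a live machine. Replacing the three-stage count with a trained classifier, as the post says ANTS does, changes only the last `if` in `run_monitor`.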