Andreas Haak-Ants anti-trojan project

Anyone heard anything from Andreas or anthing about the project lately? I posted in the testcenter board, but don't seem to be able to get any response.

 

I was wondering that exact same thing !!

regards,
bill

 

Too much to do ((. I hope i will get internet access at home on 12/19/2002 - or at least electricity *fg*.

I think i will NEVER move again ... .

 

Hi Andreas,

Thanks for stopping by and telling us.
Moving is indeed an energy and time consuming bussiness.
There's nothing to gain in rushing it though.
I hope we will be seeing you more often once your access to the www has been firmly established.

Regards,

Pieter

 

now that hes here grab him grab him lol im lock him in my basement lol till ants is done lol

 

Ants is abandonned - go for a real anti-trojanz - TDS beats the sh*t out of any competitor, and that's not even the new upcoming version.

Better spend some buckz on reliable software, instead of going for all other antitrojanz.

Ants was fun as long as it lasted - way, way back, as a final but unreliable last resort for those wanting a free app. Hope that gladiotor thingie isn't going the same way: starting off nicely, ending up as crap

Hals und Beinbruch, as they say in belgium

 

No doubt...
TDS is the Cream of the Crop when it comes to AT's !

I will still try Andreas' project when it is ready !!

As for Gladiator...
I have nothing but Praise for the effort and work that Michael and his team are doing over at GAV !

cassez une jambe,
bill

 

Andreas'

Been a while since last I posted to you......you were very ill at the it the time as I re-call.........truely I hope that your health has improved.......wishing you the very best,


snowman

 

From what I understand........it will possibly be the middle or end of January before the Ant's Project starts back up. I saw a post from Andreas stating something like this. Not sure where, but that was the jest of it. He's getting situated with a new position, location, computer?, and internet connection.
bob

 

>TDS beats the sh*t out of any competitor, and that's
>not even the new upcoming version.

It depends. TDS-3 has many weaknesses. Weak database encryption so a trojan can modify his own signature records, many mutexes you can use to prevent tds from starting and so on.

TDS is quite slow - i think trojanhunter has more potential.

>Hals und Beinbruch, as they say in belgium

Ui - jemand der Deutsch spricht ;o).

 

>From what I understand........it will possibly be the middle or
>end of January before the Ant's Project starts back up. I saw a
>post from Andreas stating something like this. Not sure where,
>but that was the jest of it. He's getting situated with a new
>position, location, computer?, and internet connection.

Right. But at the moment i don't know if i can restart coding on ants in the nearer future. There are too many ideas and too less time (.

 

> There are too many ideas and too less time (
Interesting - you always seem to have plenty of time to bag TDS, yet not enough time to develop anything better than TDS. Here's a word for you Andreas ... http://dictionary.reference.com/search?q=unprofessional
But then, maybe professionalism is a concept that's hard to grasp when you're only 17 and still very unexperienced when it comes to things like business and public relations.

> TDS is quite slow - i think trojanhunter has more potential.
Trojan Hunter doesn't scan for very many trojans compared to TDS, and only has one simple detection method which from memory is easily bypassed simply by changing the size of any trojan - eg. by adding lots of nullchars on the end, as Trojan Hunter automatically (unintelligently) grabs its signatures from fixed locations in a file, ie. something like .3, .7, and .9 of the way through -- you can determine this yourself simply by using its 'Add Signature' feature, and having a look at where the bytes are taken from, so I'm not revealing anything new here. It's an extremely weak detection method and it requires 3 x 64 bytes per trojan, meaning if Trojan Hunter detected even half the trojans TDS does, its database filesize would be enormous. After adding bytes to the end of a trojan, the trojan still runs as normal, but as the filesize changes, Trojan Hunter looks in different places in the server for its signatures, which it won't find if the filesize has changed by more than say, 2%.

On the other hand, TDS scans for tens of thousands of trojans and trojan variants, and uses literally dozens of detection techniques - many of them developed here in our lab and are unique to TDS. TDS4 has been completely rewritten with all scanning routines built in assembly language, you won't find a faster trojan scanner so don't get too excited about bagging TDS for being slow. Thorough scanning can never be fast, there'll always be limitations -- the more thorough the scan, the slower the scan. It's about quality, not speed, but we've made TDS4 as fast as it possibly can be.

> Weak database encryption so a trojan can modify his own signature records
No trojans have ever done this, and it would be ridiculous if they did -- the databases are compressed also -- a trojan would need to decompress the database, decrypt the database, modify what it wanted to modify, re-encrypt, and re-compress. Why bother? You're also forgetting that _ALL_ databases can be decrypted as the decryption code is built into the scanner, so your argument is mute. It's not "weak encryption" either - it's a fairly advanced 128-bit algorithm, which is perfect for what it does. It would be pointless using an asymmetric algorithm, because the decryption code and decryption key still need to be stored in the program, so trojan authors will _always_ be able to determine which signatures are being used, and then modify their trojan accordingly. You seem to be avoiding many fundamental concepts here, and you're also forgetting that TDS stops trojans _before_ they execute, so even if such a trojan was created, TDS wouldn't allow it to run anyway.

> many mutexes you can use to prevent tds from starting and so on.
You're saying that without even testing - TDS doesn't use mutexes to test if it has already started.

For somebody who claims to have so little time, I'm constantly amazed by how much time you devote to putting us and TDS down, yet at the same time letting your own anti-trojan wither away into a state of uselessness.

This is the sort of person Andreas Haak is, folks - a teenager with nothing better to do but spread lies about a competitors product. When was the last time you heard any _reputable_ anti-trojan authors (ie. Kevin McAleavey from NSClean - a very nice fellow and also very experienced in this field) make such claims? The answer: never. Why? He has professional conduct. I only wish Andreas did also.

I'd love to stay and waste more time defending Andreas' lies, but unlike Andreas, some of us have work to do.

Regards,
Wayne

 

>Interesting - you always seem to have plenty of time to bag
>TDS, yet not enough time to develop anything better than
>TDS. Here's a word for you Andreas ...
>http://dictionary.reference.com/search?q=unprofessional

And maybe a word for you ... http://dictionary.reference.com/search?q=contemptuous

>Trojan Hunter doesn't scan for very many trojans compared
>to TDS, and only has one simple detection method which
>from memory is easily bypassed simply by changing the size
>of any trojan - eg. by adding lots of nullchars on the end, as
>Trojan Hunter automatically (unintelligently) grabs its
>signatures from fixed locations in a file, ie. something like .3,
>.7, and .9 of the way through -- you can determine this

I thinks so too. By the way. trojan hunter uses a rounded filesize value to be more tolerant.

>On the other hand, TDS scans for tens of thousands of
>trojans and trojan variants, and uses literally dozens of
>detection techniques - many of them developed here in our
>lab and are unique to TDS.

It only has about 15.000 file/memory signatures. Traces are - in my opinion - irrelevant.

>TDS4 has been completely rewritten with all scanning
>routines built in assembly language, you won't find a faster
>trojan scanner so don't get too excited about bagging TDS
>for being slow.

We spoke about TDS3 - not four.

By the way ... won't use assembler - hard to port it to other plattforms.

>Thorough scanning can never be fast, there'll always be
>limitations -- the more thorough the scan, the slower the
>scan. It's about quality, not speed, but we've made TDS4 as
>fast as it possibly can be.

It can - defnitly it can. Look at NOD32 for example - and - by the way - it has a more complex scanning routine and more signatures as tds but is several times faster.

>a trojan would need to decompress the database,

Yes - using zlib - included with TDS - where is the problem?

>decrypt the database, modify what it wanted to modify

Where is the problem?

>re-encrypt, and re-compress.

The same as above. All you need is included in TDS.

>Why bother? You're also forgetting that _ALL_ databases can
>be decrypted as the decryption code is built into the
>scanner, so your argument is mute.

But as every time you can make it hard or easy.

>It's not "weak encryption" either - it's a fairly advanced
>128-bit algorithm, which is perfect for what it does.

Doesn't know much about encryption - but it took several hours to break it. If i can do this every trojan coder can do this, too. Some parts of the database using some static xor stuff (xor $FF and xor7, xor3 and some other i think).

>You're saying that without even testing - TDS doesn't use
>mutexes to test if it has already started.

Exact. Never tested it - as i said - to less time.

>down, yet at the same time letting your own anti-trojan
>wither away into a state of uselessness.

Too less time - as i said. Most things I tried are several months old. But at the moment no time ).

 

Hi Andreas,

nice to see you fighting again. Just my thoughts after reading this postings from you and Wayne again. Just wondering that Magnus did not jump in to defend his program.

TDS-3 has (as any other av/at software) its strengh and weakness. The last thing is the reason why we (soon?) see TDS-4 coming. And also Trojan Hunter is not perfect - that's why Magnus is also working on his next version.

Is TDS-3 better than Trojan Hunter: Yes it detects more trojans and has more features but for users that are not that deep into systems and security at all they loose the advantages of TDS-3 as it is too complex and difficulat (for beginners) to understand. But overall also Trojan Hunter is not a bad program at all compared with other available anti trojan programs around: it beats IMHO Cleaner, Tauscan or Anti Trojan.

And now the patch story: There has been a lot of discussion regarding patched av/at signature databases. Technical wise this sounds "dangerous" but I do not think that any trojan user scares about TrojanHunter, TDS-3 or KAV at all. Simply because around 90% (my assumption) of all home users use either no virus/trojan protection, old outdated signature databases, NAV or other bad avs (regarding trojan detection). So why bother with the minority of users?

Yes you can patch your server to decrypt the signature base of each program but if you really want to make an undetected server you have to decrypt the signatures of nearly all av/ats just to get the "perfect" undetected server - sounds stupid or?

I personally do not see "patching" of trojan servers and decryption of av/at signatures as real "threat". Maybe I am wrong but these patched servers stay only undetected for a short time like any other new malware that needs to be added for protection.

So maybe we could continue to discuss this technical wise and discuss strategies and technics against these threats instead of blaming each others software to be crap.

wizard

 

I know very little about what is being discussed technically in this thread. What I do know is that many people were very willing to participate with the Ant's Project and it seemed to take off like a rocket right at first and then fizzled out to nothing. It's more difficult to be understanding with the delays when one reads parts of this thread (of course, I can only really speak for myself). I am not sure what to think anymore. I don't like the idea of Trojans.......that I do know. Well,,,,,,,whatever. Wish you all Well. bob

Andreas, I do feel that it would be appropriate for you to post a message at the following to let others know what is not going on at the moment:

http://testcenter.ants-online.de/index.php

 

Now I'm 100% sure you're a belgian guy.....

 

Dang I sure wish I was aqs smart at 17 years old as Andreas is.
At 17 I was only a rebel teenager. Do you people remember those years. Did you really think you could have been a
better teen?
I also tried ANTS and liked it. If it is not going anywhere so be it.
I wish it could still be developed though. Andreas? do you need help in the development of ANTS? Do you need extra programming help ?
I am sure there would be plenty of volunteers.
Did you ever wonder why Norton didn't get into the trojan market?
No dought TDS-3 is a good product and I can't wait to see the new version. TDS-4

 

No advanced trojan user is going to bother modifying trojan detection databases - why ?

Scenario 1 - the trojan is already detected by the AT in question. So to RUN in the first place, the trojan itself will require modification in order to bypass detection. If it has already been edited to miss detection, why modify the database that doesn't even detect it ?

EDITING trojans is what most advanced users do - this is FACT. They do this to bypass file scanning - hence hand crafted, strong memory detection signatures, memory objects, mutexes, which can't be modified by anything less than very competent trojan users who edit trojans.

Scenario 2 - the trojan isn't already detected by the AT. How will this trojan user know what is going to be detected on, or will they later edit the database remotely ? (unlikely)

Memory scanning is the most powerful element of TDS, and any scanner. The argument of weaknesses such as editing databases and such is pointless, and a waste of time both for us and trojan users.

 

Nize post, Gavin

 

>Scenario 1 - the trojan is already detected by the AT in question. So to RUN in the first place, the
>trojan itself will require modification in order to bypass detection. If it has already been edited to
>miss detection, why modify the database that doesn't even detect it ?

Most scanner - except from TDS (but if i remember the execution scanning doesn't work with ME/XP) - doesn't have any OnAccess scanner.

>EDITING trojans is what most advanced users do - this is FACT. They do this to bypass file
>scanning - hence hand crafted, strong memory detection signatures, memory objects, mutexes,
>which can't be modified by anything less than very competent trojan users who edit trojans.

Ok - but ...

1. Memory Detection:
I think it wouldn be a problem to use the layer model of windows nt to prevent a scanner from reading the the process memory. In most cases the scanner is running on application level. If the trojan is running as a service the application level scanner can't read the process memory of the trojan and so it can't scan its process memory. I think there are a few ways to access the memory space of services from application level (for example put the service into debug mode). But this ways are only possible due a few bugs in windows nt's rights management - and i think most of them are fixed with windows 2000 sp3. But i never tried it ).

By the way ... BioNet 3.18. Change all "BioNet" inside the server to "Bi0Net" or something else with a hex editor and TDS won't detect it. Is this your definition of a strong signature? By the way - this is a general problem of all at's that using a real scanning and not only fingerprinting. Most time a area is used as a signature that has the trojan name included. But this is a real problem - cause every one can hex edit it.

And by the way - TDS will find it then with it heuristic ;o).

2. Memory Objects:
Doesn't know what exactly you mean. If you mean classnames, window labels and so on it wouldn't be hard to change them any time the trojan is started.

3. Mutexes:
But only if the trojan has a static mutex. The name of the mutex can be easily changed using for example the windows owner name and generate a name from it.

Most detection methods only work cause trojan programmers are quite silly - thats all.

>Memory scanning is the most powerful element of TDS, and any scanner. The argument of weaknesses
>such as editing databases and such is pointless, and a waste of time both for us and trojan users.

I am not a fan of memory scanning cause the trojan have to be active in memory to detect it and it wouldn't be a problem to modify TDS in memory so it can't detect it.

 

First time I hear that TDS execution scanning doesn't work with ME/XP

Maybe some DCS-guy/girl can give the right answer on this statement?

 

I think there is a problem. But it might be false ).