TDS-3 vs. Polymorphic Trojans, case example


Wayne - DiamondCS
April 16th, 2003, 01:36 PM
Donald Dick is a Russian-made remote access trojan, but it's perhaps the world's most polymorphic trojan at present. TDS-3 is the only anti-trojan scanner capable of detecting this trojan, and this is explained (with disassembly and other screenshots) at http://tds.diamondcs.com.au/index.php?page=polymorphictrojans
Best enjoyed with a coffee. :)

Jooske
April 16th, 2003, 01:52 PM
No Russian vodka?


Thanks Wayne, quite impressive and amazing: further, your screenshots are very instructive, no need to wait shivering if we ever receive that one somehow to see its actions on our systems!
Thanks for creating the instructive page for us, it serves curiosity too!

Must be early morning in Perth now, sleep well!

Mr.Blaze
April 16th, 2003, 04:50 PM
hey that is kinda cool, so that's what it looks like

Mr.Blaze
April 16th, 2003, 04:54 PM
ll lmao you know what would be cool: if TDS 4, when it finds a nasty, a pic would also show up with the nasty's profile lol

for example lol tds detects donald duck, a pic of donald duck appears with the trojan's bio and info lol

mug shot wanted lol lol lol

cage or put into firing range option lol

xor
April 16th, 2003, 04:57 PM
Donald Dick isn't even polymorphic.
It's the loader, that's all.
Read the first 4096 bytes of this file, jump to the end and make a search for

B8 | 00 | 00 | 00 | 80 | 0F | BF | EA

backwards and combine this with a positive pattern (AND Pattern) of some bytes before ( C1 and 08 for instance )

;D

Douglas
April 16th, 2003, 05:00 PM
-{ Quote (Wayne - DiamondCS): "
Donald Dick is a Russian-made remote access trojan, but it's perhaps the world's most polymorphic trojan at present. TDS-3 is the only anti-trojan scanner capable of detecting this trojan,
" }-

I'm confused. Trojan Hunter lists Donald Dick 150, 153, 154, and 155 in its trojan definitions. Are these different from what you're talking about?

Douglas

Mr.Blaze
April 16th, 2003, 05:02 PM
lol are you sure lol quake quake

xor
April 16th, 2003, 05:09 PM
Ah yes, and don't forget to add FF | FF | ?? | ?? | ?? | 0F as the last positive signature to avoid false positives :D
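
As an added example (not code from the thread, nor from TDS, TrojanHunter or any other scanner discussed here), the following Python matcher illustrates the kind of byte-signature check xor describes: search the first 4096 bytes of a file, working backwards from the end of that window, for the anchor sequence, and then require the additional positive (AND) patterns before firing, so the anchor alone does not produce a detection. The byte values are the ones posted in the thread (with the 08/80 correction that follows later in the thread); the relative offsets, the search neighbourhood, and the sample buffers are assumptions constructed for illustration, not a verified signature for any real file.

```python
# Added example: wildcard byte-signature matching in the style xor describes.
# Search the first 4096 bytes of a file, working backwards from the end of
# that window, for an anchor sequence; then require extra "positive" (AND)
# patterns nearby so that the anchor alone does not trigger a detection.
# The byte values come from the thread; the relative offsets, the search
# neighbourhood ("reach") and the sample buffers are assumptions constructed
# for this example, not a verified signature for any real file.

from typing import List, Optional, Sequence

Pattern = Sequence[Optional[int]]  # None stands for a "??" wildcard byte


def parse_pattern(text: str) -> List[Optional[int]]:
    """Turn a 'B8 | 00 | ?? | 0F' string into [0xB8, 0x00, None, 0x0F]."""
    return [None if tok == "??" else int(tok, 16)
            for tok in text.replace("|", " ").split()]


def match_at(data: bytes, pos: int, pattern: Pattern) -> bool:
    """True if pattern matches data at offset pos (wildcards match anything)."""
    if pos < 0 or pos + len(pattern) > len(data):
        return False
    return all(p is None or data[pos + i] == p for i, p in enumerate(pattern))


def find_backwards(data: bytes, pattern: Pattern, window: int = 4096) -> int:
    """Highest offset inside data[:window] where pattern matches, else -1."""
    last_start = min(len(data), window) - len(pattern)
    for pos in range(last_start, -1, -1):
        if match_at(data, pos, pattern):
            return pos
    return -1


# Anchor sequence from xor's post, searched backwards within the window.
ANCHOR = parse_pattern("B8 | 00 | 00 | 00 | 80 | 0F | BF | EA")
# Positive (AND) patterns: "some bytes before" the anchor (C1 80) and the
# "FF FF ?? ?? ?? 0F" sequence after it. The thread gives no exact distances,
# so this example (assumption) accepts them anywhere within `reach` bytes.
BEFORE = parse_pattern("C1 | 80")
AFTER = parse_pattern("FF | FF | ?? | ?? | ?? | 0F")


def matches_signature(data: bytes, window: int = 4096, reach: int = 32) -> bool:
    """Anchor found in the window AND both positive patterns found near it."""
    anchor = find_backwards(data, ANCHOR, window)
    if anchor < 0:
        return False
    # BEFORE must end somewhere in the `reach` bytes preceding the anchor.
    before_ok = any(match_at(data, anchor - k, BEFORE)
                    for k in range(len(BEFORE), reach + 1))
    # AFTER must start somewhere in the `reach` bytes following the anchor.
    after_start = anchor + len(ANCHOR)
    after_ok = any(match_at(data, after_start + k, AFTER)
                   for k in range(0, reach + 1))
    return before_ok and after_ok


def build_sample(with_before: bool = True, with_after: bool = True) -> bytes:
    """Constructed buffer: filler, optional BEFORE, anchor, filler, optional AFTER."""
    filler = b"\x90"
    buf = bytearray(filler * 64)
    if with_before:
        buf += bytes([0xC1, 0x80])
    buf += bytes([0xB8, 0x00, 0x00, 0x00, 0x80, 0x0F, 0xBF, 0xEA])
    buf += filler * 5
    if with_after:
        buf += bytes([0xFF, 0xFF, 0x11, 0x22, 0x33, 0x0F])
    buf += filler * 64
    return bytes(buf)


# Constructed inputs: a full match, an anchor-only buffer (must NOT fire,
# which is the point of the AND patterns), and a clean buffer.
SAMPLE_HIT = build_sample()
SAMPLE_ANCHOR_ONLY = build_sample(with_before=False, with_after=False)
SAMPLE_CLEAN = b"\x00" * 256

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("anchor-only", SAMPLE_ANCHOR_ONLY),
                       ("clean", SAMPLE_CLEAN)]:
        print(f"{name:12s} anchor@{find_backwards(blob, ANCHOR):4d} "
              f"signature={matches_signature(blob)}")
```

The anchor-only buffer is the interesting case: the anchor is found (offset 64) but the match is rejected because neither positive pattern is present, which is exactly the false-positive control xor's AND patterns are meant to provide. Tightening or widening `reach` is the kind of "relaxing the routine" trade-off between specificity and coverage that comes up later in the thread.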

Pilli
April 16th, 2003, 06:16 PM
Zor Douglas, what I think Wayne was saying is that using set "definitions" for polymorphics is not the way because they always change ::)

Edit: Sorry Zor, I referred to you & not Douglas in this reply - now corrected

Mr.Blaze
April 16th, 2003, 06:25 PM
THAT'S ALSO TRUE 'CAUSE YOU CAN MODIFY THEM WITH A HEX EDITOR OR SOMETHING, RIGHT?

Vampirefo
April 16th, 2003, 09:08 PM
-{ Quote (Wayne - DiamondCS): "
Donald Dick is a Russian-made remote access trojan, but it's perhaps the world's most polymorphic trojan at present. TDS-3 is the only anti-trojan scanner capable of detecting this trojan, and this is explained (with disassembly and other screenshots) at http://tds.diamondcs.com.au/index.php?page=polymorphictrojans
Best enjoyed with a coffee. :)


" }-

Very nicely done, a very good presentation, I am still holding out for TDS-4. ;) ;)

Best Regards
Vampirefo

Wayne - DiamondCS
April 16th, 2003, 10:17 PM
Douglas, sorry but I'm not sure why Trojan Hunter would say it can detect these trojans because I can tell you now it can't. The servers change with every generation, and the techniques that TH uses cannot be used to detect this trojan so I'm assuming that one server was generated but not analysed to see that it's not static, and it was added using the same automated process as all other TH signatures, but Donald Dick _cannot_ be detected using standard methods like that so if that's the case it would be a useless signature that does nothing more than fool users into thinking they're protected (which is probably worse than no detection at all).

I'd encourage you to test for yourself - do a Google search to find the Donald Dick trojan, and then just run the 'ddsetup.exe' file that comes with it (as seen in the screenshot on our polymorphic page). Every time you run this file, it creates a new, unique ddick.exe file. We've tested with all common anti-trojan scanners (using latest databases) and we'd encourage you to do the same, but TDS was the only one detecting any of the servers; all other anti-trojan scanners missed 100% of the servers.

But don't just take my word for it - test for yourself. :)

---

Zor, you're actually technically spot on - the word polymorphic is heavily abused these days, and although it often applies well to viruses, it really shouldn't apply to trojans as it's their server generator that is the base for the pseudo-random generation - not the actual trojan server itself, but today the term 'polymorphic trojan' is just generally and loosely used by many to define trojans that are different from one generation to the next. We'll add some extra text to the page to explain this more clearly. :)

Gavin - DiamondCS
April 16th, 2003, 10:41 PM
BTW I think you meant C1 and 80 Xor ;)

xor
April 16th, 2003, 11:03 PM
-{ Quote (Gavin / DiamondCS): "
BTW I think you meant C1 and 80 Xor ;)
" }-

yes it was a typo - to many fingers on keyboard error, you know ? ;D

Wayne - DiamondCS
April 16th, 2003, 11:10 PM
"to many fingers on keyboard error, you know"
Translation for non-programmers ... "too much coffee, you know" :D

xor
April 16th, 2003, 11:48 PM
-{ Quote (Wayne - DiamondCS): "
Translation for non-programmers ... "too much coffee, you know" :D
" }-

You miss the beer the DAMN BEER ;D ;D ;D
But i am using the 4th coffecup in this night ::)

LowWaterMark
April 16th, 2003, 11:56 PM
No that's the desk of a real programmer!!! http://www.wilderssecurity.com/images/icons/icon14.gif

Tinribs
April 17th, 2003, 02:14 AM
Maybe mine isn't quite as messy as I thought!! I'll show that to my wife to fend off her duster ;D

Jooske
April 17th, 2003, 03:12 AM
Wondered if others are referring to other versions of the Donald Dick trojan, as there are several; I think I saw an older report from 1999 but I don't recall the version number there. Could this explain the different views on detection and disarming?

Wayne - DiamondCS
April 17th, 2003, 03:18 AM
There are several versions, but only 1.53.b and onwards use the SmartMorph polymorphic loader. The only versions other anti-trojan scanners can accurately detect are v1.52, the first variant of 1.53, and earlier. 1.53.b, 1.54, 1.55 etc can not be and are not detected by other anti-trojan scanners, so if you see them in their "detected trojans" list, they're just giving you a false sense of security - they cannot detect such trojans.

Mr.Blaze
April 17th, 2003, 03:35 AM
:D Wasn't TDS the one that detected my Zmist, favourite nasty in the world that kicks butt, I love that awesome nasty

I wish I had money and found the real maker of it, not the guy at NAV that wrote about it but the actual guy

if I did, the Mr.Blaze6666 would become a reality he he he
cleaning up the internet and making you all spell as bad as me with lol at every other word lol

Jooske
April 17th, 2003, 03:47 AM
Yeah, the older lists like on McAfee, I don't recall having seen any version number at all, only the message that there are several versions and names.



Hey Blazey! Your sig is in the wrong forum: it's TDS here!
Have you seen the DCS shoppe? Go and get there, be the first hurryyyyyyyyyyyy!
http://www.cafeshops.com/diamondcs/
Get your TDS and DCS collectibles NOW!

Gavin - DiamondCS
April 17th, 2003, 05:14 AM
ZMist is a virus family, using the "Mistfall" engine by Z0mbie.. not applicable for detection by any of our products.

I think I commented somewhere on the forum about this before. Very powerful virus engine.. but one striking weakness - pack any EXE and it is immunised against this virus :D The virus disassembles an EXE file, and inserts itself into the executable. The virus code actually becomes part of the file when reassembled.. a real headache for AV guys :)

Vampirefo
April 17th, 2003, 05:54 AM
-{ Quote (Jooske): "
Yeah, the older lists like on McAfee, I don't recall having seen any version number at all, only the message that there are several versions and names.



Hey Blazey! Your sig is in the wrong forum: it's TDS here!
Have you seen the DCS shoppe? Go and get there, be the first hurryyyyyyyyyyyy!
http://www.cafeshops.com/diamondcs/
Get your TDS and DCS collectibles NOW!
" }-

McAfee can detect them, I made 32 servers McAfee had no problem detecting them, I used versions, 1.52, 1.53,1.54, 1.55, McAfee detects them all regardless of version.

Jooske
April 17th, 2003, 06:04 AM
Wondering if Wayne means something else we miss here?

Vampirefo
April 17th, 2003, 06:23 AM
-{ Quote (Douglas): "
-{ Quote (Wayne - DiamondCS): "
Donald Dick is a Russian-made remote access trojan, but it's perhaps the world's most polymorphic trojan at present. TDS-3 is the only anti-trojan scanner capable of detecting this trojan,
" }-

I'm confused. Trojan Hunter lists Donald Dick 150, 153, 154, and 155 in its trojan definitions. Are these different from what you're talking about?

Douglas
" }-

TrojanHunter can't detect Donald Dick accurately, if at all. If I run the Trojan, TrojanHunter's port rule detects it, but then again that is just the default port, which could be changed.

TrojanHunter can't detect the Trojan, so if one changes the port Donald Dick uses, TrojanHunter would miss it altogether.

Primrose
April 17th, 2003, 07:52 AM
-{ Quote (Jooske): "
Yeah, the older lists like on McAfee, I don't recall having seen any version number at all, only the message that there are several versions and names.



Hey Blazey! Your sig is in the wrong forum: it's TDS here!
Have you seen the DCS shoppe? Go and get there, be the first hurryyyyyyyyyyyy!
http://www.cafeshops.com/diamondcs/
Get your TDS and DCS collectibles NOW!
" }-

Jooske,

Get me a picture of you wearing a TDS tee shirt and I will use it in the GAV forum as a signature. Promise ;)

Regards,
John

Jooske
April 17th, 2003, 08:06 AM
There are no pictures of me on the internet except for my avatar and thus I'll keep it.
Might ask SnapDragin some day if she can change some pixels for me into DCS in my crystal ball :)
Was not asking for the drop bear or the roo yet.
But as Blazey made such a beauty for us with the most suitable captain of DCS euhmmmmmm see for yourself: this was made before the stuff shopped btw:
http://www.diamondcs.com.au/forum/showthread.php?s=&postid=13104#post13104

shoppe here
http://www.cafeshops.com/diamondcs/

Tuulilapsi
April 17th, 2003, 08:31 AM
KAV seems able to detect Donald Dicks up to 1.55, unsurprisingly. ;D

Jooske
April 17th, 2003, 08:53 AM
I wonder if DCS was maybe the first, as they tested with all the known scanners, updated, and Wayne would never post to be the only one if their scanners in the lab from other brands would have detected them, might be such a thing i guess.

anyway: for us users the most important thing is that the nasties are disarmed to the last nasty bit asap! As KAV is among my favourite av/at as recommended extra opinion, I would not have expected (hoped) less :)

Tuulilapsi
April 17th, 2003, 09:13 AM
Well, the last I updated my KAV was 12.04. and Wayne posted this thread on the 16th. Then again, KAV isn't an anti-trojan, so...

Magnus
April 17th, 2003, 12:44 PM
Hi vampirefo,

Please try scanning with today's ruleset update. TrojanHunter should now detect all Donald Dick servers.

Jooske
April 17th, 2003, 12:53 PM
Thank you Magnus, in name of the whole cleaned internet community with yet another contribution to detection!
Always great to see people contributing and alerting others adequately.
Does it with detection also clean out? Or do users need to do things manually like deleting registry keys and clean out system restore, bins etc?
I remember the older versions' descriptions with some instructions this is why i ask.
Hope nobody will get infected in reality, btw!

Magnus
April 17th, 2003, 12:56 PM
Hi Jooske,

Thank you! I'm always happy to improve TrojanHunter detection, especially in this case. And yes, I believe everything should be taken care of when cleaning this one.

Vampirefo
April 17th, 2003, 06:31 PM
-{ Quote (Magnus): "
Hi vampirefo,

Please try scanning with today's ruleset update. TrojanHunter should now detect all Donald Dick servers.
" }-

Thanks Magnus,

With today's update TH was able to detect all Donald Dick servers that I made.

Best Regards
Vampirefo

Wayne - DiamondCS
April 18th, 2003, 12:48 AM
Now that xor/Michael has posted a method of detecting DD you'd think all anti-trojans could now detect it, but as of today only 2 do ... it remains an elusive trojan :)

angel
April 25th, 2003, 04:44 AM
>TDS-3 is the only anti-trojan scanner capable of detecting this trojan

Sure you detect any variant?

Jooske
April 25th, 2003, 05:11 AM
Hi Angelo, let's hope so! How many more variants are there in the meantime? Or am i now confusing versions with variants?
Did you try and successfully i hope, with your various tools?

angel
April 25th, 2003, 05:31 AM
Well ... I did a little test. I generated a little test set with 11.000 Donald Dick servers. Just executed ddsetup.exe 11.000 times and copied the server into one directory.

After this I let GAV, TDS-3 and TrojanHunter scan the folder. Only TrojanHunter detected ANY variant. GAV and TDS-3 missed 40 - 80 servers. I have no webspace available. So if someone has webspace just contact me at angelo.bachmayr@chello.at . I will send you the screenshots and the tool that generates as many servers as you want automatically and I can post them here.

Wayne and Co:
Are you interested in the test set? I can upload them to a FTP server of your choice. Just write an email to angelo.bachmayr@chello.at .

Jooske
April 25th, 2003, 06:53 AM
Sounds interesting. It's ANZAC Day (a holiday) in Australia, so don't expect an answer before monday.
Thought you maybe found more variants after the 1.55.

Paul Wilders
April 25th, 2003, 07:39 AM
Angelo,

Don't hesitate to send me the stuff mentioned; webmaster@wilders.org .

btw: talking unpacked newly generated servers here?

regards.

paul

Wayne - DiamondCS
April 25th, 2003, 07:43 AM
I was just notified of this via SMS :)
Angelo, we ended up creating over 4000 Donald Dick servers and were able to achieve 100% detection from that test set. I'm surprised that your test set of 11000 was able to yield variants that weren't detected, but our detection technique is very specific (so as to avoid any false alarms), so it will be very easy to ensure detection of all 11,000 variants simply by relaxing the routine a little - essentially making it a little simpler. I've sent you an email - can you please send us the servers that _weren't_ detected and we'll re-vamp the detection routines on Monday.

Many thanks,
Wayne

Paul Wilders
April 25th, 2003, 07:50 AM
-{ Quote (Wayne - DiamondCS): "...but our detection technique is very specific (so as to avoid any false alarms), so it will be very easy to ensure detection of all 11,000 variants simply by relaxing the routine a little.." }-

Sounds perfectly sound and reasonable to me - kudos, Wayne 8).

regards.

paul

angel
April 25th, 2003, 08:31 AM
>Don't hesitate to send me the stuff mentioned; webmaster@wilders.org .
>btw: talking unpacked newly generated servers here?

Yes, unpacked ones ;D. I did a rescan with the new database today but nothing has changed. 10934 of 11000 if I remember correctly.

I will do a rescan with TH and GAV with current updates and send them to you, admin.

BTW:
Is it possible that the "Notify on replies" does not work correctly?

Paul Wilders
April 25th, 2003, 08:42 AM
-{ Quote (Angelo Bachmayr): "
>Don't hesitate to send me the stuff mentioned; webmaster@wilders.org .
>btw: talking unpacked newly generated servers here?" }-

-{ Quote: "Yes unpacked ones ;D. I did a rescan with the new database today but nothing has changed. 10934 of 11000 if i remember correctly." }-

Thanks for the info. Have a look at Wayne's reply in regard to relaxing the routine - upcoming monday as for detection from your freshly made trojan servers ;)

-{ Quote: "I will do a rescan with TH and GAV with current updates and send them to you, admin." }-

Much obliged - please zip/rar the file(s).

-{ Quote: "BTW:
Is it possible that the "Notify on replies" does not work correctly?
" }-

We'll check it out.

regards.

paul

Jooske
April 25th, 2003, 08:48 AM
The notifications should be sent to the email addy of your registration here, i get them properly of every thread i subscribed on, (big wish to have an option of notifications for all the threads in one forum!! so there would be no need to go through each thread individually)
but it can take minutes before i see the notifications in my mailbox.
I heard from another person not getting them, not sure why and if this was ever solved and how.

angel
April 25th, 2003, 09:27 AM
Ok ... I redid the test - now with 1000 ddick servers only. These are the results of TDS-3 ...

It detected 989 of 1000 ...

angel
April 25th, 2003, 09:30 AM
Now with GAV 3.5 ...

It detected 990 of 1000 ...

angel
April 25th, 2003, 09:32 AM
And last but not least Trojan Hunter 3.5 ...

It detected 1000 of 1000 ...

Paul Wilders
April 25th, 2003, 09:33 AM
Angelo,

No offense, but this is useless. Please read the reply from Wayne - and answer to his email sent to you.

regards.

paul

angel
April 25th, 2003, 09:34 AM
And here are the logfiles of all programs as Tar GZip ....

angel
April 25th, 2003, 09:36 AM
-{ Quote (Forum Admin): "
Angelo,

No offense, but this is useless. Please read the reply from Wayne - and answer to his email sent to you." }-

Already done ;D. I did it even before I posted my first reply ... .

Paul Wilders
April 25th, 2003, 09:40 AM
Right. Angelo, I propose you perform the test again after DCS has taken action, being upcoming Monday, and you have had email contact with them.

Please refrain from further elaborating on this specific issue; as stated, there's nothing to add right now. I'd hate to close this thread until Monday...

regards.

paul

angel
April 25th, 2003, 09:43 AM
Sorry - i misunderstood you ;D. I thought i should post them now :D. Sorry ... my fault :).

Paul Wilders
April 25th, 2003, 09:48 AM
Well, they're up now. Let's rest this issue for the moment - at least until the new TDS3 database has been released upcoming Monday.

regards.

paul

Jooske
April 25th, 2003, 01:38 PM
Without posting results here, maybe you like to try out some scanning options making them on highest sensitivity or less sensible, if that could make any difference with the settings in the database now and less specific as Wayne is planning to do in the next database.
As you like testing so much!
I'm used to have all options on highest when scanning, but who knows what would happen if i allowed such settings changed a little :)

Wayne - DiamondCS
April 25th, 2003, 02:49 PM
For those who aren't aware, "Angelo Bachmayr" is just one of the many aliases used by Andreas Haak (do a whois on a-2.org). He usually posts anonymously when attacking anti-trojan scanners - this way, less people will realise that he's the author of the outdated and poorly maintained ANTS trojan scanner - a scanner that, incidentally, doesn't detect Donald Dick at all, so why he's trying to attack TDS for allegedly detecting only 99% of Donald Dick servers, I don't know, but he has a lot more spare time up his sleeves than us.

Andreas, Angelo, whatever you've got to hide, you still haven't emailed me one single Donald Dick server that TDS doesn't detect; all you emailed me was a script to run the server generator 1000 times. A bat file would've accomplished the same thing, but in only a few lines rather than the hundred or so in your program. We generated 4000 servers and achieved 100% detection on those after a bit of massaging of our detection routine. Before you said you generated 11000 servers and TDS missed nearly 50. Now you're saying you only generated 1000, and TDS only missed about 10. Which one is it? How do we know you haven't modified those servers or doctored the images? You've wasted a lot of time in the past trying to attack TDS so nobody could put that past you, but I don't understand why you are wasting time testing GAV/TDS/TH against Donald Dick when your ANTS scanner doesn't detect it at all - shouldn't you be using that time to add detection to ANTS? I think your customers would much prefer you doing something constructive like improving your scanner rather than attacking others. This is accomplishing nothing. What exactly are you trying to prove, Andreas? If you have a server TDS doesn't detect, why won't you send it to us? And why hide behind the alias, why don't you want people to know that you're Andreas Haak?

Anyway that's enough Wasting Time With Andreas for another month. I'll see you all same time and place next month (if history repeats itself)..

spy1
April 25th, 2003, 02:55 PM
Those who can, do.

Those who can't just b1tch, moan and throw rocks. Pete

Smokey
April 25th, 2003, 03:25 PM
-{ Quote (Wayne - DiamondCS): "
For those who aren't aware, "Angelo Bachmayr" is just one of the many aliases used by Andreas Haak.

What exactly are you trying to prove, Andreas?
" }-

I don't know what Bachmayr/Haak is trying to prove, when "Bachmayr" is indeed an alias of "Haak".

I only know I become a little tired of the attacks against TDS from Bachmayr/Haak, when he has personal problems with TDS/DiamondCS, the Wilders Forum is for sure not the right place to combat. >:(

Jooske
April 25th, 2003, 04:40 PM
Identity was known already. To avoid combats and flame wars and all that there was this invitation for a serious discussion between the developers via their emails, as when somebody really has to say something valid, there are listening ears. So please keep it nice and educational for us forum visitors and many of us non-specialists, and via personal emails between the developers so developers can seriously look into possible matters. So please spare us confusion if there ever was. For the good of all the internet community.
The only discussion here seems something is made to detect a nasty in many forms and how to tighten or get less specific in a good balance to detect as many variants as possible and to avoid false alarms.
I would not like to think of the 11,000 servers getting lose on internet, so please keep them between the labs! thanks.

Andreas1
April 25th, 2003, 08:57 PM
I guess most of you know i'm a loyal tds user, dcs customer, betatester, whatever. However, i take Wayne's response to Angelo to be rather inappropriate. I know that Andreas Haak has gotten on Wayne's nerves a bit too much, but that doesn't justify such an offensive reply. Now comes a bit of b1tching and if you want to skip it, my request is basically to focus on the question of whether there are DDick servers that TDS doesn't detect and if so, what measures can be taken by whom to remedy this.
Now, on with the quasi-flame (you decide if this refers to my posting or to Wayne's):

-{ Quote (Wayne - DiamondCS): "
For those who aren't aware, "Angelo Bachmayr" is just one of the many aliases used by Andreas Haak (do a whois on a-2.org).
" }-
Actually, no. If you in fact go to a-2.org (it's redirected to a discussion forum) you'll see that while a-2 is indeed Andreas H.'s project of a new AT (which seems to still have some way to go), there are a couple of volunteers (remember that Ants is/was freeware?) that have offered to help (graphics, website, PR, Autostart entry-checking etc) and Angelo is one of them.

-{ Quote: "
He usually posts anonymously when attacking anti-trojan scanners - this way, less people will realise that he's the author of the outdated and poorly maintained ANTS trojan scanner
" }-
Also, he didn't exactly try very hard to hide his identity. See the a^2 logo he uses as an avatar? He didn't even "attack" anyone or anything. He just told you that on his findings, your detection can be improved - he posted extensive results (even apologized for a misunderstanding he had with Paul) and as of now i don't see a reason not to trust him.

-{ Quote: "... a scanner that, incidentally, doesn't detect Donald Dick at all, so why he's trying to attack TDS for allegedly detecting only 99% of Donald Dick servers, I don't know, but he has a lot more spare time up his sleeves than us." }-
He's just one who's spent his time here discussing usage, possible misses/false positives - just like all the rest of us, so we don't have so much less spare time up our sleeves than he.

-{ Quote: "
Andreas, Angelo, whatever you've got to hide, you still haven't emailed me one single Donald Dick server that TDS doesn't detect, all you emailed me was a script to run the server generator 1000 times. A bat file would've accomplished the same thing, but in only a few lines rather than the hundred or so in your program.
" }-
If you are suggesting that he has put up some fake test and keeps the servers private so that no one finds out, that should be easily cleared up sooner or later because he has offered to send the files (the actual server files) to more people than just you. To Paul, for instance. So, have you run the script and generated 10000 servers and scanned them with TDS and obtained different results, Wayne? Then (and imho only then) he should send you his 10000 servers. But i'm sure you can also ask to have the actual server files sent to you and not just the script. (Okay, i'm a bit too harsh, actually you have asked to have only the undetected actual server files sent. So, Angelo, will you do this? Supposed that Waynes rudeness hasn't driven you away...)

-{ Quote: "
Before you said you generated 11000 servers and TDS missed nearly 50. Now youre saying you only generated 1000, and TDS only missed about 10. Which one is it?
" }-
Both. Read his postings. More carefully.


-{ Quote: "...but I don't understand why you are wasting time testing GAV/TDS/TH against Donald Dick when your ANTS scanner doesn't detect it at all
" }-
I think there are people around who test AV/ATs and they haven't even coded an AV/AT scanner. So there could be other motivations for that, couldn't there?

-{ Quote: "
shouldn't you be using that time to add detection to ANTS? I think your customers would much prefer you doing something constructive
" }-
No ants-customers. No a^2 customers. And up to now, it has been constructive.

That's it - and i've not even mentioned the enlightening discussion i've had with Angelo about the old TerminateProcess problem in the other thread - for me, that (and he speaks of TDS-4 rather benevolently there) is enough of a proof of his good intentions.

Rgds,
Andreas (W)

PS. Angelo, sorry to refer to you mostly in the third person. CU.

LowWaterMark
April 25th, 2003, 09:26 PM
There is certainly a long history between the different people involved in this discussion, and I won't even try to come down on one side or the other. For myself, I don't use TDS3, and I've never tried Ants (now A²) either, but, I am a member over on the A² Forum, and I look forward to whatever develops there.

I don't know first hand whether TDS finds 100% of the mentioned trojans, or if it misses some as generated by Angelo's script. I'd be really happy to see Angelo send some of the undetected trojan files to Wayne, as that is certainly the right thing to do. Or, for that matter, send them to Magnus, or to Gladiator, or anyone else he thinks would be a fair judge on this issue, if he's concerned that they'd be better received there.

Personally, I really like to see the different developers engaging each other, and sharing their findings for the greater good. And, like Jooske, I'd really like to see them debating and discussing these technical issues fairly in a forum somewhere, whether here or elsewhere would be fine with me. It'd be great to see intelligent discussions on these topics.

Jooske
April 26th, 2003, 02:59 AM
I'm rather stubborn and did suggest this various times: to please open either a developers' discussion thread or forum, be it only accessible for developers with subscription or open for others to read if that would be useful.
I think there is so much to do in the security world and several views and experiences, other developers might be good judges who can be really helpful if their intentions are constructive comments. We betatesters are ok in telling what the software does on our system and if we like it or which feature we like to be built in, but the developers who are willing to spend time to take out another product to the bottom and are able to tell how things can be done with more security or whatever and are willing to tell the persons who created the product honestly etc etc etc
I was really happy seeing it happening a bit earlier in this thread and after one guy telling how to others getting clues to add the detection into their products too.
I think fighting is mainly a waste of energy which can be spent in development.
Please keep the discussions open and serious.

On internet it's a rule if you find problems in software to inform the developer by email personally what and why and maybe which tests showed it and/or to send in the materials so the developer can test it in his own lab and take measures.
If after a reasonable time nothing has been done about it, one can post in the open, but please do it in a respectful way.

I would be really happy and proud if such a protected for developers only space was here hosted in the forums, as this forum has the name to be among the highest in serious security discussions and information and developers of top notch software come visiting and educating people here.


LWM: sorry to read you're not using TDS3; it's up to you, of course, but I really like it and it's part of my road on the internet, which before TDS2, when I was not aware of the existence and the need, was really a pricy and sad experience.

angel
April 26th, 2003, 05:10 AM
>For those who aren't aware, "Angelo Bachmayr" is just one of the many aliases used by
>Andreas Haak (do a whois on a-2.org).

Oh well ... are the owners of trojaner-info.de "Andreas Haak" too 'cause they have an email address at yaw.at? Do a whois at yaw.at, it belongs to Andreas. Or is Gavin Wayne 'cause Gavin has an email address at diamondcs.com.au and it belongs to Wayne? Or is Jooske Wayne 'cause she has a link to DCS inside her signature?

Well, it's a little bit paranoid. Andreas has some co-workers and personal friends. I am one of them ;D.

>Andreas, Angelo, whatever you've got to hide, you still haven't emailed me one single Donald
>Dick server that TDS doesn't detect, all you emailed me was a script to run the server
>generator 1000 times.

I asked Andreas to send you the server generator - it's his program. It's not a script, it's a tiny Delphi application. Sure there are many ways to solve a problem. You can use a batch, too.

BTW:
The generator is his program. That's why I asked him to send it to you. I do not know if it is ok if I send his files to third parties. As far as I remember he sent the executable and the Delphi source.

>Before you said you generated 11000 servers and TDS missed nearly 50. Now youre saying
>you only generated 1000, and TDS only missed about 10. Which one is it?

Both. Look what i said:

"I redid the test. Now with 1000 servers only."

1000 servers, because most scanners are damned slow and it took too much time to scan all of them. So I generated 1000 new ones.

>How do we know you haven't modified those servers or doctored the images?

That's why I asked Andreas to send you the generator, so you can redo the test. I didn't know that you have your own "generator".

>You've wasted a lot of time in the past trying to attack TDS so nobody could put that past you,
>but I don't understand why you are wasting time testing GAV/TDS/TH against Donald Dick
>when your ANTS scanner doesn't detect it at all - shouldn't you be using that time to add
>detection to ANTS?

Well ...

1. Andreas is a little bit "own" and a little bit hard to get along with. I guess you and Paul know what I am talking about. That's why I suggested that I handle the public stuff of a² (advertisement, update alerts and so on) for him.

2. ANTS does not exist any more and it is not a secret that the project is closed. A² will be able to detect it of course.

3. Why did I do that? Because I am interested in security stuff. I do a lot of testing if I have enough time (at the moment I don't have much time because I am taking A levels). Why did Andreas do that? Well ... ask him, not me ... his personal address is andreas.haak@chello.at or haak.a@yaw.at or haak.a@a-2.org .

>If you have a server TDS doesn't detect, why won't you send it to us? And why hide behind
>the alias, why don't you want people to know that you're Andreas Haak?

Because I am not Andreas. Why didn't I send you the server? Quite simple. Imagine you have 11000 server files and only about 50 of them are undetected. But the scanner is not able to delete all infected files at once; it is only able to delete them one file at a time. Would you give the vendor the undetected files, or would you give him the information and tools to redo the test on his own? ;D

But ok - Copy and Replace inside the report did its job quite well and I generated a batch script. These servers are on their way. ;D

BTW:
And yes, I want a PERSONAL letter of apology for this backbiting.

Jooske
April 26th, 2003, 05:37 AM
Angelo, thanks for the many explanations and for informing the internet community about the situation.
I'm sorry this all happened.
One more reason to ask for a "developers talk among themselves" place somewhere in the forums here, and we really hope the brains are talking, as there are some real whizz people among you. Are there? I haven't the brains to decide that, it's my humble impression.
I would be really sorry if we needed to carry around first aid and life support through a forum created for security matters! Although I'm a woman, my name is not Florence Nightingale.

But a rule really is to send possible errors and vulnerabilities in other developers' software in private emails first and give a chance for repairs and corrections first.
Angelo, Wayne was/is open to such comments, as he posted his personal email address to receive the tests/files/servers and see what you mean.
In the name of the wellbeing of the internet community as a whole, please bury the boomerangs and tomahawks and communicate. Thanks a lot!
Again, sorry this happened.

Paul Wilders
April 26th, 2003, 08:10 AM
Seems like old conflicts, and the emotions coming with them, are taking over once in a while. Although - since we are all human - on occasion this will happen, nearly all of the time there are no winners in such a situation.

Thus: let's get back on track here, and focus on the real issue(s) at hand, Angelo being Angelo, a co-worker of Andreas Haak, Wayne being Wayne from DCS, etc., leaving possible flaming behind us once and for all - all parties involved please ;).

Angelo, thanks for explaining and providing the servers. No doubt DCS will examine the files and handle them the appropriate way.

I do regard the "personal issues" as being left behind; if not, established email contact between you and DCS is the way to go to sort them out - this board/forum definitely isn't. My inbox is open as ever as well.

Back to business as usual! ;).

regards.

paul

Wayne - DiamondCS
April 26th, 2003, 09:57 AM
Andreas, thanks for taking the time to send me some servers; we'll analyse them and revise the detection algorithm first thing tomorrow for tomorrow's update.

Andreas1
April 26th, 2003, 10:48 AM
Good to see things appear to be sorted out. I want to apologize, too. Must have had a bad day ;)
See you soon, happy computing to all,
Andreas (W)

Paul Wilders
April 26th, 2003, 11:20 AM
-{ Quote: " quoting: Andreas(W): good to see things appear to be sorted out." }-

I second that ;)

-{ Quote: "I want to apologize, too. Must have had a bad day ;)" }-

Andreas, we're all human - ask my wife about my bad days ::) ;D

regards,

paul

xor
April 26th, 2003, 02:20 PM
-{ Quote: " quoting: Forum Admin: Andreas, we're all human - ask my wife about my bad " }-

I am not his wife but it's true ;D ;D ;D
;) -> for paul ;D

Jooske
April 26th, 2003, 02:25 PM
Thanks a lot, guys, for talking reason again. I was counting on that, so I did some nice shopping for myself.
Salut, guys, to your health and that of the whole secured internet community with the top notch software!
Proud to be a supporter!

Paul Wilders
April 26th, 2003, 03:43 PM
-{ Quote: " quoting: xor: I am not his wife but it's true ;D ;D ;D
;) -> for paul ;D" }-

You promised not to tell anyone! ::) ;)

iCQ
July 29th, 2003, 07:59 PM
ppff.... this thread got a bit messy. I hope all you guys didn't waste too much time on this "atm anti-trojan program X does 1% better than anti-trojan program Y" talk. In my opinion it's professional of the TDS team to seriously go into the matter. What I DO NOT consider professional is makers, or friends of makers, of competing products going to show muscle in someone else's home. But again... it got a bit too messy for me to be able to follow it all.

Take care ya all,

Peace

P.S. 'anonymous' or 'clone' posts on forums shouldn't be taken too seriously. Good work on the DD polymorph, Wayne!

Jooske
July 30th, 2003, 02:42 AM
iCQ, as you can see the problems are solved. Developers are showing they're but human too.
The wonderful part of this thread is that you see several developers, each with their own experience and background, jumping in and even helping each other in creating rules so all their different software products are able to detect this nasty. At times a little head banging, but as all feel it a responsibility to take care of their users and the internet community as a whole, in the end it's a series of products with yet another good detection added, for new future nasties too --I think you can imagine it's a tough job to keep on top of it these days!-- and a hand and a drink, and all are happy.
It is the reason why there are developers-only forums for them to communicate among themselves, so the public in most cases is not aware of these communications.
Doesn't it feel like looking into the kitchen? Don't be shocked, they aren't, not even after some headbanging, and this one is forgotten already and all have grown from it, good for all!

iCQ
July 31st, 2003, 09:27 PM
Sorry, I didn't mean to shitstir ;)