is there a working tool to find out unknown trojans ?

[mantra]

Hi
is there a working tool to find out unknown trojans ?

i talking about trojans (not spread around internet) but coded by users and installed on some machine to take the control or spy the user

i know for sure , that there are some trojans , not recognized by anti malware or firewall , created by users to spy the computer activity

i know because i had a talk yesterday with an operator of ministry of interior

he told me they are not recognized by the best firewall and malware software

but there are software that can scan and find out them, he did not told me nothing about this software

well i ' m not paranoid , and i'm not worried about police or secret service , but i 'm worried by a unknow user that can steal my credi card or password or other sensitive data


i would appreciate every suggestions

cheers

[Cudni]

no need to be worried. it is unlikely any malware, let alone some secret agency one, will be installed if you follow usual security precautions often mentioned in these forums.

[mantra]

Quote:

Originally Posted by Cudni

no need to be worried. it is unlikely any malware, let alone some secret agency one, will be installed if you follow usual security precautions often mentioned in these forums.

thanks Cudni , by the way there are malware not spread around the net,codec to spy a specific machine

but is there a port scanner or some tool that let me know if there is some unknown malware(keylogger, remote acess and so on) , just for some test

i have only nod4 and Malwarebytes Anti-Malware
cheers

[fax]

You could use Comodo Cleaning Essential but if you don't know what to do and where, you can do more damage than fixing

http://www.comodo.com/business-secur...essentials.php

Better to have your system reviewed by malware experts at bleepingcomputer or spywarehammer and most of all no paranoia since what you have been told its 99% FUD.

[kdcdq]

I agree with Wilders' member 'fax' 100% on this one.

BUT, just in case the suspected trojans could possiblly be detected, I would scan your machine with Hitman Pro, Malwarebytes Anti-Malware free, and SuperAntiSpyware free. Just my $.02 worth.....

[mantra]

Quote:

Originally Posted by kdcdq

I agree with Wilders' member 'fax' 100% on this one.

hi
if i may about what?
use

Quote:

have your system reviewed by malware experts at bleepingcomputer or spywarehammer

?


or run Comodo Cleaning Essential & Hitman Pro ?
can these 2 programs scan only the running process via cloud?
do they use md5 hash?

Hitman pro doesn't scan all the memory ,i load many programs and it scanner few items

thanks
cheers

[mantra]

Quote:

Originally Posted by fax

Better to have your system reviewed by malware experts at bleepingcomputer or spywarehammer and most of all no paranoia since what you have been told its 99% FUD.

thanks Fax

about them , are 2 forums?
do you think i need them ?
or is enough comodo and hitman pro?

cheers

[fax]

Bleepingcomputer or Spywarehammer

What is enough? To keep your system and applications fully updated and run a solid security tool. Keep it simple, master one tool and mind all pop-ups you receive. Setup a policy for your passwords and use a tool to manage them.

Don't beleive all what you hear around you. Relax, sit back and happy surfing.

[mantra]

Quote:

Originally Posted by fax

Bleepingcomputer or Spywarehammer

What is enough? To keep your system and applications fully updated and run a solid security tool. Keep it simple, master one tool and mind all pop-ups you receive. Setup a policy for your passwords and use a tool to manage them.

Don't beleive all what you hear around you. Relax, sit back and happy surfing.

thanks Fax

may i ask only 1 question ?
about Hitman Pro 3.5 and Comodo Cleaning Essentials
is there a true portable version of Hitman Pro ?
Comodo Cleaning Essentials in the homepage is declared to be portable , but i don't think stealth

Quote:

when an application is launched, used and terminated properly, it does not leave behind any entries in the registry or filesystem.

thanks again Fax , about the 2 programs only because it could be useful have them in the stick pen

cheers

[fax]

You may want to check in the specific "support hitman pro" thread at Wilders. A quick search in that thread resulted in:

Quote:

Originally Posted by atomomega

Are you running it 'installed' or 'portable'? Thing is first tiem you run HMP on any computer it will ask if you want to install it so you can run future scans or if you just want to run s single-time scan. If this second option is chosen, any config will not be saved.

More questions should be posted there...

[mantra]

Quote:

Originally Posted by fax

You may want to check in the specific "support hitman pro" thread at Wilders. A quick search in that thread resulted in:



More questions should be posted there...

thanks
and about comodo?
do you use it, is full portable?

[badkins79]

Sorry to break it to you, but no antivirus scanner is going to help you detect a custom piece of malware that an organization has targeted against you. These scanners are signature based, and until a piece of malware has spread around a lot, the makers of scanners will not get an opportunity to make a signature.

[mantra]

Quote:

Originally Posted by badkins79

Sorry to break it to you, but no antivirus scanner is going to help you detect a custom piece of malware that an organization has targeted against you. These scanners are signature based, and until a piece of malware has spread around a lot, the makers of scanners will not get an opportunity to make a signature.

thanks
i agree
but is there a port scanner ? or a software that let me have full control ?
in short something to detect manually a possible malware

[badkins79]

Quote:

Originally Posted by mantra

thanks
i agree
but is there a port scanner ? or a software that let me have full control ?
in short something to detect manually a possible malware

Well, I'll try to run down some methods.

A port scanner would probably not help. Because everyone uses NAT, malware is coded to call out rather than be called into. So there won't be any open ports except for during actual communications, which may be for just a few seconds per day.

If the malware has rootkit functionality like file or registry hiding, it might make it easier to find. There are rootkit scanners that are pretty good or they can take a file and registry listing with your full system up and another one with your drive on its own and look for differences. Because of this, malware may choose to hide in plain site.

A piece malware hiding in plain site and not using a trivial method for getting execution (run key or startup folder) is extremely hard to find on a desktop OS. Without some clues about what to look for, its unlikely you will find it. Especially if it doesn't do any thing to let you know something is wrong.

[Chiron]

Hello, I wrote an article specifically meant to be able to tell if your computer is infected by malware even if it hasn't yet been analyzed by any vendor.

Please read How to Know If Your Computer Is Infected and let me know if you have any questions.

Thanks.

[mantra]

Quote:

Originally Posted by Chiron

Hello, I wrote an article specifically meant to be able to tell if your computer is infected by malware even if it hasn't yet been analyzed by any vendor.

Please read How to Know If Your Computer Is Infected and let me know if you have any questions.

Thanks.

wow
i'm starting to read
it will take a while to understand
but look very . interesting, would be very useful, helpful have it in pdf too

thanksssss
cheers

[Kees1958]

Daily life risk assessment

Because it is a fact of daily life it could happen to me, but what are the odds?


Risk aware - insider

Because it is well possible, it could happen to me, but what are the odds when I am not in the target group?


Paranoid - enthousiast

Because 'they' say it is possible, it could happen to me, how can I protect myself against this risk?


When in paranoid mode there is plenty to worry about
1. Malware found in digitally signed software
2. SMS Trojans packed with legitimate android games
3. Backdoors found in US military chips developed in China (so all owners of iphones and ipads are screwed because they are build in China also ).

No real protection against man in the browser? Oh boy are you screwed, all these mallware, trojans, backdoor options and you are still banking with confidence? When seriously in doubt, have a look at regrun reanimator (my personal preference anti-trojan) and avz antiviral toolkit (my pesonal preference anti-rootkit), HitmanPro and Mbam.

[tuatara]

Quote:

badkins79 wrote:
Sorry to break it to you, but no antivirus scanner is going to help you detect a custom piece of malware that an organization has targeted against you. These scanners are signature based, and until a piece of malware has spread around a lot, the makers of scanners will not get an opportunity to make a signature.

This is not longer the case, but it was true in the early days of antivirus software. Most antivirus programs also use heuristics,
which are Behaviour scans.

A good example is HitManPro which has build his it's software on this concept, but does a lot more.

They write:
"SurfRight has done an extensive research of malware files to determine the common characteristics (behaviour) of malware. The Hitman Pro client uses this research in its Behavioural Scan" see: http://www.surfright.nl/en

Most AV's use active and passive heuristics. see: http://kb.eset.com/esetkb/index?page...=MAL&actp=LIST

A quick look at Gmer , see: http://www.gmer.net/

Will show you that:
It scans for:
hidden processes
hidden threads
hidden modules
hidden services
hidden files
hidden disk sectors (MBR)
hidden Alternate Data Streams
hidden registry keys
drivers hooking SSDT
drivers hooking IDT
drivers hooking IRP calls
inline hooks


With the number of new malwares a day, it is no longer possible
to just add these one by one to a virus definition database.
If they did, it will have outgrown your OS by now

Most AV's are more advanced and complicated then this.
For example most of them will trick the malware to start in their AV virtual environment,
so that the malware 'thinks' it runs in the real OS, just to find out what it tries to do after it starts.
But of course malware builders, know this, and build malware that will not start in a virtual environment etc.

But badkins79 has a point that there is no AV with 100% detection yet.

Another thing is, you can perhaps scan for unwanted software, but adding hardware to your pc, like a hardware keylogger
or sniffing it's connection can also be done..

[RJK3]

Learn how trojans infect, and then it's just a matter of looking for them. A trojan is just a program running like any other - the difficulty in finding them relates to how well they are stealthed.


Simple method:
Simplest tool is MSCONFIG, which will find simple trojans that are set to run in the standard registry keys. Similarly, Windows task manager will find simple trojans that are already running, and in Windows 7 you can also view the command line which is useful for things like DLLs.
Weakness: Many trojans will pretend to be normal system processes, or if there is a rootkit then they won't appear at all. MSCONFIG only shows a small selection of autorun registry points, and doesn't look at the browser.

Slightly more sophisticated:
More sophisticated would be using something like SYSINTERNALS AUTORUNS to see all the autorun locations; and something like PROCESS EXPLORER to see what is running. They include methods to check the digital signature of files
Weakness: Digital signatures can be false. If there is a rootkit then the malware will be hidden - running AUTORUNS offline may help (e.g. from a bootable CD).


There are dedicated forums for helping people find unknown malware, and they'll use various tools including DDS & OTL to look at many system settings.

Most of the really nasty stuff will be a rootkit. There are various methods of concealing the rootkit - replacing system drivers, infecting the boot sector, hidden partitions, even infecting the motherboard (mainly to continually infect the boot sector of the HDD). Some tools (e.g. GMER) will help you find an active rootkit while Windows is running, using various clever methods.

Other offline methods involve checking and comparing the checksum of system drivers to see if they differ from known values; or checking the MBR to see if it standard; using standard tools to check for hidden partitions. A bit of basic computer knowledge helps, e.g. knowing that branded computers come with non-standard MBRs, and hidden partitions may be a recovery partition.


Once you actually find something that you think is a trojan - then there are sites that'll test the program to see what it does, e.g. http://anubis.iseclab.org/. You can also check it at VirusTotal to see if it matches the heuristics of any AV.

[PeZzy]

Quote:

Originally Posted by mantra

i have only nod4 and Malwarebytes Anti-Malware

Just want to point out that Malwarebytes does not scan hidden partitions which is a common place for sophisticated Trojans to hide their goods. The "pro" version is useful for website blocking and prevention.

One on-demand scanner that analyzes hidden partitions is Hitman Pro.

The best prevention is to keep updating Windows, all Adobe software and Java.

[nosirrah]

Quote:

The best prevention is to keep updating Windows, all Adobe software and Java.

I would like to emphasize that I intentionally use out of date java and acrobat on my malware hunting machine. It makes it a snap to capture the really nasty stuff.

[AMIGA500]

I would imagine if such a tool existed then it would be incorparated into the majority of anti virus products out there.
Regards.

[tipo]

you should try trojan remover. it doesn`t alot of trojans, it detects the damage and modifications a trojan did to your files...it`s a simple scanner but it`s a "must have" tool for me.
http://www.simplysup.com/

[Magnus Mischel]

We have several algorithms in TrojanHunter to detect unknown new and altered trojans. For example, we have code that alerts on certain known malware packers). We also check the compiled code for markers typical of malware. These detections will be prefixed with "Generic" and alerts you to a possible new or unknown piece of malware.

[phalanaxus]

Quote:

Originally Posted by Magnus Mischel

We have several algorithms in TrojanHunter to detect unknown new and altered trojans. For example, we have code that alerts on certain known malware packers). We also check the compiled code for markers typical of malware. These detections will be prefixed with "Generic" and alerts you to a possible new or unknown piece of malware.

Searching for code markers of typical malware (heuristic analysis) and searching for malware packers (results in a good number of false positives generally) have been available in most of the security products for a long time. What's Trojan Hunter's take on these points that makes it special ?

Low level scanners like DDS,OTM,etc. do better in case of detection of unknown or new threats compared to conventional solutions imo.