Wilders Security Forums  

  #51  
Old September 24th, 2005, 02:56 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by kareldjag
Hi,

The first goal of this trojan demonstrator tool is to show that data can be stolen.
Then blocking the executable or internet access is not the most interesting.

Regards
Greetings, kareldjag from this side of the Atlantic!

Well, blocking may not be the most interesting, but it is the most effective.

What a trojan does -- listing all of the files it loads, viewing the process requests -- this may be very interesting to some, but of no real importance to those who are just interested in protecting the system from attacks.

This demo is like firewall leaktests and even the feared rootkits (which are also just trojans) - they all have to install before they can execute anything.

So, blocking from installing should be of great interest!

regards,

-rich
________________
~~Be ALERT!!! ~~
  #52  
Old September 24th, 2005, 03:08 PM
Chris12923 Chris12923 is offline
Very Frequent Poster
 
Join Date: May 2004
Posts: 1,079
Default Re: New Trojan Test

Blocking is the easiest, but what if this was an unknown program that didn't look suspicious? Most people would just let it install. This is where you need an app that tells you what it's really doing. I mean, you can block every new .exe, but then what? Never download anything from freeware/shareware sites? Maybe I'm missing something?

Thanks,

Chris
  #53  
Old September 24th, 2005, 03:10 PM
toploader toploader is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 707
Default Re: New Trojan Test

Quote:
Originally Posted by kareldjag
Trust-no-exe automatically blocks unknown executables:

Hi Kareldjag - as I understand it, trust-no-exe will allow any exe to run if it comes from your allow list - e.g. Windows directory, Program Files directory etc. - so if the trojan.exe installed itself in one of the trusted directories, presumably it would run and trust-no-exe would not stop it?
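The difference toploader is asking about, a directory-based allow list versus one keyed on the program's content, as an added example written for this page (not code from trust-no-exe, Anti-Executable or any other product named in the thread; the folders, file contents and policy classes are constructed):

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path) -> str:
    """A content policy identifies a program by what it is, not by where it sits."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


class PathPolicy:
    """Directory allow list (trust-no-exe as toploader describes it): any exe under a trusted folder may run."""
    def __init__(self, trusted_dirs):
        self.trusted = [Path(d).resolve() for d in trusted_dirs]

    def allows(self, exe) -> bool:
        exe = Path(exe).resolve()
        for base in self.trusted:
            try:
                exe.relative_to(base)  # component-wise, so "trusted" does not match "trustedx"
                return True
            except ValueError:
                continue
        return False


class HashPolicy:
    """Content allow list (Anti-Executable as Rmus describes it): only files recorded with protection off may run."""
    def __init__(self):
        self.allowed = set()

    def learn(self, exe) -> None:
        # "turn AE off, install, turn AE back on": the installed file's hash joins the whitelist
        self.allowed.add(sha256_of(exe))

    def allows(self, exe) -> bool:
        return sha256_of(exe) in self.allowed


def run_scenario() -> dict:
    """Compare both policies on three events in a throwaway tree; every file here is constructed."""
    root = Path(tempfile.mkdtemp())
    try:
        progs = root / "Program Files" / "Editor"
        downloads = root / "Downloads"
        progs.mkdir(parents=True)
        downloads.mkdir()
        editor = progs / "editor.exe"
        editor.write_bytes(b"MZ legit editor build 1.0")  # stand-in for an installed program
        demo = downloads / "demo.exe"
        demo.write_bytes(b"MZ trojan demonstrator")  # stand-in for the thread's test trojan
        by_path = PathPolicy([root / "Program Files"])
        by_hash = HashPolicy()
        by_hash.learn(editor)  # the only program installed with protection switched off
        results = {}
        # 1. demo.exe in Downloads: both refuse it -> (directory policy, hash policy)
        results["demo_in_downloads"] = (by_path.allows(demo), by_hash.allows(demo))
        # 2. same file copied into the trusted folder: directory policy now trusts it, hash policy still does not
        planted = progs / "helper.exe"
        shutil.copy(demo, planted)
        results["demo_in_trusted_dir"] = (by_path.allows(planted), by_hash.allows(planted))
        # 3. the installed editor overwritten in place: trusted path, different content
        editor.write_bytes(b"MZ trojan demonstrator")
        results["editor_replaced"] = (by_path.allows(editor), by_hash.allows(editor))
        return results
    finally:
        shutil.rmtree(root)
```

Events 2 and 3 are the cases a directory policy cannot see: the file is judged by its location, so anything that lands in (or replaces something in) a trusted folder passes.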
  #54  
Old September 24th, 2005, 03:14 PM
toploader toploader is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 707
Default Re: New Trojan Test

Quote:
Originally Posted by Rmus
Greetings, kareldjag from this side of the Atlantic!

Well, blocking may not be the most interesting, but it is the most effective.

What a trojan does -- listing all of the files it loads, viewing the process requests -- this may be very interesting to some, but of no real importance to those who are just interested in protecting the system from attacks.

This demo is like firewall leaktests and even the feared rootkits (which are also just trojans) - they all have to install before they can execute anything.

So, blocking from installing should be of great interest!

regards,

-rich

Hi Rich - may I ask what HIPS program you are using to test this sim trojan? (the one with beware of the dog)
  #55  
Old September 24th, 2005, 03:18 PM
TNT TNT is offline
Security Expert
 
Join Date: Sep 2005
Posts: 948
Default Re: New Trojan Test

Quote:
Originally Posted by Chris12923
Blocking is the easiest, but what if this was an unknown program that didn't look suspicious? Most people would just let it install. This is where you need an app that tells you what it's really doing. I mean, you can block every new .exe, but then what? Never download anything from freeware/shareware sites? Maybe I'm missing something?
I don't think people should download and run whatever they see on the Internet or get by mail. The Internet is not a trusted place; you should only download software from trusted sources, and possibly check the GPG/PGP signature or the MD5/SHA-1/SHA-256 checksum if they provide it. "Downloading and running a free little desktop game I saw" is not an option; it shouldn't be done, period. If you're suspicious about a piece of software you want to run (and that does NOT mean "you want to run suspicious software") you can test what it does on the filesystem by running something like Sandboxie, both during installation and during execution; that adds a little extra knowledge about the software's behaviour, but it's not perfect as it's not continuous monitoring. In my opinion, if you think you need continuous monitoring on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.
  #56  
Old September 24th, 2005, 03:22 PM
bigc73542 bigc73542 is offline
Retired Moderator
 
Join Date: Sep 2003
Location: SW. Oklahoma 28.360USB, 27.385LSB, 147.255+
Posts: 23,605
Default Re: New Trojan Test

ProcessGuard does alert to the trojan demo.
__________________
The Only Safe Computer Is Unplugged
MEMBER ASAP since 2004
Alliance of Security Analysis Professionals
  #57  
Old September 24th, 2005, 04:01 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by toploader
Hi Rich - may I ask what HIPS program you are using to test this sim trojan? (the one with beware of the dog)
Greetings, Toploader, it's Anti-Executable from Faronics. It's not a HIPS program (as I understand the definition) - only anti-execution protection.

I meant to ask kareldjag about "Trust-no-exe" which he showed also blocked the trojan - whether it blocked the downloading, or it downloaded and was blocked from running.

regards,

-rich
________________
~~Be ALERT!!! ~~
  #58  
Old September 24th, 2005, 04:13 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by Chris12923
Blocking is the easiest, but what if this was an unknown program that didn't look suspicious? Most people would just let it install.
Hi Chris,

I wish I had a formula answer for that, but I just depend on my own judgment in each case.

Quote:
This is where you need an app that tells you what it's really doing. I mean, you can block every new .exe, but then what? Never download anything from freeware/shareware sites? Maybe I'm missing something?
I keep the install.exe/Zip file of every program I've downloaded - most of which I just try out and later discard. My current Zip folder has 247 programs - about 3 years worth. Recently, I previewed 4 music writing programs. I've never felt insecure about the sites I download from, nor from websites of people who develop freeware, probably because I've read about the site/ person and feel confident that it is a secure site and/or trusted person.

regards,

-rich
________________
~~Be ALERT!!! ~~
  #59  
Old September 24th, 2005, 04:27 PM
toploader toploader is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 707
Default Re: New Trojan Test

Thanks Rich - looks interesting - is it equivalent to Process Guard (free version), do you think?

It seems to be marketed to major organisations; the price calculator does not offer a home version.
  #60  
Old September 24th, 2005, 04:31 PM
toploader toploader is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 707
Default Re: New Trojan Test

Quote:
Originally Posted by Rmus
I meant to ask kareldjag about "Trust-no-exe" which he showed also blocked the trojan - whether it blocked the downloading, or it downloaded and was blocked from running.

My limited understanding indicates that it stops execution (if executing from an unauthorised directory); I don't think it would stop downloading?
  #61  
Old September 24th, 2005, 04:32 PM
Chris12923 Chris12923 is offline
Very Frequent Poster
 
Join Date: May 2004
Posts: 1,079
Default Re: New Trojan Test

Quote:
Originally Posted by TNT
I don't think people should download and run whatever they see on the Internet or get by mail. The Internet is not a trusted place; you should only download software from trusted sources, and possibly check the GPG/PGP signature or the MD5/SHA-1/SHA-256 checksum if they provide it. "Downloading and running a free little desktop game I saw" is not an option; it shouldn't be done, period. If you're suspicious about a piece of software you want to run (and that does NOT mean "you want to run suspicious software") you can test what it does on the filesystem by running something like Sandboxie, both during installation and during execution; that adds a little extra knowledge about the software's behaviour, but it's not perfect as it's not continuous monitoring. In my opinion, if you think you need continuous monitoring on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.
So based on what you're saying, we don't even need security software besides maybe a firewall, since no one should download anything that they think might be suspicious? I doubt this is likely to happen, and besides that, there is some very well known software that can be infected. This story is old but you get the point: http://www.sophos.com/virusinfo/arti...mda_korea.html. Maybe 1 out of 100,000 users (if that) will preview their documents with Sandboxie-type software. That is why we need additional software.

Thanks,

Chris
  #62  
Old September 24th, 2005, 04:37 PM
TNT TNT is offline
Security Expert
 
Join Date: Sep 2005
Posts: 948
Default Re: New Trojan Test

Quote:
Originally Posted by toploader
Thanks Rich - looks interesting - is it equivalent to Process Guard (free version), do you think?

It seems to be marketed to major organisations; the price calculator does not offer a home version.
There is a home version for 29 dollars. http://www.faronics.com/html/orderFS.asp
That said, I like Process Guard much better. It looks to me like Anti-Executable is more suited for something like Internet Cafes (associated with Deep Freeze) than a home user; it is MUCH more restrictive than Process Guard: it won't ask you if you want to run a new application: you won't run it, period. If I'm not mistaken you'll have to rebuild the whole "allowed applications" database if you want to execute the new application.
  #63  
Old September 24th, 2005, 04:46 PM
toploader toploader is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 707
Default Re: New Trojan Test

Quote:
Originally Posted by TNT
There is a home version for 29 dollars. http://www.faronics.com/html/orderFS.asp
That said, I like Process Guard much better. It looks to me like Anti-Executable is more suited for something like Internet Cafes (associated with Deep Freeze) than a home user; it is MUCH more restrictive than Process Guard: it won't ask you if you want to run a new application: you won't run it, period. If I'm not mistaken you'll have to rebuild the whole "allowed applications" database if you want to execute the new application.

Thanks TNT - some of the user reviews on download.com state there are a number of restrictions in the free version of PG that effectively make it demoware; is that true? (see below)

*********************************************************
This is NOT free. It is a max "50 attacks max protection", after = defenseless

11-Jun-2005 12:27:24 AM
Reviewer: gonebythebay

Pros: Hard to say what the pros might be, as only 5 minutes into surfing a message came up saying this will only protect against 50 intrusions, and to cough up the money if I want unlimited protection

Hey, this might be good, but no chance to trial it. (Unless you want to compromise your security)

Cons: -Do you think an attacker is going to stop and say, "ooh, I'm sorry, I'll stop trying to get into your system, as I am feeling generous and pull back from my 30 rounds this minute while you are trialing your software."

(I have in the past used software which indicates the "attempt patterns" of hackers. Some of them just fire off a succession of intrusion attempts)

-Software is NOT FREE - but a 50-attack limited version, WHICH WILL ABSOLUTELY COMPROMISE YOUR SYSTEM IN THE TIME IT TAKES YOU TO REALISE THIS, DISCONNECT THE MODEM, AND THEN PUT UP SOMETHING IN ITS PLACE. So I just turned it off.

-As I said, this may be good, but I don't know, and would not advise trialing, but to buy if you want to try it.
*********************************************************

A must have security tool

07-Aug-2005 10:10:43 AM
Reviewer: darui_br

Pros: It's an incredible tool for all Windows users! Protects against unauthorized applications running without your knowledge - Astalavista spywares (-:

Cons: Supports only 256 applications. But I think in the next version this problem will be corrected
*********************************************************
  #64  
Old September 24th, 2005, 04:53 PM
TNT TNT is offline
Security Expert
 
Join Date: Sep 2005
Posts: 948
Default Re: New Trojan Test

Quote:
Originally Posted by Chris12923
So based on what you're saying, we don't even need security software besides maybe a firewall, since no one should download anything that they think might be suspicious? I doubt this is likely to happen, and besides that, there is some very well known software that can be infected.
(a) For well known software, it's unlikely that it would happen without the problem being pointed out very soon, and (b) digital signatures like PGP and file checksums like SHA-1 and the like prevent it, and personally I always check those if they are available (it's theoretically possible to overcome them by cracking many mirror sites, replacing the signatures, building fake public keys, etc., but in the real world that would be so extremely hard that malware distributors just wouldn't be able to).

Everybody has their own view on how much 'trust' you can put in a piece of software; I'm not saying you should only run what you KNOW FOR SURE WITHOUT ANY POSSIBLE DOUBT WHATSOEVER to be 100% safe, 'cause that's simply not possible. What I'm saying is that users should always be very careful, not sloppy, about the software they get. That's all.
  #65  
Old September 24th, 2005, 04:54 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by toploader
Thanks Rich - looks interesting - is it equivalent to Process Guard (free version), do you think?
No, PG does more things than AE. I see that posts above have explained pretty well.

regards,

-rich
________________
~~Be ALERT!!! ~~
  #66  
Old September 24th, 2005, 05:07 PM
toploader toploader is offline
Frequent Poster
 
Join Date: Aug 2005
Posts: 707
Default Re: New Trojan Test

Hi Rich - the reason I asked is that the free version seems to be very restricted (see above post to TNT)
  #67  
Old September 24th, 2005, 05:14 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by toploader
Hi Rich - the reason I asked is that the free version seems to be very restricted (see above post to TNT)
AE is anti-execution prevention only. See here:

http://www.faronics.com/html/AntiExec.asp

http://www.diamondcs.com.au/processg...?page=download

regards,

-rich
________________
~~Be ALERT!!! ~~

Last edited by Rmus : September 24th, 2005 at 10:04 PM. Reason: spelling
  #68  
Old September 24th, 2005, 07:40 PM
Chris12923 Chris12923 is offline
Very Frequent Poster
 
Join Date: May 2004
Posts: 1,079
Default Re: New Trojan Test

Also, another good execution prevention app is EXE Lockdown (http://www.horizondatasys.com/produc...html?page_id=4). I'm not sure if you have to rebuild the database on Anti-Executable, but with EXE Lockdown you can easily add apps to the whitelist.

Thanks,

Chris
  #69  
Old September 24th, 2005, 10:03 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by Chris12923
I'm not sure if you have to rebuild the database on Anti-Executable
When you turn off AE to install a program and then turn AE back on, the program is auto-added to the database (whitelist).

regards,

-rich
________________
~~Be ALERT!!! ~~
  #70  
Old September 24th, 2005, 10:27 PM
TNT TNT is offline
Security Expert
 
Join Date: Sep 2005
Posts: 948
Default Re: New Trojan Test

Quote:
Originally Posted by Rmus
When you turn off AE to install a program and then turn AE back on, the program is auto-added to the database (whitelist).
Thanks for clarifying. I wasn't sure you had to rebuild the whole db; you don't have to reboot (like in Deep Freeze) right?
  #71  
Old September 24th, 2005, 11:22 PM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by TNT
Thanks for clarifying. I wasn't sure you had to rebuild the whole db; you don't have to reboot (like in Deep Freeze) right?
No rebooting necessary with AE to add to the database.

regards,

-rich
________________
~~Be ALERT!!! ~~
  #72  
Old September 25th, 2005, 12:22 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by Chris12923
Also, another good execution prevention app is EXE Lockdown (http://www.horizondatasys.com/produc...html?page_id=4). I'm not sure if you have to rebuild the database on Anti-Executable, but with EXE Lockdown you can easily add apps to the whitelist.

Thanks,

Chris
This is the old Exe Vaccine program, one of several *vaccine products. Very impressive product. It works a little differently than Anti-Executable. Both let you easily add to the whitelist.

Again, these are not "HIPS" products, since they provide just anti-execution prevention, but are useful in certain situations and setups.

For purposes of these trojan tests that seem to be appearing as of late, these types of anti-execution protection prevent the demo.exe from running, so if you want to test your system, you have to disable the anti-exe program.

As such, those who don't run other AV/AT that detect/block the demo from running are said to flunk the test because the spy.txt file the demo creates contains information about your system. This in view of the fact that a properly configured firewall blocks the demo from sending out that information to their web site, as I demonstrated.

Spy1's comment in the earlier "TrojDemo.exe" thread referenced by kareldjag is food for thought:
--------------------------------------------
IMO, no "vulnerability test" where one has to purposely and knowingly DROP a defense or "Allow" something that one wouldn't normally allow is valid - period. Because it's not a "real environment" test.
---------------------------------------------

regards,

-rich
________________
~~Be ALERT!!! ~~
  #73  
Old September 25th, 2005, 12:27 AM
Chris12923 Chris12923 is offline
Very Frequent Poster
 
Join Date: May 2004
Posts: 1,079
Default Re: New Trojan Test

Quote:
Originally Posted by Rmus
When you turn off AE to install a program and then turn AE back on, the program is auto-added to the database (whitelist).

regards,

-rich
________________
~~Be ALERT!!! ~~
Doesn't this mean you are dropping a defense, if you thought the program you were installing was a trusted app and you were unaware that the program was actually a trojan?

Thanks,

Chris
  #74  
Old September 25th, 2005, 12:38 AM
Rmus Rmus is offline
Exploit Analyst
 
Join Date: Mar 2005
Posts: 3,624
Default Re: New Trojan Test

Quote:
Originally Posted by Chris12923
Doesn't this mean you are dropping a defense, if you thought the program you were installing was a trusted app and you were unaware that the program was actually a trojan?

Thanks,

Chris
The "dropping a defense" comment by Spy1 was in reference to running a trojan test, where you have to permit the demo.exe file to run.

But your point is well taken with reference to the real world, where you have to permit a program to install - yes, you drop your defense.

As far as being unaware that a program was actually a trojan, I can only speak for myself that it's never happened and I don't worry about it. I'm just careful, as I indicated in a previous post.

regards,

-rich
________________
~~Be ALERT!!! ~~
  #75  
Old September 25th, 2005, 04:34 AM
poll2
 
Posts: n/a
Default Re: New Trojan Test

Quote:
Originally Posted by Brian N
'Noobs', as you call them, buy security software too. And I wouldn't be surprised if they were responsible for 95% of the profit for each company.

If every Internet user was an expert in security, some companies would never be as big as they are today.

So, if these non-standard tests are detected, it will strengthen the trust in the company, meaning: 'standard' people talk about it = 'standard' people buy it.

'Standard' people don't hang out here. 'Standard' people don't randomly run trojan tests they see. Anyone who is curious enough to do this by definition doesn't fall into the 'standard' people group.

And these people should at least take the time to understand what they are doing; sadly, if this thread and past posts on this forum are any evidence at all, they don't.

And if you do fall into the knowledgeable group, your duty is to explain what is going on to the less knowledgeable instead of going with the crowd, just to 'strengthen trust'.

As I wrote before, do you want antivirus vendors to spend time on something that provides real protection, or do you want them to waste time on useless stuff? Do you want illusory protection just to pass tests and fool the gullible and the naive?

Sure, the noobs don't get it, but that's what the so called "Experts" are here for. Pandering to the crowd is the last thing anyone should do.


Quote:
This does not include 'security oriented persons' because they simply know better, and have probably already tested numerous security software..

I'm not sure whether they know better. There's a group of people who just run tests, run software without any understanding, their aim is just to say they pass the test. The 'feel good' factor.


Quote:
I could be wrong though, I'm just telling my view on this

Of course, by invoking the "it's just my view on it" defense you can't be wrong.
But it seems you don't have any good argument to support why antiviruses should detect every harmless test that people come up with.
 

Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums