ACK Tunneling Trojans

Ah, didn't know you posted this.  I was just reading this a few moments ago and was about to post it here.  Anyhow.....

My assessment:  I only have one Win 2k box at home.  For the heck of it, I ran the server and the client on it.  ZAP prompted me after I executed the client, but not the server.  On my WinME box, ZAP prompted me on the server but then the server just died.

 

What is also interesting is that NOD32 AMON picked it up immediately, and TDS-3 did not with the 11373 references update.

 

Yeah I was quite impressed.  I'm very glad I went with NOD32.  

 

Paul? AckCmd is a relatively old demo (2000), it has been detected by TDS since its release -

Trojan Client\EditServer found: RAT.AckCmd 1.0 (Client)
 File: t:\analyse\ackcmd\ackcmdc.exe

Positive identification: RAT.AckCmd 1.0
 File: t:\analyse\ackcmd\ackcmds.exe

 

Wayne, I have execution protection enabled on my system and when I ran ackcmds.exe and ackcmdc.exe TDS-3 alert me.  Why did it not alert me if it is in the database?

 

Not too sure Zhen, I just tested it here and it worked fine. I've just switched you over from Senior Member to Beta Tester at the private DCS forum so you'll be able to access the Beta Test forum there now - feel free to try our new kernel-level execution hook vs AckCmd
There are some strange compatibility issues with the TDS3 execution hook as it uses several Microsoft components that unfortunately aren't friendly on all flavours of Windows at all times. It works fine for most people, but as we aren't in control of those Microsoft components we took the gamble to go into undocumented kernel territory to create our own hook. Mission now accomplished, but the general public won't be able to see it in action until the first release of TDS4/WG4.
 
As far as "ACK tunneling" goes, despite the age of Arne Vidstrom's report, ACKCmd is still the only demo or trojan that has ever used this technique so it's not something to lose sleep over, but I believe most firewall vendors addressed the issue back then when it was more of an issue, and it's more a firewall issue than an anti-trojan issue - the only thing making it different from any other trojan is how it sends packets on networks, and as such that side of it can only be handled by an IDS or firewall. As far as intercepting its execution before allowing it to execute, yes that's the job of anti-virus/anti-trojan software - execution protection, something which can't be handled by firewalls or IDS

Best,
Wayne

 

Thanks Wayne.. I'll jump into the beta forum tomorrow and try to run some tests.

 

I downloaded that file, NOD32 crawled all over it. At this point, TDS-3 can't get to it because NOD32 already locked it. Amon would't let me run it at all (caught it in the zip) so it doesn't really matter.

Regardless of which security program catches a file, it only needs to be caught once. It matters little to me which one it was. I am sure TDS-3 would have found it but I choose to try NOD32 first.

Point is, this ACK attack sh!t isn't likely to be successful on my machine, not with all this security stuff running.

 

Yes, there is only one location I have set that AMON doesn't monitor at all.  It is in the folder I place files like these for special testing.  On another machine, AMON tagged it immediately.  But on my protected directory machine, TDS-3 missed it.

I'll test later today using the beta.