Andreas Haak-Ants anti-trojan project

Discussion in 'other anti-trojan software' started by Pretender, Dec 10, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Checkout,

First of all: there is no such thing as a (new) Ants. Secondly: in general, there's no such thing as "cross licensing agreements" between commercial competitive software. I for one will never see that happen - and from the software companies' point of view that's quite understandable IMO. ;)

    regards.

    paul
     
  2. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
You should note how many of the other modified variants were detected in a way such as this... all except for the edited, unpacked variant; I've never seen a trojan user distribute a 1MB unpacked Bionet server ;)

    Positive identification <Adv>: RAT.Bionet 4.x

    Editing to bypass the detection of this type would be past most trojan users, in fact I doubt any real world trojan user actually has any edited Bionet server that they use which would pass TDS detection after memory space and object scanning - perhaps even simple FILE scanning as above.

Please, let's stop bickering about finding ways to get around scanners. Surely ALL of them are bypassed if you work hard enough, but as I said before it's the amount of effort that is needed that counts.
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    @Andreas..

I also strongly suggest it is a BAD idea coding anything that may help trojan writers. No one needs you coding something which gives them ideas on how to make malicious software more malicious, more stealthy, more anything. Really... think about that carefully, it gives a bad image to be coding malware even for demonstration purposes. o_O

    After all, aren't you supposed to be one of the good guys ?

In a way it's just like protecting software from cracking: it is MUCH harder to protect than it is to break, so work harder on protecting against trojans rather than breaking users' security please :)

    This post is in no way meant to be offensive :)

    Edit :

    a) Execution Protection works on all Win32 platforms.
    b) Nearly all memory space signatures include some code or other non editable bits so that only the most hardened trojan user (who could probably code his own trojan anyway) would edit it successfully. I may have a couple of them which are not "perfect" but they will be by tomorrow ;)
    c) Goodnight :)
     
  4. DrSeltsam

    DrSeltsam Guest

>>Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
>>File: c:\dokume~1\admini~1\desktop\scantest\bionet318ungepacktteniobhexedited.exe

    >You should note how many of the other modified variants were detected in a way such as this..

Did you ever try to pack a Microsoft file with an exe packer that is coded in Delphi (for example ASPack)?
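The "Microsoft-tagged exe built with Borland compiler" verdict quoted above is a compiler-fingerprint heuristic: the file's version information claims Microsoft as the vendor, but its PE headers look Delphi-built. Below is an added example in Python (not TDS's code and not from anyone in this thread) of a minimal PE header parser and that heuristic run over three constructed files. The Borland indicators assumed here are a linker version of 2.25 and CODE/DATA/BSS section names; the version-info fragment is a simplified UTF-16 "CompanyName" key/value pair rather than a full VS_VERSIONINFO tree; and the third sample models DrSeltsam's scenario purely as an assumption (a genuine Microsoft file whose header fields a Delphi-written packer has replaced with its stub's), which the thread does not itself confirm for any particular packer.

```python
import re
import struct

PE_OFFSET_FIELD = 0x3C
BORLAND_LINKER = (2, 25)                          # assumed Delphi-era Borland linker version
BORLAND_SECTIONS = {b"CODE", b"DATA", b"BSS"}     # assumed Delphi section names
VERDICT = "Suspicious: Microsoft-tagged exe built with Borland compiler"


def build_pe(linker, sections, trailer=b"") -> bytes:
    """Constructed minimal PE32 image: DOS header, COFF header, optional header,
    section table, then 'trailer' bytes standing in for the rest of the file."""
    e_lfanew = 64
    dos = b"MZ" + b"\x00" * (PE_OFFSET_FIELD - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x010F)
    # Magic 0x10B, MajorLinkerVersion, MinorLinkerVersion; the rest zero-padded
    opt = struct.pack("<HBB", 0x10B, linker[0], linker[1]).ljust(opt_size, b"\x00")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(sections))
    return dos + b"PE\x00\x00" + coff + opt + table + trailer


def parse_headers(data: bytes) -> dict:
    """Read linker version and section names straight from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, PE_OFFSET_FIELD)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    major, minor = struct.unpack_from("<BB", data, pe + 26)
    base = pe + 24 + opt_size                     # section table follows the optional header
    names = [struct.unpack_from("<8s", data, base + 40 * i)[0].rstrip(b"\x00")
             for i in range(nsections)]
    return {"linker": (major, minor), "sections": names}


# Simplified version-info lookup: UTF-16LE "CompanyName\0", optional padding, value, "\0".
_KEY = "CompanyName\0".encode("utf-16-le")
COMPANY_RE = re.compile(re.escape(_KEY) + rb"(?:\x00\x00)*((?:[^\x00]\x00)+)\x00\x00", re.DOTALL)


def company_name(data: bytes):
    m = COMPANY_RE.search(data)
    return m.group(1).decode("utf-16-le") if m else None


def classify(data: bytes) -> str:
    """Fire when the vendor tag says Microsoft but the build fingerprint says Borland."""
    hdr = parse_headers(data)
    borland = hdr["linker"] == BORLAND_LINKER or bool(BORLAND_SECTIONS & set(hdr["sections"]))
    company = company_name(data) or ""
    return VERDICT if borland and company.startswith("Microsoft") else "no heuristic hit"


# --- constructed samples (none of these are real files) ---
MS_TAG = _KEY + "Microsoft Corporation\0".encode("utf-16-le")

# 1. Delphi-built program carrying a forged Microsoft vendor tag: the intended catch.
FAKE_MS = build_pe((2, 25), [b"CODE", b"DATA", b"BSS", b".rsrc"], MS_TAG)
# 2. A file built with a non-Borland toolchain and a genuine Microsoft tag.
REAL_MS = build_pe((7, 10), [b".text", b".rdata", b".data", b".rsrc"], MS_TAG)
# 3. Assumption modelling DrSeltsam's scenario: the same Microsoft file after a
#    Delphi-written packer rewrote the linker version with its own stub's value.
PACKED_MS = build_pe((2, 25), [b".text", b".rdata", b".data", b".rsrc", b".packed"], MS_TAG)

if __name__ == "__main__":
    for label, sample in (("forged tag", FAKE_MS), ("genuine", REAL_MS), ("packed", PACKED_MS)):
        print(f"{label:10} {parse_headers(sample)['linker']} -> {classify(sample)}")
```

The third sample is the false positive the question is pointing at: the heuristic cannot tell a Delphi-built impostor from a legitimately tagged file whose headers a Delphi-written packer has overwritten, because both present the same fingerprint mismatch. Whether a given packer actually changes these header fields is something to verify on a real sample, not something this example establishes.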
     
  5. DrSeltsam

    DrSeltsam Guest

    >there is no such thing as a (new) Ants.

No official one :o).
     
  6. DrSeltsam

    DrSeltsam Guest

    >I also strongly suggest it is a BAD idea coding anything that may help trojan writers. Noone needs
    >you coding something which gives them ideas on how to make malicious software more malicious,
    >more stealthy, more anything. Really.. think about that carefully, it gives a bad image to be coding
    >malware even for demonstration purposes. o_O

It depends. I think we dissent. I think it's OK to produce "malicious code" (by the way, what is malicious?). It's exactly the same as the leak tests you can find for firewalls. It's simply a leak test for anti-malware software. What is wrong with that? I never told anyone to implement any trojanous function.

    >After all, aren't you supposed to be one of the good guys?

Where is the difference between a good and a bad boy in the "anti-malware scene"? I think you won't find any. You do a lot of illegal stuff (reverse engineering - yes, trojans, viruses and so on are copyrighted software) for example ... so you must be a bad guy ;o).

    >In a way its just like protecting software from cracking, it is MUCH harder to protect than it is to
    >break, so work harder on protecting against trojans rather than breaking users security please :)

But what is wrong if you provide information about weaknesses to all users (including the vendor and the "bad boys")?

    >This post is in no way meant to be offensive :)

My reply, too :o).
     
  7. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
Andreas o_O o_O o_O o_O People would like to have some input, please.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
Andreas, I won't bother with any more of this argument. You should be doing something constructive ;)

    For the record, changing the strings Bionet to bi0net or ANYTHING else, as seen below, has NO effect on TDS detection of Bionet 3.18 - case closed.

Oh, for the other record: we don't reverse engineer commercial software, only malware. I think any court would throw out any claims of anything illegal in that. We didn't dissect TrojanHunter as someone alluded earlier; I found a paper online that someone else had written.
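As an added illustration of the point made in posts 2, 3 and 8 above (this is not code from the thread, from TDS or from DiamondCS): a scanner keyed on the string "Bionet" misses a hex-edited copy, while a signature built from code bytes, with a wildcard over the one field that varies between builds, still hits it; and neither signature fires on a packed file until the image is unpacked, which is what memory-space scanning gets to see. The code stub, the config string and the XOR "packer" are all constructed for the demo and are not Bionet's real bytes.

```python
import re

# --- constructed sample data (invented for the demo; not a real Bionet server) ---
# Twenty bytes standing in for a compiled routine: push ebp / mov ebp,esp /
# add esp,-0x10 / mov eax,imm32 / call rel32 / mov esp,ebp / pop ebp / ret.
CODE_STUB = bytes.fromhex("558bec83c4f0b8d0104000e8a1f5ffff8be55dc3")
CONFIG = b"Bionet\x00port=12349\x00"          # identifying text a user can hex-edit

ORIGINAL = CODE_STUB + CONFIG
STRING_EDITED = CODE_STUB + CONFIG.replace(b"Bionet", b"bi0net")

# A string signature: what a naive scanner keys on.
STRING_SIG = re.compile(rb"Bionet")

# A code signature: fixed opcode bytes with a 4-byte wildcard over the immediate
# that changes between builds.  Editing a text string touches none of these bytes.
CODE_SIG = re.compile(rb"\x55\x8b\xec\x83\xc4\xf0\xb8....\xe8", re.DOTALL)


def pack(image: bytes, key: int = 0x5A) -> bytes:
    """Toy 'packer': XOR-obfuscates the image so the on-disk bytes match nothing."""
    return bytes(b ^ key for b in image)


def unpack(packed: bytes, key: int = 0x5A) -> bytes:
    """What the loader (and therefore a memory scanner) sees once the stub has run."""
    return pack(packed, key)                      # XOR is its own inverse


def scan(data: bytes) -> dict:
    """Run both signatures over whatever bytes the scanner can see."""
    return {"string_sig": bool(STRING_SIG.search(data)),
            "code_sig": bool(CODE_SIG.search(data))}


def run_demo() -> dict:
    """File scan vs. memory scan across the plain, edited and packed samples."""
    packed = pack(STRING_EDITED)
    return {
        "original/file": scan(ORIGINAL),
        "edited/file": scan(STRING_EDITED),
        "edited+packed/file": scan(packed),
        "edited+packed/memory": scan(unpack(packed)),
    }


if __name__ == "__main__":
    for label, hits in run_demo().items():
        print(f"{label:22} {hits}")
```

The edited sample shows why renaming "Bionet" to "bi0net" does nothing against a signature that includes code bytes; the packed sample shows why file scanning of a packed server can come up empty while scanning the unpacked image in memory still identifies it. Real signatures carry more context than one prologue, but the principle is the same: anchor on bytes the user cannot change without rebuilding the program.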
     

  9. Gladiator

    Gladiator Guest

Well, I must answer here because it says: "Good morning Gav" - hehe, yes, good morning :D
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Andreas - Put out your own program that does something better or faster than TDS and I'll believe you.

    Until then, you're just wasting everyone's time. Pete
     