c:\TDS3\xdynamic\TDS.Unpk

Discussion in 'Trojan Defence Suite' started by controler, Jul 7, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

Here is another weird situation.
    Anytime you run a full scan with TDS and TDS runs across an infected file, Norton kicks out its warning splash screen.
    I have attached my Norton Activity log.
    The weird thing is, if I look in that folder with Windows Explorer,
    I only see two files (antikeylogger and fixsirc.com).

    wasssubi with that?

    See attached text file


    [year-old attachment deleted by admin]
     
  2. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Hi Controler.

    The folder xDynamic\TDS.Unpk on this computer is empty.

    I would seek the advice of either Wayne or Gavin with this. If I had the files you're saying are in that folder, then I would guess that NAV is seeing a false alarm... However, since that folder on my box is empty ~~ I really don't know what to say.

    My suggestion is to e-mail DCS and watch this thread for a reply from them.

    Regards,
    Hilly.
     
  3. Pawthentic

    Pawthentic Registered Member

    Joined:
    Jul 6, 2002
    Posts:
    40
    Looking through the entire text you posted, I'd say all those files belong to Sub7. Have you intentionally downloaded S7 to play with it?

    Is your Windows Explorer set to show all files? Are the files there, but hidden?

    Regards,
    Hilly.
     
  4. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    What is your OS?

    Maybe NT, 2000 or XP?

    Ciao,

    Smokey
     
  5. FanJ

    FanJ Guest

    Hi,

    When you do a search in the Helpfile for xDynamic, you see info of which I quote here some:

    -----

    Unpack Compressed EXEs

    Trojans are often compressed with an executable compressor (or "packer") before being sent to a victim. Executable compressors such as UPX (by Markus F.X.J. Oberhumer and Laszlo Molnar) typically compress a file down to a size that's usually around 25% of the original size (depending on the original composition of the file), and in doing so the file literally becomes a different program with a completely different composition to the original. Signatures used to detect the file based on the original uncompressed file will not work on the compressed file, and this is one of the main techniques used by hackers to sneak trojans under the scope of anti-trojan detection systems.


    TDS's intensive memory scanning means that even if a compressed trojan is executed, the compression of the original file won't affect detection in memory. However, it's even better to detect a trojan before it can load into memory, and this is extremely difficult when executable compressors are involved, but TDS meets this challenge in build 3.1.0 with the introduction of extended unpacker support.

    With extended unpacker support, TDS will keep an eye open for packer signatures that it knows of (as defined in \Ext.Unpk\unpack.cfg). Upon detection of a packer signature, TDS will make a temporary copy of the file in its \xDynamic\TDS.Unpk\ directory and invoke the assigned decompression utility to unpack the file. If successful, the unpacked file will then be scanned. The file is deleted from \xDynamic\TDS.Unpk\ immediately afterwards.


    TDS-3 ships with UPX onboard for decompression support. More trojans are compressed with UPX than any other packer due to the speed, ease of use, and tiny output size that UPX generates - not to mention that UPX is 100% free, and open-source. You can add your own support for other decompressors by modifying \Ext.Unpk\unpack.cfg, as seen here:

    -----

    Let's look at this sentence:
    "The file is deleted from \xDynamic\TDS.Unpk\ immediately afterwards."
    I have noticed that this is not completely true.
    How do I know? I use a program called ADinf32 Pro. That program is able to show you whether there was a change in any file (or new added or deleted). (BTW: you can compare ADinf32 with NISFileCheck, for which we have a special forum on this board).
    What I have seen is that sometimes the file watchdog.exe (which belongs to RegRun, a fully clean program) is in that directory, and some time later it is deleted from there automatically.
    Why that file is not "immediately deleted afterwards", I don't know.
    But as far as I am concerned, I don't worry about it.

    Another remark:
    If I understood Controler right, then he is doing a Full System Scan with TDS-3 while NAV is running in the background. Well, I myself do a Full System Scan with TDS-3 after I do a full system scan with one of my AV's, and while doing a Full System Scan with TDS-3 I temporarily disable my resident AV.
     
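The help text quoted above describes a cycle: spot a packer signature, copy the file into \xDynamic\TDS.Unpk\, run the assigned unpacker, scan the result, delete the copy. The Python below is an added example, not TDS code and not from the help file or any poster in this thread. It walks that cycle and shows the point the help text makes about signatures: a detection string written for the original file does not appear in the packed copy and only matches once the file is unpacked. zlib stands in for UPX so the example runs offline; the UPX section-name markers are real, but the signature string, sample bytes, file names and unpack-directory name are constructed for the example. The `unpack_upx` branch shows how a real decompressor would be invoked in the style of unpack.cfg and is not exercised here.

```python
"""Added example (not TDS code): the unpack-then-scan cycle from the TDS help
text, with zlib standing in for UPX so it runs offline.

Assumptions (not from the page): the SIGNATURE string, the sample bytes, the
"ZLIBPACK" magic of the stand-in packer, and the directory names.
"""
import shutil
import subprocess
import tempfile
import zlib
from pathlib import Path
from typing import Callable, Dict, Optional

# Real UPX leaves these markers in a packed PE file (section names UPX0/UPX1
# and the "UPX!" magic); a scanner can use them as the packer signature.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def detect_upx(data: bytes) -> bool:
    """Packer-signature check for UPX-packed executables."""
    return any(marker in data for marker in UPX_MARKERS)


# Constructed sample: a fake PE-like body carrying a string a scanner might
# hold as its signature for the *unpacked* file.
SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE-0001"
ORIGINAL = b"MZ" + b"\x00" * 64 + SIGNATURE + b"\x00" * 512
PACK_MAGIC = b"ZLIBPACK"  # stand-in packer's own marker (assumption)


def pack_with_zlib(data: bytes) -> bytes:
    """Stand-in packer: the output shares no byte runs with the input."""
    return PACK_MAGIC + zlib.compress(data, 9)


def unpack_zlib(src: Path, dst: Path) -> None:
    """Stand-in decompressor for files produced by pack_with_zlib."""
    dst.write_bytes(zlib.decompress(src.read_bytes()[len(PACK_MAGIC):]))


def unpack_upx(src: Path, dst: Path) -> None:
    """Real-world branch: copy to the unpack dir and shell out to UPX, the way
    unpack.cfg assigns a decompression utility. Not run in this example."""
    shutil.copy(src, dst)
    subprocess.run(["upx", "-d", "-q", str(dst)], check=True)


def signature_hit(data: bytes) -> bool:
    return SIGNATURE in data


def scan_file(path: Path, unpack_dir: Path,
              unpacker: Callable[[Path, Path], None],
              is_packed: Callable[[bytes], bool]) -> Dict[str, Optional[bool]]:
    """Scan a file; if it looks packed, unpack a temporary copy and scan that.

    Returns whether the file was treated as packed, whether the signature hit
    the packed bytes, and whether it hit the unpacked temporary copy.
    """
    data = path.read_bytes()
    result: Dict[str, Optional[bool]] = {
        "packed": False,
        "hit_packed": signature_hit(data),
        "hit_unpacked": None,
    }
    if not is_packed(data):
        return result

    result["packed"] = True
    unpack_dir.mkdir(parents=True, exist_ok=True)
    tmp = unpack_dir / (path.name + ".unpk")
    try:
        unpacker(path, tmp)
        result["hit_unpacked"] = signature_hit(tmp.read_bytes())
    finally:
        # Remove the temporary copy even if unpacking or scanning raised.
        # missing_ok covers the case where something else (for instance a
        # resident AV quarantining the unpacked file) already removed it.
        tmp.unlink(missing_ok=True)
    return result


def run_demo() -> Dict[str, object]:
    """Build the packed sample in a scratch directory, scan it, and report
    whether anything was left behind in the unpack directory."""
    with tempfile.TemporaryDirectory() as root_name:
        root = Path(root_name)
        sample = root / "sample.exe"
        sample.write_bytes(pack_with_zlib(ORIGINAL))
        unpk = root / "xDynamic" / "TDS.Unpk"
        result: Dict[str, object] = dict(scan_file(
            sample, unpk, unpack_zlib,
            is_packed=lambda d: d.startswith(PACK_MAGIC)))
        result["leftover"] = len(list(unpk.iterdir()))
    return result


if __name__ == "__main__":
    print(run_demo())
```

The `finally` block is what guarantees the unpack directory is emptied; a copy can only survive there if the process is killed between the unpack and the cleanup, or if the directory is written by a component that does not clean up on error. That is one mechanical reason a temporary copy might be seen in such a directory, and a resident scanner watching that directory will see the unpacked bytes for the short time they exist.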
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    And if you do now another scan, but uncheck the "zip/rar archives" and maybe the "compressed executables" too, and see what you get then.
    What you describe sounds very logical to me, but i want to make sure i'm right first.
    For your own security you might like to store your "toys for joy" (or test zoo) on diskettes / cdwr outside the system, btw.
    So you have NAV resident, and of course it jumps up when one of its alerts is touched.
    In that folder the files are examined and put inside out, upside down, unpacked, and checked all code, and the files you posted are nasties anyway, so be glad TDS and NAV both agree about that! It was worse if one of them did not!
    (i suppose you updated both programs to the ultimate).
    Normally one scans with only one AV/AT at a time, but i never had any problems with one together with TDS.
    But i don't run NAV, so........
    If you don't have NAV resident, one might suppose no alarms like these when you scan with TDS.
    Further you might like either to store the nasties outside or at least zipped on your system or on a separate partition.
    This zipped/rar-ed was what i meant for you to try with those one or two scan options unchecked, so you would only get the live trojans/worms with TDS scan and if NAV (in case resident) would then popup you have maybe a problem.
    So you can now test several different situations and i guess i'm right.

    Please keep us informed.
     
  7. controler

    controler Guest

    Hi all

    Sorry it took so long to get back, I was out fishing :D

    Yes that is exactly what is going on. TDS-3 created a backup of my nasties and didn't delete it.
    I learned something new again today. I didn't know TDS made the copy, and only when TDS is trying to do its thing with the files does Norton kick on.
    I know I know Jooske, controler should keep his nasties on another media. Although if I had done that, I would not have learned about the backup TDS makes ;)
    There should have been more than just SubSeven too.
    I knew I shouldn't be infected since I didn't install any of those.
    Jooske ? as you know I have sent some good files to TDS support and
    in most cases, when I do that I get a FREE copy he he
    These guys are a tough bunch to budge
     
  8. FanJ

    FanJ Guest

    Hi Controler,

    You said: "TDS-3 created a backup of my nasties and didn't delete it."
    I shouldn't call it exactly a backup, but that TDS-3 "unpacked" it there ;)
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It's not exactly a backup Controler, it is a temporary copy which is unpacked and tested and deleted normally almost immediately after. Why in your case a few are kept there, i don't know. In my registered version that folder is empty.
    This part is all described in the help-manual: TDS console > Help > TDS Helpfile. Alternatively have the Genie helpfile.exe running somewhere on your system and call "Help!" so the helpfile will be opened all voice controlled. (Part of the CokeMachine, downloadable in the private forum and running as a SS3 script only in registered versions)

    Many users sent so many samples and nasties: we are paid with references against them in the databases and lots of new tools to play with, free updates for registered operators, two official forums to play around, life long support, a whole DCS family and lots of education, joy, real 100% recycled electrons without any artificial preservatives, wishlists fulfilled, and a central tool for our system... is there more? o yeah, lots of security and with the next version to be expected many others jobless..... not bad for keeping each other updated....
     
  10. controler

    controler Guest

    Ok ok you sold me :D
    Besides all the knowledge I gain from coming here
    is worth it all.. and hanging with such a cool bunch :oops:
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmm and i didn't even post my hop via Jooske to click for TDS link. :p
    People here are mainly very nice and knowledgeable and if not, they get it by frequenting this space, sharing their knowledge and insights. For sure in the forums one gets the quickest education i've ever experienced.
    And TDS taught us security can be lots of fun as well.
    Meeting nice people and several possibilities to keep in touch (broadcast, connect, etc) via TDS.
    Some day it will even block flu and voice viruses.
     