Is positive detection with full scan only that you need?

Discussion in 'other anti-trojan software' started by Firefighter, Sep 3, 2003.

Thread Status:
Not open for further replies.
  1. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    Hi everyone!

    As I have told elsewhere, I have got some trojans lately! I used Drweb 4.30 and TrojanHunter 3.6, but those files were still able to come to my puter.

    According to KAV and some of RAV, those trojan infections were:

    Count.class-42fad49f-2e7173e8.class | Infected: Trojan:Java/ClassLoader.A

    BlackBox.class | Infected: Trojan:Java/ClassLoader.C

    Dummy.class | Infected: Trojan.Java.ClassLoader.d

    Beyond.class | Infected: Trojan:Java/Needy

    Dummy.class-1012b178-7d88f275.class | Infected: Trojan.Java.Nocheat

    Afterwards I scanned those trojans with TDS 3 and McAfee Free Online Scan, but no positive detection. When I sent those trojans to DrWeb and RAV, they were able to detect them afterwards almost every bit.

    Because this Anti-Trojan stuff might be too heavy for me, can you say whether it doesn't matter even if your AT doesn't detect your trojans with a full scan, as long as they are in the zipped WinRAR archive?

    Is it possible that TrojanHunter will catch those trojans when they are trying to fix themselves into memory?

    That editserver or everything like that is also too heavy for me, so you need not tell me anything about that!


    Best Regards,
    Firefighter!
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi FF, Did you mean TDS3 or TH?
    TDS3 will scan inside zip/rar archives.
    Have you used the latest radius file available from here:
    http://tds.diamondcs.com.au/index.php?page=update
    If TDS does not find the Trojans please submit the files too.
    submit@diamondcs.com.au

    Thanks Pilli
     
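    Pilli's point that a scanner has to look inside zip/rar archives rather than at the container is easy to show in code. The following is an added example, not code from the original thread or from TDS3 or TrojanHunter: it walks every member of a zip archive in memory, hashes each member, flags Java class files by their magic bytes, and matches member hashes against a (constructed) hash-signature list. The archive, its members and the signature name `Exploit.Java.Constructed-sample` are all constructed for the example and are not real samples or indicators.

```python
import hashlib
import io
import zipfile

# Every Java class file starts with these four bytes (0xCAFEBABE).
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the value you would quote in a vendor submission)."""
    return hashlib.sha256(data).hexdigest()


def inspect_archive(zip_bytes: bytes, signatures: dict) -> list:
    """Read each member of a zip archive without extracting it to disk and
    report name, size, hash, whether it looks like a Java class file, and any
    hash-signature match. A scanner that only hashed the archive itself would
    never see any of this."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            digest = sha256_hex(data)
            results.append({
                "name": info.filename,
                "size": len(data),
                "sha256": digest,
                "is_class": data[:4] == JAVA_CLASS_MAGIC,
                # None means "no signature for this member", not "clean".
                "detection": signatures.get(digest),
            })
    return results


def unknown_class_files(results: list) -> list:
    """Members that look like Java class files but matched no signature.
    These are the ones worth submitting to every vendor, as the thread suggests."""
    return [r["name"] for r in results if r["is_class"] and r["detection"] is None]


def build_sample_archive() -> tuple:
    """Construct a small in-memory archive plus a matching signature list.
    The class file is a bare header (magic, minor 0, major 46), not real bytecode."""
    fake_class = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x2e" + b"\x00" * 16
    orphan_class = JAVA_CLASS_MAGIC + b"\x00\x00\x00\x2e" + b"\x01" * 16
    readme = b"not a class file\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Dummy.class", fake_class)
        zf.writestr("Beyond.class", orphan_class)
        zf.writestr("readme.txt", readme)
    # Constructed signature: hash of the first class -> constructed detection name.
    sigs = {sha256_hex(fake_class): "Exploit.Java.Constructed-sample"}
    return buf.getvalue(), sigs


if __name__ == "__main__":
    archive, sigs = build_sample_archive()
    for entry in inspect_archive(archive, sigs):
        print(f"{entry['name']:14} {entry['size']:4d}  class={entry['is_class']}  "
              f"sha256={entry['sha256'][:16]}...  detection={entry['detection']}")
    print("unknown class files to submit:", unknown_class_files(inspect_archive(archive, sigs)))
```

    The hash match stands in for whatever signature a real scanner uses; the point is only that the member bytes, not the archive bytes, are what get checked, and that a member with no match is "unknown", which is the case for sending it to the vendors rather than calling it clean.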
  3. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Pilli from Firefighter!

    TrojanHunter 3.6 also is able to scan zip, rar and upx-packed files.

    I made some new scans some days ago with TDS3 and TrojanHunter 3.6. Both programs were updated manually, but no positive detections.

    I sent those archived files on 27 August 2003 to RAV, Drweb and TrojanHunter tech support. After that RAV and DrWeb were capable of detecting almost every bit, but TrojanHunter 3.6 remains the same -- nothing.

    I scanned those archives also with NOD32 and BitDefender Online Scan but nothing found. Panda Active scan found four Exploit/ByteVerify detections in the archive:

    1infected210803.zip

    and there in the files:

    [BlackBox.class]
    [VerifierBug.class]
    [Dummy.class]
    [Beyond.class]

    Three days ago I scanned those archives with BitDefender Free 7.1 and it was also capable of detecting most of them, although I hadn't sent any files to them yet.

    Yesterday I scanned those archives with Trend Micro HouseCall online scanner and the result was 3/5, quite good!

    I have done a full scan with TDS3 and TrojanHunter 3.6 on my PC, but only TrojanHunter 3.6 found one suspicious file with heuristics detection and no limitations. I sent that file to Kaspersky Lab and they said that it was some "Trojan.FlashKiller", which even my KAV 4.5 couldn't detect.

    According to KAV they couldn't add that trojan to their database, because after that the scanner is doing too many false positives --- strange to me! They do have a removal tool for that trojan, but after updating KAV, the removal tool goes away.

    But after all this, the main question was: is it possible that TrojanHunter or TDS are still capable of detecting those trojans when they are going to fix themselves in memory after someone has opened those files?

    Best Regards,
    Firefighter!
     
  4. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Hi,

    These aren't trojans. They are exploits of the Java Virtual Machine. The problem here is that some virus scanner vendors will label most anything that isn't a virus a "trojan", causing confusion among users. The real fix is to make sure you are running an updated version of the Java VM that isn't vulnerable to these exploits.
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Quite so Magnus - and nice seeing you dropping by! ;)

    regards.

    paul
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah, That explains why Trojan scanners don't bother - More important fish to fry :D
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    When I find something strange I like to use the KAV online virus scanner, giving in a few seconds some reply, which in most cases is rather adequate, and if they don't find anything in it and another scanner would, I would send them the sample and wait for further results.
    www.avp.ru . Scroll down the main page to the online virus scan and go ahead. It's updated several times a day, so a nice help-yourself desk :)
    But I also submit samples to submit@diamondcs.com.au where Gavin will decide what to add to the databases. So we all help to build a secure internet for all.
    Of course I felt marvelous a few times recently with nasties found by TDS that the KAV online scan did not discover in the files. By now it does, and they were real baddies, no false positives or anything else.
    Did you see for instance the great collection of spybot variants from 1a to 1.3zz or things like that, hundreds and more each day.
    So keep updating your software and a good scan each day keeps the nasties away!


    *Edited: seeing Pilli's post in the meantime, quoting a certain someone here: "Not malicious enough!" *
     
  8. microwave

    microwave Registered Member

    Joined:
    Aug 15, 2003
    Posts:
    6
    Mrs. Jooske,

    In order to keep the web safe for all, it's common practice to submit files to all software developers in question - not just to merely one :rolleyes:

    mwave
     
  9. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    To Magnus Mischel from Firefighter!

    Thanks for that clarification and sorry about those words when I said TH couldn't find those "infected" files!

    I am still a bit confused now! Why for example did DrWeb, RAV and some others add those "trojans" to their database? I don't think that a very "professional" attitude!

    And the last thing is that I want to know again: is it necessary with TrojanHunter (or TDS 3) to have that trojan signature when someone is opening that infected file and it is going into memory?

    Best Regards,
    Firefighter!
     
  10. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    In my opinion, the virus scanners in question should rename detection to "Exploit.ByteVerifier" etc. instead of "Trojan". Some virus scanners will include detection for these kinds of threats, others will not. It's all a question of the resources necessary to add detection vs. the threat the exploit poses. TrojanHunter's primary goal is to scan for trojans. Adding detection for these sort of exploits that aren't trojans would slow down the scan and detecting them isn't TrojanHunter's primary objective.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    KAV do call all these Exploit. as it should be :)

    Interesting question about both detections FF.. probably no, why if you have many methods and you can better target malware with one or two..
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    First is to ask confirmation from one specialist closest by instead of starting noise for nothing in several cases.

    But feel free to post all developers' submit sample addresses and the different ways they want them in (zipped, password protected, other) so we can all use your list. Thanks in advance.
    I might risk spam accusations, and most of all if the thing is found innocent.
    What I get alarmed on is so seldom and hardly anything rare. Although, hehe, there are some samples in which Gavin found the nasty tail with ease while other scanners didn't see anything.

    KAV could have a nice collection tool if all samples tested online would be added to their collection, but that's up to them. (if known, delete, if tested innocent, add to temporary place and test deeper, if clean then delete, if nasty add to collection -- part might be able to be done automatically). Will they share it around to some central database system?
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe the scanners should have some choices: a scan for all or scan for trojans/worms, exploits, js things, whatever separately. So once a week (?) one takes the whole long scan, and other times in between one uses some of the others during each day if that feels better, certainly if there is some resident protection available too.
    In fact we are doing this with using our resident protection up, the one time using a spyware scanner, the other time an AT scanner, another AV scanner, etc, so what's the difference, if we know some product(s) in our arsenal cover(s) what the other doesn't so we should be covering everything, wouldn't we? So we're using specialist products instead of one collection of less than specialist in every area.
     
  14. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    submit a sample

    http://virusall.com/virussubmit.html

    Here is a good list to use.
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The AV industry runs on submissions, yet we lowly (?) AT authors receive very few submissions and have to find things ourselves. Not a huge problem for me, but there are samples that could be sent in ! So a big please, everyone send those suspicious files to the AT authors as well as AV ! :)
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK Gavin there is a new version of SARS in the post :eek: Only joking ;)
     