Is there a working tool to find out unknown trojans?

Discussion in 'other anti-trojan software' started by mantra, Feb 24, 2012.

Thread Status:
Not open for further replies.
  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Hi,
    is there a working tool to find out unknown trojans?

    I'm talking about trojans (not spread around the internet) but coded by users and installed on some machine to take control or spy on the user.

    I know for sure that there are some trojans, not recognized by anti-malware or firewall, created by users to spy on the computer activity.

    I know because I had a talk yesterday with an operator of the Ministry of the Interior.

    He told me they are not recognized by the best firewall and malware software,

    but there is software that can scan and find them out; he did not tell me anything about this software.

    Well, I'm not paranoid, and I'm not worried about police or secret service, but I'm worried about an unknown user that can steal my credit card or password or other sensitive data.

    I would appreciate any suggestions.

    Cheers
     
    Last edited: Feb 24, 2012
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    No need to be worried. It is unlikely any malware, let alone some secret agency one, will be installed if you follow the usual security precautions often mentioned in these forums.
     
  3. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Thanks Cudni. By the way, there is malware not spread around the net, coded to spy on a specific machine.

    But is there a port scanner or some tool that lets me know if there is some unknown malware (keylogger, remote access and so on), just for some test?

    I have only nod4 and Malwarebytes Anti-Malware.
    Cheers
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
  5. kdcdq

    kdcdq Registered Member

    Joined:
    Apr 19, 2002
    Posts:
    815
    Location:
    A Non-Sh*thole State
    I agree with Wilders' member 'fax' 100% on this one. :thumb:

    BUT, just in case the suspected trojans could possibly be detected, I would scan your machine with Hitman Pro, Malwarebytes Anti-Malware free, and SuperAntiSpyware free. Just my $.02 worth.....;)
     
  6. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Hi,
    if I may, about what?
    Use
    ?


    Or run Comodo Cleaning Essentials & Hitman Pro?
    Can these 2 programs scan only the running processes via cloud?
    Do they use MD5 hashes?

    Hitman Pro doesn't scan all the memory; I load many programs and it scanned few items.

    Thanks,
    cheers
     
    Last edited: Feb 25, 2012
  7. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Thanks Fax.

    About them, are they 2 forums?
    Do you think I need them?
    Or are Comodo and Hitman Pro enough?

    Cheers
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Bleepingcomputer or Spywarehammer.

    What is enough? To keep your system and applications fully updated and run a solid security tool. Keep it simple, master one tool and mind all pop-ups you receive. Set up a policy for your passwords and use a tool to manage them.

    Don't believe all that you hear around you. Relax, sit back and happy surfing.
     
  9. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Thanks Fax.

    May I ask only 1 question?
    About Hitman Pro 3.5 and Comodo Cleaning Essentials:
    is there a true portable version of Hitman Pro?
    Comodo Cleaning Essentials on the homepage is declared to be portable, but I don't think stealth.

    Thanks again Fax; about the 2 programs only because it could be useful to have them on a USB stick.

    Cheers
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    You may want to check in the specific "support hitman pro" thread at Wilders. A quick search in that thread resulted in:

    More questions should be posted there...
     
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Thanks.
    And about Comodo?
    Do you use it? Is it fully portable?
     
    Last edited: Feb 25, 2012
  12. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Sorry to break it to you, but no antivirus scanner is going to help you detect a custom piece of malware that an organization has targeted against you. These scanners are signature-based, and until a piece of malware has spread around a lot, the makers of scanners will not get an opportunity to make a signature.
     
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Thanks,
    I agree.
    But is there a port scanner? Or software that lets me have full control?
    In short, something to detect a possible malware manually.
     
  14. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    Well, I'll try to run down some methods.

    A port scanner would probably not help. Because everyone uses NAT, malware is coded to call out rather than be called into. So there won't be any open ports except during actual communications, which may be for just a few seconds per day.

    If the malware has rootkit functionality like file or registry hiding, it might make it easier to find. There are rootkit scanners that are pretty good, or they can take a file and registry listing with your full system up and another one with your drive on its own and look for differences. Because of this, malware may choose to hide in plain sight.

    A piece of malware hiding in plain sight and not using a trivial method for getting execution (run key or startup folder) is extremely hard to find on a desktop OS. Without some clues about what to look for, it's unlikely you will find it. Especially if it doesn't do anything to let you know something is wrong.
     
  15. Chiron

    Chiron Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    174
    Hello, I wrote an article specifically meant to be able to tell if your computer is infected by malware even if it hasn't yet been analyzed by any vendor.

    Please read How to Know If Your Computer Is Infected and let me know if you have any questions.

    Thanks.
     
  16. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    Wow,
    I'm starting to read.
    It will take a while to understand,
    but it looks very interesting; it would be very useful and helpful to have it in PDF too.

    Thanksssss,
    cheers
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Daily life risk assessment

    Because it is a fact of daily life, it could happen to me, but what are the odds?


    Risk aware - insider

    Because it is well possible, it could happen to me, but what are the odds when I am not in the target group?


    Paranoid - enthusiast

    Because 'they' say it is possible, it could happen to me, how can I protect myself against this risk?


    When in paranoid mode there is plenty to worry about:
    1. Malware found in digitally signed software
    2. SMS Trojans packed with legitimate Android games
    3. Backdoors found in US military chips developed in China (so all owners of iPhones and iPads are screwed because they are built in China also :D ).

    No real protection against man in the browser? Oh boy, are you screwed: all these malware, trojan, backdoor options and you are still banking with confidence? When seriously in doubt, have a look at RegRun Reanimator (my personal preference anti-trojan) and AVZ Antiviral Toolkit (my personal preference anti-rootkit), HitmanPro and Mbam.

    :argh: :argh: :argh:
     
    Last edited: May 30, 2012
  18. tuatara

    tuatara Registered Member

    Joined:
    Apr 7, 2004
    Posts:
    777
    This is no longer the case, but it was true in the early days of antivirus software. Most antivirus programs also use heuristics,
    which are behaviour scans.

    A good example is HitmanPro, which has built its software on this concept, but does a lot more.

    They write:
    "SurfRight has done an extensive research of malware files to determine the common characteristics (behaviour) of malware. The Hitman Pro client uses this research in its Behavioural Scan" see: http://www.surfright.nl/en

    Most AVs use active and passive heuristics. See: http://kb.eset.com/esetkb/index?page=content&id=SOLN127&cat=MAL&actp=LIST

    A quick look at GMER, see: http://www.gmer.net/

    will show you that it scans for:
    hidden processes
    hidden threads
    hidden modules
    hidden services
    hidden files
    hidden disk sectors (MBR)
    hidden Alternate Data Streams
    hidden registry keys
    drivers hooking SSDT
    drivers hooking IDT
    drivers hooking IRP calls
    inline hooks


    With the number of new malware samples a day, it is no longer possible
    to just add these one by one to a virus definition database.
    If they did, it would have outgrown your OS by now :)

    Most AVs are more advanced and complicated than this.
    For example, most of them will trick the malware to start in their AV virtual environment,
    so that the malware 'thinks' it runs in the real OS, just to find out what it tries to do after it starts.
    But of course malware builders know this, and build malware that will not start in a virtual environment etc.

    But badkins79 has a point that there is no AV with 100% detection yet.

    Another thing is, you can perhaps scan for unwanted software, but adding hardware to your PC, like a hardware keylogger,
    or sniffing its connection can also be done..
     
    Last edited: Jun 11, 2012
  19. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Learn how trojans infect, and then it's just a matter of looking for them. A trojan is just a program running like any other - the difficulty in finding them relates to how well they are stealthed.


    Simple method:
    Simplest tool is MSCONFIG, which will find simple trojans that are set to run in the standard registry keys. Similarly, Windows task manager will find simple trojans that are already running, and in Windows 7 you can also view the command line which is useful for things like DLLs.
    Weakness: Many trojans will pretend to be normal system processes, or if there is a rootkit then they won't appear at all. MSCONFIG only shows a small selection of autorun registry points, and doesn't look at the browser.

    Slightly more sophisticated:
    More sophisticated would be using something like SYSINTERNALS AUTORUNS to see all the autorun locations; and something like PROCESS EXPLORER to see what is running. They include methods to check the digital signature of files.
    Weakness: Digital signatures can be false. If there is a rootkit then the malware will be hidden - running AUTORUNS offline may help (e.g. from a bootable CD).


    There are dedicated forums for helping people find unknown malware, and they'll use various tools including DDS & OTL to look at many system settings.

    Most of the really nasty stuff will be a rootkit. There are various methods of concealing the rootkit - replacing system drivers, infecting the boot sector, hidden partitions, even infecting the motherboard (mainly to continually infect the boot sector of the HDD). Some tools (e.g. GMER) will help you find an active rootkit while Windows is running, using various clever methods.

    Other offline methods involve checking and comparing the checksum of system drivers to see if they differ from known values; or checking the MBR to see if it is standard; using standard tools to check for hidden partitions. A bit of basic computer knowledge helps, e.g. knowing that branded computers come with non-standard MBRs, and hidden partitions may be a recovery partition.


    Once you actually find something that you think is a trojan - then there are sites that'll test the program to see what it does, e.g. http://anubis.iseclab.org/. You can also check it at VirusTotal to see if it matches the heuristics of any AV.
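The offline-versus-live comparison badkins79 describes earlier in the thread (a file listing taken with the system running against one taken with the drive mounted on its own) and the known-checksum check for system drivers in the post above are the same operation: two maps of path to hash, diffed. The script below is an added example written for this thread, not a tool from the page or from any vendor named here. `snapshot_tree`, `compare_snapshots` and `demo` are names chosen for the example, the driver paths and contents in the sample are constructed placeholders, and in real use the "offline" side is either a snapshot of the same disk taken from clean boot media or a known-good hash manifest you trust.

```python
"""
Offline-versus-live filesystem comparison (added example for this thread).

Take one snapshot with the disk mounted from clean boot media (the drive
"on its own") and one from inside the running Windows, then diff them:
a path present offline but missing live points at rootkit-style hiding,
and a hash that differs from the offline copy or from a known-good manifest
points at a tampered system driver.
"""
import hashlib
import os
from typing import Dict, Iterable, List

Snapshot = Dict[str, str]   # relative path (lower-case, '/'-separated) -> SHA-256 hex


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_tree(root: str, suffixes: Iterable[str] = (".sys", ".dll", ".exe")) -> Snapshot:
    """Hash every file under `root` whose name ends with one of `suffixes`.
    Keys are relative to `root`, so an offline mount point and the live
    drive letter produce comparable keys."""
    wanted = tuple(s.lower() for s in suffixes)
    result: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(wanted):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            try:
                with open(full, "rb") as fh:
                    result[rel] = sha256_bytes(fh.read())
            except OSError:
                # Locked or unreadable while the OS is running: keep the entry so
                # "present offline, unreadable live" still shows up as a difference.
                result[rel] = "<unreadable>"
    return result


def compare_snapshots(offline: Snapshot, live: Snapshot) -> Dict[str, List[str]]:
    """Diff two snapshots. `offline` may also be a known-good hash manifest."""
    return {
        "hidden_from_live": sorted(p for p in offline if p not in live),
        "only_in_live": sorted(p for p in live if p not in offline),
        "modified": sorted(p for p in offline if p in live and offline[p] != live[p]),
    }


# Constructed sample: three drivers seen offline; the live view lacks one
# (hidden) and reports a different hash for another (modified). The file
# contents are placeholders, not real driver bytes.
OFFLINE_SAMPLE: Snapshot = {
    "windows/system32/drivers/disk.sys": sha256_bytes(b"placeholder disk.sys bytes"),
    "windows/system32/drivers/ndis.sys": sha256_bytes(b"placeholder ndis.sys bytes"),
    "windows/system32/drivers/zzhide.sys": sha256_bytes(b"placeholder unknown driver"),
}
LIVE_SAMPLE: Snapshot = {
    "windows/system32/drivers/disk.sys": sha256_bytes(b"placeholder disk.sys bytes"),
    "windows/system32/drivers/ndis.sys": sha256_bytes(b"placeholder ndis.sys bytes, patched"),
}


def demo() -> Dict[str, List[str]]:
    return compare_snapshots(OFFLINE_SAMPLE, LIVE_SAMPLE)


if __name__ == "__main__":
    # Real use (paths are assumptions): snapshot_tree(r"E:\Windows\System32\drivers")
    # from the boot CD, snapshot_tree(r"C:\Windows\System32\drivers") from the live system.
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

A driver listed under "hidden_from_live" deserves a look with an offline tool, and one under "modified" should be compared against the vendor's published hash before concluding anything, since a legitimate update between the two snapshots produces the same result.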
     
  20. PeZzy

    PeZzy Registered Member

    Joined:
    Apr 2, 2011
    Posts:
    56
    Just want to point out that Malwarebytes does not scan hidden partitions which is a common place for sophisticated Trojans to hide their goods. The "pro" version is useful for website blocking and prevention.

    One on-demand scanner that analyzes hidden partitions is Hitman Pro.

    The best prevention is to keep updating Windows, all Adobe software and Java.
     
  21. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    I would like to emphasize that I intentionally use out of date java and acrobat on my malware hunting machine. It makes it a snap to capture the really nasty stuff.
     
  22. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    I would imagine if such a tool existed then it would be incorporated into the majority of antivirus products out there.
    Regards.
     
  23. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    440
    Location:
    romania
    You should try Trojan Remover. It doesn't detect a lot of trojans; it detects the damage and modifications a trojan did to your files... It's a simple scanner but it's a "must have" tool for me.
    http://www.simplysup.com/
     
  24. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    We have several algorithms in TrojanHunter to detect unknown new and altered trojans. For example, we have code that alerts on certain known malware packers. We also check the compiled code for markers typical of malware. These detections will be prefixed with "Generic" and alert you to a possible new or unknown piece of malware.
     
  25. phalanaxus

    phalanaxus Registered Member

    Joined:
    Jan 19, 2011
    Posts:
    509
    Searching for code markers of typical malware (heuristic analysis) and searching for malware packers (results in a good number of false positives generally) have been available in most of the security products for a long time. What's Trojan Hunter's take on these points that makes it special?

    Low level scanners like DDS, OTM, etc. do better in case of detection of unknown or new threats compared to conventional solutions imo.
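Magnus Mischel's description of generic detection (alerting on known packers and on code markers) and phalanaxus's point that packer checks produce false positives can both be seen in a small section-level heuristic. The script below is an added example, not TrojanHunter code and not a description of its algorithms; it parses the PE section table with the standard library, computes Shannon entropy per section, and reports the usual packer signs (near-random section bytes, writable-and-executable sections, executable sections that are empty on disk). `parse_pe_sections`, `packer_indicators`, `build_sample_pe` and the `.pack0`/`.pack1` section names are chosen for the example, and the two sample images are constructed in memory so it runs offline.

```python
"""
Section-level packer heuristic for PE files (added example for this thread).

Packed or encrypted code tends to show up as (a) sections whose bytes are
near-random (Shannon entropy close to 8 bits/byte), (b) sections that are
both writable and executable (the unpacker writes code, then jumps to it),
and (c) executable sections with no data on disk (filled in at run time).
Each is a hint that produces false positives on its own.
"""
import math
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or single-valued input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_pe_sections(image: bytes) -> List[Dict]:
    """Parse just enough of a PE image to get each section's name, raw size,
    characteristics and entropy. Standard library only, no pefile."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine(2) NumberOfSections(2) ...12 bytes... SizeOfOptionalHeader(2)
    num_sections, opt_size = struct.unpack_from("<H12xH", image, coff + 2)
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + i * 40)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def packer_indicators(sections: List[Dict], entropy_threshold: float = 7.0) -> List[str]:
    """Return one reason per packer sign seen. Hints only: compressed resources
    or encrypted data inside a legitimate file trigger the same checks."""
    reasons = []
    for s in sections:
        exe = bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
        wr = bool(s["characteristics"] & IMAGE_SCN_MEM_WRITE)
        if s["raw_size"] > 0 and s["entropy"] >= entropy_threshold:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed/encrypted)")
        if exe and wr:
            reasons.append(f"{s['name']}: writable and executable")
        if exe and s["raw_size"] == 0:
            reasons.append(f"{s['name']}: executable but empty on disk")
    return reasons


def build_sample_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Constructed for this example: assemble a minimal, non-runnable PE image
    from (name, raw bytes, characteristics) tuples, with no optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_ptr = 0x40 + 4 + 20 + 40 * len(sections)           # raw data follows the table
    headers, blobs = bytearray(), bytearray()
    for name, data, chars in sections:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                               len(data), data_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(headers) + bytes(blobs)


def _pseudo_random(n: int, seed: int = 1234) -> bytes:
    """Deterministic stand-in for compressed/encrypted bytes (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples: one image with packer signs, one ordinary-looking image.
SAMPLE_PACKED = build_sample_pe([
    (b".pack0", b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
    (b".pack1", _pseudo_random(4096), IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_READ),
])
SAMPLE_PLAIN = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10" * 300, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", b"Hello, world\0" * 50, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("packed", SAMPLE_PACKED), ("plain", SAMPLE_PLAIN)):
        print(label, packer_indicators(parse_pe_sections(image)) or ["no packer signs"])
```

The 7.0 bits/byte threshold is an assumption chosen for the example; a signed installer carrying compressed resources or a program with an encrypted data section scores above it just as a packed trojan does, which is exactly the false-positive rate phalanaxus refers to and why a product reports such hits as "Generic" hints rather than verdicts.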
     