New Trojan Test

Discussion in 'other anti-trojan software' started by StevieO, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Blocked from downloading by Anti-Executable.

    Then I gave it permission to download and run - the file executed successfully according to the text file created, and Kerio Firewall blocked the outbound connection to send to the web site.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Downloaded the antivirus disable test and the file was blocked from extracting.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

  3. one1111

    one1111 Guest

    I Failed

    I'm using Trojan Hunter and Ewido and neither detected it )-:
     
  4. one1111

    one1111 Guest

    Just out of curiosity I checked the anti-virus attack and failed that as well.

    I'm ready to give up )-:
     
  5. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Don't give up :) Maybe Ewido and Trojan Hunter know this is just a simulated attack and do not include it in the defs. Although if it was a real active trojan then you could be in trouble. You should try Anti Malware or Viguard or any of the above programs that passed this test if you feel your security is lacking. Did your firewall detect it though?

    Thanks,

    Chris
     
  6. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    FYI, I submitted all files to Ewido and all AV companies that I know of, informing them that these files are test files just like eicar and trojan simulator.

    I'm guessing all of them would like to pass this test, so expect these files to be detected by most of them in the near future...
     
  7. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Good work Brian. Yes I am sure they all do want to pass. Wonder who will pass first...


    Edited: Did I just sound like a schoolteacher? Sorry if I did.


    Thanks,

    Chris
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Don't know, I haven't been in school for ages :D
     
  9. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    TrojanHunter will not be detecting this as it is not a real trojan. The only entry in TrojanHunter's database used for testing purposes is for Trojan Simulator (http://www.misec.net/trojansimulator/), which is what you should use if you want to verify that TrojanHunter is operating properly.
     
  10. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Thanks for your time to communicate this Magnus.

    Thanks,

    Chris
     
  11. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    NOD32 stops that one Flat!!

    Cheers,
     
  12. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,275
    Location:
    Ontario, Canada
    I tried Anti-Executable as Rmus uses and I find it too invasive for what I need!!


    Cheers,
     
  13. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    You could try Viguard if you want (it blocks the trojan test as well as Trojan Hunter's Trojan Simulator). You can use default rules and still be pretty secure. You can not use antivirus software with it though. Process Guard blocks it but does not block Trojan Simulator from what I remember. Not sure what else would detect them.

    Thanks,

    Chris
     
  14. Pollmaster

    Pollmaster Guest

    Seems to me that this test is not meant for antiviruses, as it's basically harmless, so whether it is added to a signature database or not is not critical.

    Neither is it a test for firewalls; the notice mentions that it doesn't attempt any firewall evasion.

    I also don't think execution monitoring is being tested, at least the results I see indicate PG fails.

    The only way to beat this test appears to be monitoring of the specific area being changed (Prevx does this), or restriction of privileges of the test.exe.
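The "monitor the specific area being changed" approach described in the post above, as an added example: this is not code from the original thread, from the trojan demo, or from Prevx or Viguard. It takes a baseline of the executables in a directory (size plus SHA-256), lets a simulated "test" patch one file, drop another and write a SPY.txt, and then reports what changed. The directory, file names and byte contents are all constructed for the demonstration; the set of suffixes treated as "executable" is an assumption. Note that this is after-the-fact integrity checking, not the real-time interception a product like Viguard does, so it tells you the modification happened rather than preventing it.

```python
"""Baseline-and-compare integrity check for a directory of executables.

Added example (not the trojan demo, Prevx or Viguard code). It shows the
idea of watching the area the test changes instead of recognising the
test file by signature.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumption: these suffixes are what we treat as "executables" worth watching.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Map relative path -> (size, sha256) for every executable under root."""
    baseline = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[str(p.relative_to(root))] = (p.stat().st_size, sha256_of(p))
    return baseline


def compare(before: dict, after: dict) -> dict:
    """Return which executables were modified, added or removed.

    A file is 'modified' when size or hash differs, so a same-length patch
    (size unchanged) is still caught by the hash.
    """
    return {
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
    }


def demo() -> dict:
    """Constructed scenario: a folder of fake executables, then a simulated
    'trojan test' that patches one (same length), drops a new one and writes
    a SPY.txt. The .txt files are deliberately outside what is watched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "taskmgr.exe").write_bytes(b"MZ fake task manager")   # constructed
        (root / "telnet.exe").write_bytes(b"MZ fake telnet client")   # constructed
        (root / "readme.txt").write_bytes(b"not an executable")
        before = take_baseline(root)

        # Simulated test run: same-length patch, dropped file, data file.
        (root / "taskmgr.exe").write_bytes(b"MZ fake task MANAGER")
        (root / "dropped.exe").write_bytes(b"MZ dropped payload")
        (root / "SPY.txt").write_bytes(b"collected data")
        after = take_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

Against a real system you would take the baseline over the directories the test touches (for instance the folder it is run from and the system directory), store it somewhere the test cannot write, and re-run the comparison after the test finishes; whether SPY.txt is empty is a separate check of what was collected, not of what was modified.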
     
  15. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    The alert that I get from Viguard is that the program is trying to modify the executables.

    Thanks,

    Chris
     
  16. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Eicar and Trojan Simulator are harmless too; nonetheless they still are detected as 'test malware'.
     
  17. StevieO

    StevieO Guest

    one1111,

    Can I suggest that you do as I have done and disable the following.

    TELNET.EXE

    FTP.EXE

    You can very easily do this by doing a Windows Search on your C Drive for them. Once you have found them, right click on both of them and choose Rename. Very CAREFULLY left click after EXE and add OLD ( TELNET.EXEOLD ). This is in case you ever need either of them again, so you can Rename them back exactly as they were. 99% of people don't have any use for these, or lots of other stuff too !

    You can also do the same with TASKMGR.EXE if you don't use it.

    This might help enable you to pass the test.

    . . .

    Some interesting results being thrown up with this test by everyone.


    StevieO
     
  18. one1111

    one1111 Guest

    Thanks to all those who responded with solid advice and especially to Magnus
    for clarifying the issue in regards to Trojan Hunter.

    To Chris, yes my Firewall did detect it.
     
  19. poll2

    poll2 Guest

    Eicar is an industry-wide standard. Trojan Simulator is Magnus's baby and supposed to be the counterpart to Eicar; I'm not surprised TH detects it.

    But I think all this is missing the point. Adding stock detection of such "malware" adds zero to your protection. Not unless the detection is more 'generic'.
     
  20. poll2

    poll2 Guest

    Yes. Yes, that's a fair pass then. But as you said, it's no surprise.
     
  21. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    I agree - But a 'new/unknown' test should count as much as an 'industry standard' test - Even I could make an AV and detect eicar, but that's not the point.

    If any test (standard or not) fails to be detected or stopped by a user's program(s), it brings up some concern for the 'less experienced'. And also, these test files mimic the routine of a trojan/worm/virus .. whatever, so one would expect your defense programs to catch it (unless it's 100% signature based).

    So to make this story short: Companies gain reputation and trust if they detect these non-standard test files, no matter how 'friendly' they are.
     
  22. poll2

    poll2 Guest

    Not sure what you are arguing here. Any test that some guy comes up with does not automatically become a standard.

    Are we talking about the issue of real protection or public relations among noobs? I personally care about real protection, rather than image.


    Yes, and unless someone corrects me, the detection put in by AVs, if they bother, is 100% signature based, so no real protection is accrued.

    I only expect the AV to catch malicious software. I'd rather they spend their time on that, rather than wasting time adding signatures for harmless tests, just so some noob can feel safe or boast that his AV passes a certain test, which seems to be your argument.

    The time spent doing this could be spent more productively.
     
  23. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    The first goal of this trojan demonstrator tool is to show that data can be stolen.
    So blocking the executable or internet access is not the most interesting part.
    It would be more interesting if the SPY.txt were empty, for instance.
    I don't think that an arsenal is required against this test: Windows file permissions or free tools like Trust-no-Exe can easily prevent such attack tools (see image).

    I totally agree with Poll2 about AVs.
    TrojanDemo has been available for months and months, has been discussed earlier in this forum ( https://www.wilderssecurity.com/showthread.php?t=77696 ), and it's only this autumn that scanner vendors and partisans are interested in it...
    Does it mean that scanners often come too late?
    If this test tool is in scanner signature databases, it's good news.
    Unfortunately, there are some trojans which use more advanced methods (API hooking in the browser, Man-in-the-Middle etc.), and these trojans are not detected by any scanner (AT or AV).
    That's bad news.

    Such trojans are really dangerous (they can steal any data, like bank account IDs for instance) and are not proof-of-concept/demonstration tools, as a scandal in Israel showed: http://www.pcworld.com/news/article/0,aid,121081,00.asp

    (...)

    For anyone who might be interested, I attached the process requests made at the beginning of the trojan demo test.

    Regards
     

  24. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Trust-no-Exe automatically blocks unknown executables:
     

  25. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    'Noobs' as you call them, buy security software too :) And I wouldn't be surprised if they were responsible for 95% of the profit for each company.

    If every Internet user was an expert in security, some companies would never be as big as they are today.

    So, if these non-standard tests are detected, it will strengthen the trust in the company, meaning: 'standard' people talk about it = 'standard' people buy it.

    This does not include 'security oriented persons' because they simply know better, and have probably already tested numerous security software..


    I could be wrong though, I'm just telling my view on this ;)
     