OK, I'm a Believer

Discussion in 'Trojan Defence Suite' started by Finn McCool, Mar 4, 2003.

Thread Status:
Not open for further replies.
  1. Finn McCool (Registered Member; joined Mar 3, 2003; 49 posts; New Orleans)
    I just downloaded TDS for evaluation and ran it. It found DDos.RAT in explorer.exe in my Windows folder. I was stunned. It must have been there for a long time, from back when I connected directly to my cable modem. I've used other programs to scan for trojans and none found this. I had noticed explorer.exe in my startup and thought that was odd, but MS often does things oddly.

    I checked my firewall and confirmed that I had blocked explorer.exe from calling out when it tried. At the time, I thought it was one of those many calls home that MS programs make, or try to make.

    So as soon as I get my tax return, I'm registering TDS. :D
     
  2. the Tester (Registered Member; joined Jul 28, 2002; 2,854 posts; The Gateway to the Blue Hills, WI)
    Good for you!

    I hope that you enjoy TDS-3 as much as I do. ;)

    Just wait until you run it some more.
    This program is really impressive with all the tools and utilities that DiamondCS has packed into it!

    You will find that support from DiamondCS and the TDS-3 operators is top notch also.
     
  3. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)
    Hi Finn,

    Can you zip and send me your explorer.exe? gavin@diamondcs.com.au

    What OS do you have?

    I advise that you download the latest databases for now, we have discovered a small bug with the trace scanner, which is very strange indeed. I have removed this detection, but don't worry, TDS detects the trojan in question in a number of other ways :)
     
  4. Blackman (Registered Member; joined Feb 28, 2003; 14 posts)
    Good for you dude! Congrats on getting rid of that... umm... Rat
     
  5. Finn McCool (Registered Member; joined Mar 3, 2003; 49 posts; New Orleans)
    Sorry, Gavin. I had TDS close the process and delete the file and I can't recover it.

    Windows XP Pro

    When I ran it immediately after installing, it found only the registry entry, listing it as DDos.RAT.Litmus. I downloaded the Radius database and overwrote the previous one, then ran TDS again. This time it alerted on both the registry entry and the file. :eek:
     
  6. linney (Registered Member; joined Feb 17, 2002; 174 posts)
    Gavin,

    Is this tied in with the bug you mention?

    Scan Control Dumped @ 21:28:07 05-03-03
    File Trace: Default trojan filename: DDoS.RAT.XTBot
    File: D:\WINDOWS\explorer.exe

    I immediately rechecked by scanning just the Explorer.exe and also just the Windows directory, but could not get an alarm.

    Later I did a full scan and the alarm came back. Again I couldn't repeat it by selective scanning.

    Today I have the new Radius update and have not detected any alarms so far.
     
  7. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)
    Hi linney,

    The trace for this trojan was removed quickly and the update has been available for ~ 24 hours. TDS detects the trojan in question in a number of other ways, so not a huge loss of a detection method.

    What was happening was I added a trace for "EXPLORER.EXE " which has a space character on the end (ok, not a space but a fake space), and when testing the trace scanner on my test machines, nothing was detected.

    So all should have been OK? Obviously not. I am still trying to find the exact reason for the problem; we need to debug the trace engine, and since we are rebuilding this for TDS-4 anyway, that is a good thing :)
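As an added illustration of the kind of failure described above (example code, not TDS or DiamondCS code): a toy filename trace matcher in which a signature entered as "EXPLORER.EXE" plus a trailing no-break space matches the real explorer.exe whenever the comparison strips whitespace before comparing. The trace list, directory listing and the "fake space" being a no-break space are all constructed assumptions; the thread does not state the actual cause of the false alarm.

```python
import unicodedata

# A "fake space": renders like a space but is a different code point (assumption).
NBSP = "\u00a0"

# Constructed trace list: the intended trojan filename carries the trailing fake space.
TRACES = {"DDoS.RAT.XTBot": "EXPLORER.EXE" + NBSP}

# Constructed directory listing: the legitimate shell and a look-alike with the fake space.
LISTING = ["explorer.exe", "notepad.exe", "EXPLORER.EXE" + NBSP]


def matches_loose(filename: str, trace: str) -> bool:
    """Lenient compare: case-fold and strip whitespace on both sides.
    str.strip() removes NO-BREAK SPACE too, so the trailing marker that
    distinguishes the trojan name from the real explorer.exe is discarded."""
    return filename.strip().casefold() == trace.strip().casefold()


def matches_strict(filename: str, trace: str) -> bool:
    """Exact compare apart from letter case: every code point, whitespace
    included, must be present in both names."""
    return filename.casefold() == trace.casefold()


def scan(filenames, comparator):
    """Return {filename: trace name} for every listing entry the comparator flags."""
    hits = {}
    for name in filenames:
        for trojan, trace in TRACES.items():
            if comparator(name, trace):
                hits[name] = trojan
    return hits


def audit_trace(trace: str):
    """Signature QA check: report invisible characters (whitespace or Unicode
    format characters) with their position, since a lenient comparator will
    silently drop exactly those and widen the match to a legitimate file."""
    return [(i, unicodedata.name(c)) for i, c in enumerate(trace)
            if c.isspace() or unicodedata.category(c) == "Cf"]


if __name__ == "__main__":
    print("loose :", scan(LISTING, matches_loose))   # flags the real explorer.exe too
    print("strict:", scan(LISTING, matches_strict))  # flags only the look-alike
    print("audit :", audit_trace(TRACES["DDoS.RAT.XTBot"]))
```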
     
  8. nameless (Registered Member; joined Feb 23, 2003; 1,181 posts)
    Explorer.exe can make legitimate outbound connections to the Internet. It's fortunate that you happened to block it.
     