TDS-3 vs. Polymorphic Trojans, case example

Donald Dick is a Russian-made remote access trojan, but it's perhaps the world's most polymorphic trojan at present. TDS-3 is the only anti-trojan scanner capable of detecting this trojan, and this is explained (with disassembly and other screenshots) at http://tds.diamondcs.com.au/index.php?page=polymorphictrojans
Best enjoyed with a coffee.

 

No Russian vodka?


Thanks Wayne, quite impressive and amazing: further your screenshots are very instructive, no need to wait shivering if we ever receive that one somehow to see it's actions on our systems!
Thanks for creating the instructive page for us, it serves curiosity too!

Must be early morning in Perth now, sleep well!

 

hey that is kinda cool so that what it look like

 

ll lmao you know what be cool if TDS 4 when it finds a nasty a pic would also show up with the nasty's profile lol

for example lol tds detects donald duck a pic of donald duck apears with the trojans bio and info lol

mug shot wanted lol lol lol

cage or put in to fireing range option lol

 

Donald Dick isn't even Polymorph.
It's the loader thats all.
Read the first 4096 bytes of this file, jump to the end and make a search for

B8 | 00 | 00 | 00 | 80 | 0F | BF | EA

backwards and combine this with a positive pattern (AND Pattern) of some bytes before ( C1 and 08 for instance )

 

I'm confused. Trojan Hunter lists Donald Dick 150, 153, 154, and 155 in its trojan definitions. Are these different from what you're talking about?

Douglas

 

lol are you sure lol quake quake

 

Ah yes and dont forget to add FF | FF | ?? | ?? | ?? | 0F as the last postive signature to avoid false posives

 

Zor Douglas, What I think Wayne was saying is that using set "definaitions" for polymorphics is not the way because they always change

Edit: Sorry Zor I refered to you & not douglas in this reply - Now corrected

 

THAT ALSO TRUE CAUSE YOU CAN MODIFIE THEM WITH HEX EDITOR OR SOMETHING RIGHT?

 

Very nicely done, a very good presentation, I am still holding out for TDS-4.

Best Regards
Vampirefo

 

Douglas, sorry but I'm not sure why Trojan Hunter would say it can detect these trojans because I can tell you now it can't. The servers change with every generation, and the techniques that TH uses cannot be used to detect this trojan so I'm assuming that one server was generated but not analysed to see that it's not static, and it was added using the same automated process as all other TH signatures, but Donald Dick _cannot_ be detected using standard methods like that so if that's the case it would be a useless signature that does nothing more than fool users into thinking they're protected (which is probably worse than no detection at all).

I'd encourage you to test for yourself - do a Google search to find the Donald Dick trojan, and then just run the 'ddsetup.exe' file that comes with it (as seen in the screenshot on our polymorphic page). Everytime you run this file, it creates a new, unique ddick.exe file. We've tested with all common anti-trojan scanners (using latest databases) and we'd encourage you to do the same, but TDS was the only one detecting any of the servers, all other anti-trojan scanners missed 100% of the servers.

But don't just take my word for it - test for yourself.

---

Zor, you're actually technically spot on - the word polymorphic is heavily abused these days, and although it often applies well to viruses, it really shouldn't apply to trojans as it's their server generator that is the base for the pseudo-random generation - not the actual trojan server itself, but today the term 'polymorphic trojan' is just generally and loosely used by many to define trojans that are different from one generation to the next. We'll add some extra text to the page to explain this more clearly.

 

BTW I think you meant C1 and 80 Xor

 

yes it was a typo - to many fingers on keyboard error, you know ?

 

"to many fingers on keyboard error, you know"
Translation for non-programmers ... "too much coffee, you know"

 

You miss the beer the DAMN BEER
But i am using the 4th coffecup in this night

 

Maybe mine isn't quite a messy as I thought!! I'll show that to my wife to fend off her duster

 

Wondered if others are referring to other versions of donald dick trojans, as there are several, think i saw an older report of 1999 but i don't recall the version number there. Could this explain the different views on detection and disarming?

 

There are several versions, but only 1.53.b and onwards use the SmartMorph polymorphic loader. The only versions other anti-trojan scanners can accurately detect are v1.52, the first variant of 1.53, and earlier. 1.53.b, 1.54, 1.55 etc can not be and are not detected by other anti-trojan scanners, so if you see them in their "detected trojans" list, they're just giving you a false sense of security - they cannot detect such trojans.

 

Wasnt TDS the one that detected my Zmist favriote nast in the world that kick but i love that awsome nasty

i wish i had money and found the real maker of it not the guy at nav that wrote about it but the actual guy

if i did the Mr.Blaze6666 would become a reality he he he
cleaning up the internet and makeing you all spell as bad as me with lol at every other word lol

 

Yeah, the older lists like on mcafee i don't recall to have seen any version number at all, only the message there are several versions and names.



Hey Blazey! Your sig is in the wrong forum: it's TDS here!
Have you seen the DCS shoppe? Go and get there, be the first hurryyyyyyyyyyyy!
http://www.cafeshops.com/diamondcs/
Get your TDS and DCS collectibles NOW!

 

ZMist is a virus family, using the "Mistfall" engine by Z0mbie.. not applicable for detection by any of our products.

I think I commented somewhere on the forum about this before. Very powerful virus engine.. but one striking weakness - pack any EXE and it is immunised against this virus The virus disassembles an EXE file, and inserts itself into the executable. The virus code actually becomes part of the file when reassembled.. a real headache for AV guys

 

McAfee can detect them, I made 32 servers McAfee had no problem detecting them, I used versions, 1.52, 1.53,1.54, 1.55, McAfee detects them all regardless of version.

 

Wondering if Wayne means something else we miss here?