-- Teaser: Why size doesn't matter! --

Discussion in 'other anti-trojan software' started by ---, Feb 1, 2005.

Thread Status:
Not open for further replies.
  1. ---

    --- Guest

    @Paul

    "Suggesting Andreas Clementi and his tests are financially influenced is a serious issue. I sincerely do hope you can back this up. If not: it's in effect slander."

    Not at all. You just incorrectly interpreted my statement. I did not say that they get bribed or something. However, they want to directly or indirectly earn money with their tests and/or their (future) IT-related work. This is not bad per se. However, it should be noted that we are completely independent. We do not look for a job in the IT sector. We do not want to get paid for our tests etc. We do not have any financial interests. That may or may not compensate for our anonymity.

    "Let's get this straight: you are putting the blame on me because of the fact I commented unasked in a thread on our own board? This is getting ridiculous..."

    Again: you are so self-centered! Just because someone asks a question in YOUR forum you are not asked to reply unless you have something meaningful to say. It's simply not necessary that you comment each and everything. Of course, you can still do it because this is YOUR forum. However, such comments are redundant.


    "Rubbish. In your first post you posted - removed shortly after - a screen shot especially targeted at TH/TrojanHunter. No further comment needed."

    Wrong. Again, you try to conceal the truth. We also posted a screenshot targeted at Ewido. Did they also ask you to remove it?
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    You aren't addressing the real issue at hand here - have another look at Magnus Mischel's very outspoken last post. Plain for all to see.

    As for your statement in regard to Andreas Clementi: I merely did read what you have stated, no more and no less. Even the slightly mellowed comment I've quoted comes at least close to slander - unless you back it up.

    None of us do know who you are and therefore what your motives are, whether you do get paid or not etc.

    On the contrary: it's actually backfiring at you as may be plain to see in the meanwhile.

    'Self-centered'? 'I'm not asked to reply'? Heck, everyone is entitled to join in - guess that counts me in as well. As for meaningful: at least Magnus and my person have been addressing this in a factual and plain way...

    You are right - for that reason I don't post that much. I do jump on the bandwagon if necessary though. And this is one of those rare occasions.

    Wrong? You did pick TrojanHunter as a target. The fact you posted a screen shot from Ewido doesn't make any difference.

    I have been informed they missed the screen shot - it had been removed already. So there was no need to ask for removal.

    Overall, the pattern as for this thread is plain for all to see - weeding out all in-betweens. I'm sure readers have gained enough information to draw their conclusions as Magnus Mischel has.

    regards,

    paul
     
  3. ---

    --- Guest

    @Paul

    I consider most of your comments irrelevant. Everyone can make up his own mind (at least if s/he reads the uncensored thread at our forum).

    However, one comment is important to me:

    "As for your statement in regard to Andreas Clementi: I merely did read what you have stated, no more and no less. Even the slightly mellowed comment I've quoted comes at least close to slander - unless you back it up."

    I did not say anything bad about Andreas Clementi. I merely made a distinction between professional testers and us. AFAIK, Andreas Clementi has previously performed internal tests for AV/AT developers. Now he wants to establish an independent review business like A. Marx. Nothing bad about this. But both testers want to earn money by working in the IT sector. That's why they can't afford to be as radical as us. If all AV/AT developers jointly bashed Andreas M. or Andreas C. they would be out of business. By contrast, we are greyhats/underdogs who have nothing to lose.
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    That's your prerogative no doubt - as it is Magnus Mischel's, Eugene Kaspersky's, Wayne Langlois', Kevin McAleavey's etc. etc.
    What happens over on your own niche is none of our concern.

    As far as I'm concerned, all has been said. As you stated correctly, it's up to the readers over here to make up their mind - and no doubt in my mind they will or already have done so.

    regards,

    paul
     
  5. ---

    --- Guest

    In principle, I am also finished.

    However, I can't refrain from posting one more comment:

    "That's your prerogative no doubt - as it is Magnus Mischel's, Eugene Kaspersky's, Wayne Langlois', Kevin McAleavey's etc. etc.
    What happens over on your own niche is none of our concern."

    You constantly indicate that you have received private emails from the above-mentioned persons and that such persons condemn our activities.

    Actually, I consider it likely that this is indeed the case. However, since several AV/AT developers (including some of the above-mentioned persons) have also confirmed in writing to me that it is generally good what we do I do not consider this a serious issue. Most if not all AV/AT developers will do everything to conceal the flaws of their software. This is because it's generally easier to deny/conceal a flaw than to fix it. After all, AV/AT developers are predominantly interested in their own profits. Security is only a secondary objective.
     
  6. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    440
    Location:
    U.K.
    I have to say it has been very entertaining reading this thread here. It's always good to be a spectator at a bun fight, especially when the protagonists take such a dislike to each other and are quite unable to behave with decorum.

    Now...

    1. Disregard all the talk of what's legal and what's not. It's simply irrelevant. Of those who make claims one way or another, none of you have the slightest idea. You are not lawyers, and definitely not lawyers with specific knowledge of the subject matter. You do, however, profess to know more than they do. The only time legal matters are of any importance whatsoever is if one or more parties involved actually take legal action. And this forum is quite irrelevant in that respect.

    2. Disregard the personal animosity that has grown between the Scheinsicherheit representative and Paul Wilders. Paul in particular seems blissfully unaware of the inherent contradiction in much of what he has written (especially when he claims not to seek to insult, while at the same time plainly attempting to do just that with his written words).

    3. Disregard the Scheinsicherheit representative's insistence on anonymity as being any kind of factor in his/her (well, it seems clear that he is a he, rather than a her, but I will remain PC in this respect) credibility. If he/she goes ahead with the planned tests and publishes the results then each individual can then come to his/her own conclusion as to their validity and act accordingly.

    4. Disregard Paul's attempts to discredit the poster (as he clearly does attempt to do): this only serves to diminish his own credibility. Let's be clear here: it is Paul who expressly permits anonymous postings to these forums, so for him to then berate a poster for protecting him/herself behind this expressly permitted opportunity is hardly an action rooted in reason.

    As an aside: I am surprised by Magnus' involvement in this thread. I have great respect for Magnus and his product, but I am disappointed that he felt the need to involve himself to the extent that he did. No vendor can win a public argument such as this.

    ...What you are then left with is an offer from Scheinsicherheit which has been warmly received by a number of other posters. If you don't see this, then go ahead - make a copy of this thread's contents and remove all the dross. You will see that this is indeed the case. So go ahead, Scheinsicherheit ... perform your tests and then post the results for all to see.
     
  7. ---

    --- Guest

    @spm

    "You are not lawyers,"

    Not entirely correct.

    "and definitely not lawyers with specific knowledge of the subject matter."

    Probably correct.

    "well, it seems clear that he is a he, rather than a her, but I will remain PC in this respect"

    Not entirely correct. There is not a single "Nautilus". "Nautilus" is the name of a project including male members and at least one female member. "---", however, is indeed male.

    " I have great respect for Magnus and his product, but I am disappointed that he felt the need to involve himself to the extent that he did. No vendor can win a public argument such as this."

    I already sent a private email to Magnus and told him that people will be disappointed and that he can't win this public argument. However, people should also bear in mind that it is VERY HARD for an AV/AT developer to properly react in a situation like this. You need to take into account that a scanner is the "baby" of the coder. The coder is spending MUCH time and will do everything to make the scanner as good as possible. It's very hard for a coder to accept that random strangers like us suddenly start to criticise their baby. That's why we should not condemn them if they get upset. They are just human beings.

    " So go ahead, Scheinsicherheit ... perform your tests and then post the results for all to see."

    Damn. It seems that we now really need to do some work ;-)
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I'll stand corrected by those other than your person....but I believe the name Nautilus that others have been using throughout this thread is in reference to the Wilders Nautilus junior member ....not the nautilus project you are alluding to ?
     
  9. hbkh

    hbkh Registered Member

    Joined:
    Jan 15, 2004
    Posts:
    129
    Location:
    Ohio, USA
    I think this is the first nice thing said in this thread, thus far. btw is anyone else getting a headache reading all this? :D :D :D
     
  10. ---

    --- Guest

    1.
    I understand that Bubba does not want me to answer his question.

    2.
    There is a rather unfortunate development to report:

    Magnus now presents his customers with two bad alternatives ( http://forum.misec.net/board/TrojanHunter;action=display;num=1107385909;start= ). Alternative A is to entirely remove the custom ruleset feature. Alternative B is not to do anything.

    He quickly deleted alternative C (which was suggested by me). Fortunately, user Matt_Day had an idea similar to alternative C: "Would it be possible to say, not edit rules created by Misec (and therefore pleasing these people that the rules "cannot be viewed"), but still allowing users to create and edit their own?" I hope, Magnus will not also delete the post of Matt_Day.

    So what is alternative C and what is it all about:

    TH features two kinds of rules. The old, weak file rules. Such file rules are visible to everyone and such file rules can be viewed, edited and added by the customer. By contrast, the new, code-based file rules are supposed to be stronger. Such new rules cannot be viewed, edited or added by the customer UNLESS the admin mode of Trojan Hunter is enabled.

    In other words, there is generally no reason to remove the interface for the old file rules. Nobody has asked for such action. It is entirely sufficient that malicious people do not get access to the new file rules because this would facilitate the creation of modified malware that can't be detected by TH.

    The problem is that the interface for the new file rules is CONTAINED in the public version of TH for no good reason. Note: the ordinary customer cannot use it because the interface is hidden. However, a hacker can enable the interface for the new file rules and then dump the entire signature database in order to create modified malware. Contrary to what Magnus says it is much easier to activate the hidden interface for the new file rules than to crack a properly encrypted signature database which cannot be accessed by means of a hidden interface.

    Our suggestion would be (i) NOT to remove the interface for the old file rules, (ii) to ENABLE and MAKE VISIBLE the interface for the new, safer file rules and (iii) to modify the interface for the new, safer file rules in such a way that only the creation of new file rules is possible (i.e., it should not be possible to view/dump the standard/default file rules created by Misec). If this suggestion is technically too difficult to implement the interface for the NEW (not the old) file rules should be entirely removed from the TH public builds. Such removal of the interface for the NEW file rules would mean absolutely no change to TH's customers because the interface is presently hidden.

    In principle, it makes no sense to me that Magnus asks whether the interface for the old file rules should be deleted. Nobody is talking about the old file rules. (I could only imagine that the interface for the old file rules is somehow connected to the hidden interface for the new file rules and, therefore, Magnus faces technical difficulties to merely remove the hidden interface for the new file rules from public builds. However, such technical difficulties would need to be solved.)
     
  11. ---

    --- Guest

    ADDENDUM:

    There is one possibility why alternative C may not be a good alternative. It is possible that the way of signature creation under the new file rule system is flawed. (We have not analyzed this yet.) In such case, it would not be a good idea to enable the hidden interface for the new file rules because it would allow hackers to exploit the flaws pertaining to the signature creation method.

    In such case, it would be better to entirely remove the hidden interface for the new file rules from the public builds (as a preliminary measure) and, subsequently, create a better, safer way of signature creation.
     
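    As an added illustration of the "alternative C" design discussed in the two posts above (this is not TrojanHunter's or Misec's code; the class, method and flag names are assumptions made for the demo), the following Python sketch keeps vendor-shipped rules sealed, lets the customer create, list and remove their own rules, and refuses any vendor-rule export unless the store was built for an internal (non-public) build. The same build flag covers the addendum's fallback of leaving the privileged interface out of public builds entirely: in a public build the export path simply does not work, so there is nothing hidden to switch on.

```python
# Added illustration of the "alternative C" rule-store design discussed above.
# Not TrojanHunter's code; every name here is an assumption for the demo.
import hashlib
from dataclasses import dataclass

PUBLIC_BUILD = True  # assumption: build-time flag, True in customer builds


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: bytes   # byte sequence that must occur in a file for the rule to fire
    origin: str      # "vendor" (shipped, sealed) or "user" (customer-created)


class AdminInterfaceDisabled(PermissionError):
    """Raised when a vendor-only operation is called in a public build."""


class RuleStore:
    """Keeps vendor rules sealed while letting customers create their own rules.

    Customers can add, list and remove *their* rules and can scan data with
    the combined set, but no method in a public build returns a vendor pattern.
    """

    def __init__(self, vendor_rules, public_build=PUBLIC_BUILD):
        self._vendor = tuple(Rule(n, p, "vendor") for n, p in vendor_rules)
        self._user = []
        self._public_build = public_build

    # ---- customer-facing operations (always available) -------------------
    def add_user_rule(self, name, pattern):
        pattern = bytes(pattern)
        if len(pattern) < 4:
            raise ValueError("pattern too short; it would match almost anything")
        if any(r.name == name for r in self._user):
            raise ValueError("duplicate user rule name")
        rule = Rule(name, pattern, "user")
        self._user.append(rule)
        return rule

    def remove_user_rule(self, name):
        before = len(self._user)
        self._user = [r for r in self._user if r.name != name]
        return len(self._user) != before

    def list_user_rules(self):
        # Only customer-created rules are ever listed.
        return list(self._user)

    def vendor_rule_count(self):
        return len(self._vendor)

    def vendor_fingerprint(self):
        """Hash over the sealed rules: lets a customer verify which signature
        set is loaded without any pattern leaving the store."""
        h = hashlib.sha256()
        for r in self._vendor:
            h.update(r.name.encode())
            h.update(len(r.pattern).to_bytes(4, "big"))
            h.update(r.pattern)
        return h.hexdigest()

    def scan(self, data):
        """Return the sorted names of all rules (vendor and user) that match."""
        data = bytes(data)
        return sorted(r.name for r in (*self._vendor, *self._user) if r.pattern in data)

    # ---- vendor-only operation (refused in public builds) -----------------
    def dump_vendor_rules(self):
        if self._public_build:
            raise AdminInterfaceDisabled("vendor rule export is not available in public builds")
        return list(self._vendor)


def demo_store(public_build=PUBLIC_BUILD):
    """Build a store from constructed sample rules (not real signatures)."""
    vendor = [
        ("Sample.RAT.A", b"\x4d\x5a\x90\x00SAMPLE-A"),   # constructed marker
        ("Sample.RAT.B", b"BACKDOOR-B-MARK"),            # constructed marker
    ]
    store = RuleStore(vendor, public_build=public_build)
    store.add_user_rule("Local.Custom.1", b"MY-LOCAL-MARK")
    return store


if __name__ == "__main__":
    s = demo_store()
    print(s.scan(b"junk MZ\x90\x00SAMPLE-A tail MY-LOCAL-MARK"))
    print("vendor rules loaded:", s.vendor_rule_count(), s.vendor_fingerprint()[:16])
```

    The point of the split is that the customer-facing surface (`add_user_rule`, `list_user_rules`, `scan`, `vendor_fingerprint`) never hands back a vendor pattern, so there is no hidden switch to find in a public build; the fingerprint still lets a customer confirm which signature set is active.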
  12. ---

    --- Guest

    I believe that it may indeed be illegal to patch a computer program (even if you have not reverse engineered such program).

    Within the European Community the Council Directive 91/250/EEC of 14 May 1991 on the legal protection of computer programs ( http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&type_doc=Directive&an_doc=1991&nu_doc=0250&lg=EN ) has been implemented by numerous member states:

    Pursuant to Article 4(b) of such Directive any alteration of a computer program generally requires authorization.

    --------------
    "Article 4 Restricted Acts

    Subject to the provisions of Articles 5 and 6, the exclusive rights of the rightholder within the meaning of Article 2, shall include the right to do or to authorize:

    (a) the permanent or temporary reproduction of a computer program by any means and in any form, in part or in whole. Insofar as loading, displaying, running, transmission or storage of the computer program necessitate such reproduction, such acts shall be subject to authorization by the rightholder;
    (b) the translation, adaptation, arrangement and any other alteration of a computer program and the reproduction of the results thereof, without prejudice to the rights of the person who alters the program;"
    ------------------

    The application of a patch may be considered an alteration of the computer program although it is argued, for example, that only alterations of the source code (and not minimal modifications of the binary code) are covered.

    Moreover, it may well be the case that none of the exceptions from the authorization requirement applies. For instance, Article 5 of the Directive provides:

    ------------
    "Article 5 Exceptions to the restricted acts
    1. In the absence of specific contractual provisions, the acts referred to in Article 4 (a) and (b) shall not require authorization by the rightholder where they are necessary for the use of the computer program by the lawful acquirer in accordance with its intended purpose, including for error correction.
    ...
    3. The person having a right to use a copy of a computer program shall be entitled, without the authorization of the rightholder, to observe, study or test the functioning of the program in order to determine the ideas and principles which underlie any element of the program if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the program which he is entitled to do."
    -------------

    In the present case, it is doubtful whether the application of the Admin Patch serves the purpose of error correction. On the one hand, the hidden Admin Mode is a security risk which should be fixed. If you do not apply the Admin Patch you cannot prove that such security risk exists and the developer will not react until it's too late. On the other hand, the actual fix can only be performed by the developer. This is because all public versions must be fixed in order to resolve the problem.

    I think the dilemma is that the language of the statutory law is too tight and, therefore, it may not be possible to inform the public about security flaws. This would be quite unfortunate: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realized that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," (see http://news.com.com/Researcher+faces+jail+for+finding+bugs/2100-7348_3-5531586.html , cited by LowWaterMark).

    If it were actually true that the language of the legal statutes must be narrowly interpreted this would be another example for the detrimental effects of the current copyright law which does not provide for a fair balance between consumers and rightholders.
     
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, I noticed that, too. Rang quite true and indicated a little more compassionate understanding of the people and personalities they were dealing with than had hitherto been revealed - maturity even, for God's sake.

    And then I read post #62 and thought to myself - "Wow, that really makes sense! Why doesn't Magnus just do that?". Whereupon I read #63 and thought "OMG. I hope that's not the case and not the reason why he doesn't want to do that."

    Anyway, I hope if the discussed issue is a bona-fide vulnerability in TH, that Magnus will do whatever it takes to correct it. I certainly don't fault him for having a (supposed) weakness/vulnerability in his program - nobody's perfect.

    But I would have to wonder about it if he didn't want to admit to the fact that something (or maybe everything related to his old and new file rules interface) needed to be re-written from the ground up to make the program better/safer/more immune to attack for his users.

    After all - that's what it's all about, isn't it? Pete
     
  14. Terryala

    Terryala Rest in Peace

    Joined:
    Sep 2, 2003
    Posts:
    60
    Well I must say that this has been an interesting read. No matter the feeling expressed here one way or another.

    There were things said by both sides that made sense. But my feeling is it's time for the Testers to test the programs and post results.

    I agree with spy1 that as the thread went on there seemed to be more of an understanding. Maybe it was a good thing that this thread continued as it did give everyone a chance to AIR things out. Maybe both sides learned something, I can only hope.

    To Paul a thank u for reopening this thread.

    Grand Dad
     
  15. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Nautilus thank you for clearing things up in my earlier post.

    I wonder though if any sort of reverse engineering or patching is going to take place in your test. If so, what advantage would this give in testing over your previous method of testing which involved modifying the malware?
     
  16. ---

    --- Guest

    @rerun2

    I have already stated that we did not reverse engineer TH or any other scanner. Consequently, no reverse engineering will or has taken place in the course of the test.

    You can turn on the TH admin mode either with the help of a patch or manually with a hex editor by making a minor alteration of the program. The respective knowledge probably results from reverse engineering (not performed by us). It may be illegal to alter the TH program (see above). Therefore, we will reconsider applying the patch. If we do not apply the patch or comment on TH's method of signature creation the significance of the test results will be lower than it could be.

    If people want us to provide test results of greater significance they should ask Magnus to expressly allow us the use of the patch (for test purposes only).
     
  17. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    don't do it Magnus !!!!


    that's one of the best features in trojan hunter, i really hope that it will stay

    as for the test, i'll comment on it when it's finished


    a hint for ntl:
    test spyware/hijackers too
    also test removal mechanisms
    infect with CWS NS3 and check who removes ;)
     
  18. ---

    --- Guest

    @illukka

    This will be a signature quality evaluation series only. We will only do spot checks. The completion of the test will take us several weeks.

    Spyware and trojan removal needs to be covered by another test. Our capacities are severely limited.
     
  19. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    it seems to me that nowadays it's mostly spyware/hijackers that are added to signatures
    for every new rat there's a couple of new spywares
    i suppose it will be relatively easy to find a weak spot in every scanner, an old zoo trojan for example..
    i'd be more concerned if there are flaws in the signatures of some major trojans
     
  20. ---

    --- Guest

    We will not test signature quantity (i.e., test whether rare zoo trojans are detected) but signature quality. We will use popular and rare trojans in order to determine whether the signature quality differs depending on the spread of the trojan (e.g., it might be possible that an AV/AT developer uses more sigs or hand-picked, high-quality sigs for popular trojans).

    We will not test the quality of the signatures used for the detection of replicating malware like viruses, worms and widely spread spyware. This would not make sense. High-quality sigs are only required for the detection of non-replicating malware which is frequently modified, customized etc. That's why we always say that a scanner that performs badly in our tests may still be a good scanner for replicating malware. If you are interested in the detection of replicating malware you can read the tests of Andreas Clementi. We do not believe that we would be able to significantly improve such tests.
     
  21. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O

    that would be only a logical thing to do (for a trojan analyst)
    the web is full of buggy'n'crappy (mostly vb) trojans which no-one will ever use to infect anyone (probably not even the author... ROFL).. why waste time and energy in getting a superb detection/multiple signatures of such a major threat? those are nice to have in a collection though :D

    because
    there are also some very popular trojans which have lots of different versions/variants, and most importantly users.. who use just that favourite rat to infect people..

    that's just my opinion of course..
     
  22. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC