Trojans and Trojan Scanners

Discussion in 'other anti-trojan software' started by Scott, Mar 22, 2002.

Thread Status:
Not open for further replies.
  1. Scott

    Scott Guest

    This question is probably going to send most of you onto the floor laughing with the need for air, but here goes.... Could someone please tell me how one actually gets a trojan on their computer? Email attachments? Just plain surfing the net? Clicking on links? Opening downloaded software? Currently I'm running an antivirus program and I've read plenty of posts about also running a trojan scanner, but how do I know I need one? Where do these nasty trojans come from? Basically, what determines whether or not I really need to get a trojan program? Also, if I do need to get one, could the ones responding to this message give me their top 3 picks for programs?

    Thanks
    Scott
     
  2. Nancy_McAleavey

    Nancy_McAleavey Expert Member

    Joined:
    Feb 10, 2002
    Posts:
    244
    Location:
    Voorheesville, NY, USA
    Hi Scott,

    Your question is somewhat like the inevitable "tell me about yourself..."; how trojans are delivered is complex. I'll try and hit up some of the more common methods that we've seen or had reported to us over the past years since we first released BOClean.

    Probably the most memorable was the Netbus trojan, wrapped in "Pie Bill Gates". The trojan was wrapped in a Bill Gates (just after the infamous Brussels "Pie Incident") whack-a-mole game with a pie theme. Irresistible to many, all got a copy of Netbus, one of the first trojans to emerge, in the bargain. Trojans are still wrapped in some free software and assorted "goodies". Always know where your freeware came from, go to the source if possible, this will help to *reduce* the possibility of getting a trojan. Some unscrupulous authors use free software to distribute trojans.

    Trojans have also come wrapped in graphics... still a popular method to this day. For your protection on the front line, always (if you use OE) be *absolutely certain* that you have "Preview Mode" turned OFF anytime you go to get mail. If there is anything wrapped in any attachment, the preview mode will enable it to execute while you view the thumbnail.

    Sometimes it's as simple as a file attachment that doesn't "seem to do anything", and is gone in a flash. I had a customer who had a trojan loader (some of the newest, most sophisticated trojans use a separate loader program that can run in the background while "stealing" some bits to download a large, complex program that includes firewall/AV stoppers, callout routines to alert the "perp" that it's connected, and more....) installed in this fashion. Another best practice is to watch for files with more than one extension (I use Eudora mail as it's easily suited for this) and just *lose them* without EVER opening them.

    There is an exploit called EXE2HTML that allows an executable (all trojans are, taken to their bare bones, executable server software) to be attached and downloaded within a webpage.  See:

    http://www.nsclean.com/psc-exe2.html

    for more details. We also have freeware (trojan free, natch!) that addresses this exploit in particular.

    So that's the tip of the iceberg, some of the most common techniques used to get these nasties on a system. Get yourself an AT, too, it'll pay for itself in peace of mind even if you never see a trojan on your system itself! :)
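
The practice mentioned in the post above, watching for attachments with more than one extension, can be automated at the mail gateway or on a saved message. This is an added example, not part of the original thread; the function names and the two extension lists are assumptions chosen for illustration, and the sample message is constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows runs or interprets on double-click (illustrative, not exhaustive).
EXECUTABLE = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "lnk"}
# Harmless-looking extensions commonly used as the visible decoy.
DECOY = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "pdf", "mp3", "avi", "zip"}

def check_filename(name):
    """Return the reasons an attachment name looks deceptive (empty list = none)."""
    reasons = []
    # Windows drops trailing dots and spaces, so judge the name it will really use.
    parts = name.rstrip(" .").split(".")
    if len(parts) < 2 or parts[-1].strip().lower() not in EXECUTABLE:
        return reasons
    reasons.append("executable extension ." + parts[-1].strip().lower())
    if len(parts) >= 3:
        decoy = parts[-2]
        if decoy.strip().lower() in DECOY:
            reasons.append("decoy extension ." + decoy.strip().lower() + " before it")
        if decoy != decoy.rstrip():
            reasons.append("whitespace padding hides the real extension")
    return reasons

def scan_message(raw_bytes):
    """Map each suspicious attachment filename in a raw RFC 822 message to its reasons."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.walk():
        name = part.get_filename()
        reasons = check_filename(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed test message: one plain attachment and two disguised ones."""
    msg = EmailMessage()
    msg["Subject"] = "photos"
    msg.set_content("see attached")
    for name in ("holiday.jpg.exe", "notes.txt", "invoice.pdf      .scr"):
        msg.add_attachment(b"constructed", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(repr(name), "->", "; ".join(reasons))
```

The check looks only at names, so it complements a scanner rather than replacing one: a renamed executable with a single, harmless-looking extension passes it.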
     
  3. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Hi Scott,

    The risk of getting infected with a trojan is nearly the same as getting infected with a virus. In any case a piece of software has to be executed. This software comes from all the kinds of sources you already mentioned in your post.

    The easiest way to find out if you need extra trojan protection is for you to name the antivirus software you use, and I'll give you some advice.

    For anti trojan programs please visit http://www.wilders.org

    There is a big overview on anti trojan software including links and ratings.

    wizard
     
  4. Scott

    Scott Guest

    Nod32 Antivirus. I have already checked out the programs and ratings you refer to at wilders and also have read some other posts at different sites.
    Am I to assume that all trojans come from programs you may download from the internet then install, activating their nasty stuff? Or attachments that are run by clicking on them? So if I don't open attachments and don't download a lot of programs, or only download well known software and install them, there is no reason for a trojan scanner?
    Also, I'm a little confused as to how some anti-trojan programs work. I'm under the impression from what I've read that one should have a trojan program that detects the trojan before it is activated (there's a couple of words for this but I can't remember what they are). Like my pop3 scanner, it alerts me to a virus in my mail before I do anything that I shouldn't. So I need a trojan scanner that scans downloaded files and will alert me to a downloaded trojan? How do I know what programs catch trojans before something gets activated (like my pop3 scanner) and what trojan programs are just scanners that you would use on a daily basis to check to see if something has happened? I'm currently looking at or trying BOClean, TDS, Trojan Hunter, Ants, Trojan Remover; if you have any other recommendations or recommendations on these, let me know.
    Also another question: aren't firewalls (or at least some) supposed to stop trojan attacks? It seems as though some are listing protection from trojan programs in their specs, and when I do scans for my firewall at pcflank it says I'm safe from trojans. So if they are supposed to stop trojan attacks, then why do I need a trojan program?
    I guess I'm just trying to figure out where a trojan program actually comes from (software and attachments) but not from just surfing the net? So I would actually have to download something in order to get hit by a trojan? Like my parents' computer: if I tell them not to download any software or open attachments, they would not need a trojan program?
    One last question: where do I find this at to check it?
    Sorry I rambled on for so long with all the questions and thanks for your help.

    Scott
     
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    A lot of questions. :) Okay, first of all you should check the security settings of your browser. I would suggest to put all options to "ask" or disable things like ActiveX and ActiveScripting. The pages that require such options you can put on the trusted sites list if you think these pages are trustworthy sites.

    This will prevent, in most cases, a suspicious web site from automatically installing a trojan on your system.
    The other two options are email or downloading software. As always, you reduce the risk of getting infected if you do not open email attachments or download software from untrusted sites.

    Anti-trojan software works a little bit differently from antivirus software. AT software does not scan emails or downloads. At the moment there are two ways for trojan detection. The first one is used by TDS-3 and scans each executable file before you start it. The second method, which is used by Trojan Hunter or BOClean, is that the process memory is scanned after the execution of a file.

    I think the three anti-trojan programs you mentioned can be put in three categories: BOClean is the one which is the easiest to use. TDS-3 is more for advanced users but offers a lot of features. Trojan Hunter is something between both. So the decision depends on what you want.

    It is very often said that firewalls protect from trojans. This is a little bit untrue. A firewall cannot tell you this program is a trojan. It only reports that a program wants access to the internet. So the decision is up to you to identify it as a trojan or not. If iexplorer.exe wants to access the internet, do you really know whether this is a trojan or your web browser? Also, there are some techniques already developed so that a trojan may not be caught by a firewall.

    wizard
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Scott - Welcome!

    In Outlook Express, click on 'View', then 'Layout' and make sure 'Show Preview Pane' is not checked (if it is, click in the box to un-check it, then click 'Apply').

    Also (still in OE), click Tools/Options/'Read' tab and make sure 'Automatically download message when viewing in the Preview pane' is not checked.

    Then go to the 'Security' tab on that same screen and make sure that 'Restricted sites zone (more secure)' radio button is selected.

    You have got to make sure you click 'Apply' after making any changes.

    Also note that you should review all the settings in the 'Restricted' sites Zone for IE - every single one of them should be locked down by having either 'Disable', 'Prompt' or 'High' as their settings (Tools/Internet Options/'Security' tab/click on 'Restricted Sites' icon, then on 'Custom Level' - make sure you 'Okay' and/or 'Apply' after all changes there, too).

    IMO, you need a separate anti-trojan program running on-access (in SYSTRAY).

    It all comes down to specialization - AV's catch virii, AT's catch trojans, your firewall monitors transmissions in and out of your computer - let each specific program do what it does best.

    Pete
     