Understanding the Potential of Static DLL Injection

Discussion in 'other anti-trojan software' started by ------, Sep 22, 2004.

Thread Status:
Not open for further replies.
  1. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    okay, I remember I've gotten this advice before, so I'll better shut up now. Don't know when I will get the time to dig for a trojan dll to do the test (and to read all the stuff you've pointed me to already) - probably not before TDS-4 is out :D :D

    Have a good time all of you,
    Andreas
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493

    This is among the reasons why I don't use one trojan scanner exclusively. Right now, I use the two that I believe cover each other's weaknesses the best. I really enjoy reading your articles because you point out the weakness in each product BUT only after an alternate product that covers the weaknesses is out, so you don't give anyone any bad ideas.

    We actually need more people putting out information on subjects like this because it forces AV/AT companies to improve their products and not get lazy, like Microsoft got lazy because they wanted to promote "features" and did not want to fix the actual holes in their product (many of which they knew existed) but did not think people would actually exploit because it was only "theoretical". I only believe the malware problem is going to get worse in the near future. I believe people will eventually try to implement some of the attacks described. I would like protection from the "real world" attacks as well as the "theoretical".

    I used to wonder why all these AV/AT companies would so promote their products and then I would go around different forums on the internet and find people with viruses, worms, trojans while using those same products that were promoted as "the Answer" to everything. Granted, some of this was because of the user (i.e. not updating their software, turning off their protection, etc.) but there are more than a few instances of people running fully updated, properly configured AV/AT software and still getting infected.

    I don't believe that there is anything that can protect against everything (i.e. the stupidity of the user) but I believe that AV/AT companies will have to start getting ahead of the curve instead of always being behind.

    I do give it to DCS, though. I believe Process Guard is a good step in that direction. I really like PG v3. It is much more stable than version 2. I think this will be almost an essential product for protection against rootkits and dynamic DLL trojans. Most of the other alternatives to PG are either a lot more incomplete at this time or far, far more complicated and require too much time to learn to use properly... at least for me.

    Right now, I am looking at a few behavior based protections also. Things like PREVX, Desktop Armor, and pcInternet Patrol. Does anyone know of any more of this type of behavior based software available for the home?

    Starrob
     
    Last edited: Sep 23, 2004
  3. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    same for me

    ditto

    prevx is Ok on my machine together with processguard and kerio which I prefer more at this moment than op.

    pc internet patrol I tried but not anymore because of prevx and pg.
     
  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    This is an interesting article about how home users are starting to be targeted more than corporations and how scanners are not the solution to the problem:

    http://www.vnunet.com/news/1158338

    Here is a quote from the article:

    "While antivirus protection is still strong it's not going to cut it all the way," said Gullotto.

    "In five years we'll see more success from behaviour-blocking analysis than we do, and this will be integrated into future technology."

    I believe programs like PREVX will become more and more common.

    Starrob
     
  5. erikguy

    erikguy Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    236
    Location:
    Salem, OR
    Unfortunately for the informed and properly protected user programs like Prevx seem to bring up more false positives than anything. Don't get me wrong, I believe Prevx is a great product but I also believe there is another perhaps better approach that can be taken into consideration. Good stuff though, definitely a good read.
     
  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I just found this article on the internet:

    http://www.nai.com/common/media/vil/pdf/imuttik_VB_conf_2000.pdf

    I think it was written sometime in 2000 but I think it is interesting reading to get a very basic understanding of a virus/trojan scanner.

    I read a lot of different forums and I read a lot of people throwing around terms like "heuristics", "generic emulation", "checksumming" etc. and most times with only a few exceptions I feel the people using those terms don't really know what they mean.

    This article gave me a basic understanding of why some scanners are faster than others. It also gave me a very, very basic understanding of why there are such things as false positives and the different trade-offs that AV/AT companies have to think about when building a scanner.

    It also made me realize that when people "demand" certain features in a scanner... they may not realize it might come at the expense of losing other capabilities... that is unless the programmer is extremely intelligent and finds different ways to gain better features without losing the effectiveness of other features.

    I also find that many end users want new versions of products very quickly and can't understand why there are delays. All over many different forums there are people asking when this product is coming out and when that one is coming out. I am beginning to realize now that it does take time to find workarounds for different things and make the scanner more effective without making the scans take a very long time.

    Everyone wants faster scanners that can detect more and more things and this pulls many software developers in competing directions. I know I get very demanding with what I like in certain products but I do want to say that I appreciate those software developers taking the time to satisfy all the competing demands of us end-users.

    I know that the detection of static DLLs must be a very difficult one to solve. Of course a scanner could be built to detect most of them but it would most likely be very slow if it had to checksum every single DLL a program uses.

    I think the problem of dynamic DLL injection is for the most part solved with Process Guard. It should be interesting to see what innovative ways AV/AT companies come up with to solve static DLL injection.


    Starrob
     
    Last edited: Sep 26, 2004
  7. dannyboy 950

    dannyboy 950 Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    50
    Personally I think if these guys quit taking pot shots at one another and got together and collaborated they would develop the malware product of all time.

    I have used A Squared and ewido since their inception and find they do complement each other.
    Each writer seems to have an understanding of areas that the others lack a little in.

    I have also trialed each of DCS's products and found them quite good also.

    I realise I am not a security guru like the others, just a common user.
     
  8. AJohn

    AJohn Registered Member

    Joined:
    Sep 29, 2004
    Posts:
    935
    Good article, nice read and too much argument :p
     