tron.zip Detection

Greetings all.

I downloaded tron.zip fron here: http://www.xxx.com/trojans/tools/remote/

URL refers to trojan download and has been altered for that reason - Forum Admin

The following is the brief description provided at this site:

I scanned tron.zip with TDS-3 and it detected nothing; however, when I unzipped tron.zip, TDS-3 positively identified tronserver.exe as "RAT.tron". Since I also have licenced versions of both Tauscan and Trojan Hunter (both are latest versions with data bases updated today), I scanned the unzipped file with them. Both Tauscan and Trojan Hunter failed to identify tronserver.exe as a trojan. Please feel free to draw your own conclusions.

This may seem picky; however, how come there was no detection of the zip file? tron.zip downloads to Windows/Temporary Internet Files. I scanned Temporary Internet files with zip files checked in TDS-3, and tron.zip went undetected. Obviously, I'm missing something.

 

You surely must be missing something.

So are you sure you have the latest Radius databases of over 14061 references now and all scan options --inhcluding the zipped-- checked?

 

Thanks Paul and Jooske!

You're right, of course. I'm still on a steep learning curve with TDS-3. I deleted the unzipped folder containing tronserver.exe and tron.zip from Windows/Temporary Internet files. When I then did a full system scan, TDS-3 made a positive identification (in archive) of tronserver.exe in C:\download\tron.zip. Good stuff. TDS-3 ... what a hunk of software!!!

Bob

 

I got the download for scanning it and like the screenshot above in Paul's posting.
I wonder if this is the same or equal tool as another "advertised" these days (potext), must read the advertisements better for better impressions.


And TDS is going to be even better.... she whispered respectfully...

 

A properly updated Trojan Hunter apparently does recognize it.

Take a look at this thread

I downloaded the compressed file, and both NAV and NOD32 not unexpectedly declared there was nothing wrong with it.

Being chicken, I didn't feel like experimenting with it in order to find out whether BOClean might detect it wehen it became active.
I did write to Kevin to inquire whether they knew about this one.
I'm sure it'll turn up in the forthcoming trojan definitions, though.
They're usually pretty fast.

I admit I'm tempted by TDS-3, although I am a little scared of being blinded by science when using it.  

 

Hi Paul,

I know about the AV's, but I just thought I'd try them on this trojan in order to find out what they'd say.

I'm happy using BOClean, but every now and then I think it would be nice to have a good on-demand scanner as well.

Mind you, not that I feel unprotected running these three apps.
I'm quite a prudent, run-of-the-mill computer user really, and I don't go looking for danger.
As a matter of fact, I can't even remember an occasion when BOClean had to jump in to save the day.

I just get your run of the mill Klez, Loveletter, Magistr thingies,  and nothing really exciting ever comes my way, I'm sorry to say (NOT?)...

But about TDS-3, even without using 90% of all the options, I take it you can hopefully just scan a file or scan a drive without having go through the entire user manual first?

And I also assume that TDS-3 users are entitled to a free upgrade to TDS-4 when it's issued.

If that's the case, I might well give it a try.

 

Just because it's got bells and whistles, you don't have to be musical....

 

Ha!  

And I just might feel like taking music lessons in the future, of course...

Meanwhile, about this trojan,  I mailed Kevin at BOClean support about it, and I got this response:

Needless to say, already covered in BOClean's update overnight ... I took a look at it myself. Heh. What a *LAMEASS* pile of ... ummm.

Doesn't even have an "explorer" so the kids can waft around the disk, a number of really poorly crafted "tools" and of course the obligatory "shut down a few firewalls" but unlike what we're seeing out there that really IS a threat, this one doesn't replace their screens with new ones inside the trojan so you never know your protection went poof on you. Nor does it have the "spot-killer" which repeatedly hammers away at any attempts to restart same (assuming it wasn't completely destroyed and all hooks to go back to the vendor's site and get fixed up again are gone and blocked below the winsock) ... in the greater scheme of things that we deal with day in and day out, this one's pretty pathetic.

But we covered it anyway like so many other pathetic toys. Thanks much for turning it in.  

 

Music from TDS?
Yes!
some scripting, at least you must have heard it singing "happy birthday to you" in one of the scripts, and yes, you can set up something to make it singing on your birthday. And you can use the jukebox script.
For the scanning was one easy configuration script as well, posted it even in one of the threads over here, i'm working on a HTML / vbs version to make it more easy and voice controlled, so what you know already to configure under the configuration tab, to put the sockets on automated and to configure the scan at wish with all you like to scan, including your whole network and your neighbors and people in the chatbox you're visiting, whatever you like and remote controlled from your wireless phone maybe if you like, yes it's all there, but not in that script
More explanations in the helpfile, which is a real interesting manual, with screenshots, explanation everywhere, and it seems to be growing all by itself, discovering more each time when searching something.

 

Dank je, Jooske (yes, that's right, yet another Dutchie here... )

Well, I've started by downloading the helpfile, and as soon as I've memorized that,  I'll fearlessly dive into the deep end, and maybe download a trial version.

I'll keep you posted!

Cheers,  Tony

 

Hey Tony,

You will not regret it; as you know I too run the excellent combo TDS-3 - BOClean (one for on-demand, one for resident).
(BTW: you were not the only one who sent it Kevin   )

Groetjes, Jan.

 

The helpfile is of so much more help with TDS if you can see what you're doing and hear, taste and sniff it and just do it
There are some screenshots in the manual.
Don't even pretent to ever learn it all by heart, as over 300 pages and a still growing number and all you can renew with the new version, etc etc. I just know where to find it if needed and i enjoy the new finds when digging again.
By that time, imagine, i'll have to renew several scripts and wave files, where it explains TDS-3 and "Welcome to TDS-3" etc etc etc
But by that time you'll wanting to be able to play "jingle bells" scripts you discovered by long you need a registered version for that, in the meantime discovering so many reasons why you don't even want to consider to be any single day without your most preferred and beloved program and the whole registered operators family with that, and the many more options a registered operator has..... or would you really like to study the TDS-4 manual first to hurt yourself any longer with all the gems and diamonds you don't have that moment?
Ahhh TDS............... what a gem !
Wished i could include some nice sexy TDS screenshot of some configuration or a trojan detection, whatever.
Pssst: some script includes my voice!

This was about tron, i remember, ok, TDS does detect it very well, as we see Paul's screenshot as well.

Lots of Fun with your TDS manual study! I prefer it digital.
Lof lof

 

Well, you guys almost managed to convince me already, I must say.

The promise of hearing Jooske's voice alone already makes me feel like rushing out and buying the product, skipping the trial version altogether!  

When is TDS-4 scheduled to be presented to the hungry masses?

If it's only a month or so, I might wait for the latest and greatest.

 

No reason to wait for that either, as we beta testing team are not in the stage of beta testing the whole product yet, nor do we really know details.
And: upgrading will be free of charge, so why wait?
I always love to play around and see the new toys included. Or maybe a whole reorganisation of all there is, extra tools, different ways........
You might like to look once you're there getting the TDS trial the WormGuard trial as well.
The registration doesn't cause new downloads, only including the keyfile which diamond key will unlock some former limitations to even more functionality, like the exec protection and being able to run all the scripts and other things Wayne might not have told us.
Take your time and have a nice look at it, as the trials are for free, even if you don't download them via my hop-clickbank URL which i don't post here <<wide grin>> just click www.tds.diamondcs.com.au and enjoy the real world of security the happy way.
Happy? Yes, because we are in the drivers seat and there's always nice family members in the passengers places around. That's what we have the TWO forums for, and not to forget the large educative manual and euhm.. TDS itself waking us up with friendly calling our name and some tips of the day, etc etc etc etc and whatever we have it doing beside the original included tasks via our own scripts!

 

Thanks Jooske,

I'll probably down TDS-3 in the course of this weekend.

I may even purchase it right away, as I'm convinced that if I'm to go for an on-demand anti-trojan, there's probably no need to look any further than TDS-3, with all its configurable bells and whistles.

As you see, I've become a believer already...

I'm interested in Worm Guard as well, but good grief, does one really need Nod32, NAV, BOClean, NIS, TDS-3 and Worm Guard.
And yes, I know it's a superior product, but what if I'm never going to get to use it because all my other stuff clobbers the occasional nasty first.

Let's start with TDS-3, and we'll see what we'll do after that.

Groetjes,   Ton

 

Hi again Ton,
NIS and WG 3 don't go well together, but v4 won't be a problem i guess/hope. We are promissed TDS and WG 4 will make of other developers green with envy and jobless, as well will be their products i might suppose with that.
Girls like diamonds, so i like to use all of their gems
http://www.diamondcs.com.au/web/img/diamond.gif     http://www.diamondcs.com.au/web/img/dcslogo.gif
and boys like girls, even more with diamonds, so a perfect combination, isn't it?
As we know the DCS gems are top of the security business we keep laughing and happy, discovering new abilities, even in our own scripting!
Leuk he?
Groetjes,
Jooske

 

Jooske,

Are there known issues with NIS and TDS-3 that you're aware of??

 

As far as NIS 1.0 is concerned: none.
With respect to the newer versions: AFAIK: no

 

Thanks!

I'm running NIS 4.0, but as I'd use TDS-3 strictly for on demand scanning,  I don't think anything much could happen that I wouldn't be able to correct by disabling NIS for a moment.

You can probably count on me being a frequent visitor to the TDS-3 board.

I can only advise everyone there to brace themselves for a lot of stupid questions...

 

Which of the TDS-3 boards Tony? This Only Official Public DCS / TDS Forum or the Registered Operators Only Private Forum.
I'm in both frequenting
You know, we love stupid questions, as the only stupid questions are the one's not asked at all, so we can all learn from them and from all the others which are asked even more all together!
Looking forward to learning lots more!

 

Ya stupid questions are good because they make us look smart when we know the answer. Smart questions are sometimes bad because they are often too hard to answer

 

This one, I guess, as it's the only one I'm aquainted with.

Besides, I "do" 2 Dutch and 5 American boards, and I'm not really looking to add any more to those (for the moment, that is... )

No prob: I'll try to avoid the smart ones, then...  

 

Tony, just for the record, at the time that I performed the scan with Trojan Hunter, TH was "properly" updated in the sense that all updates available at that time were installed. Magnus had yet to issue an update that allowed TH to detect tronserver.exe. By the way, IMHO Magnus is justly deserving of a hearty "atta boy" for releasing the update within two hours of the file's submission. As of now (well, about 5 minutes ago), Tauscan has yet to be updated to detect this trojan.

While I certainly understand why this action might be taken, it didn't seem out-of-line for me to provide the link. It appeared in the DSL Security Forum and, as of this moment, it still appears there unaltered. I used Tauscan for about two years before significantly upgrading my AT to TDS-3 and, in all that time, it never detected a single trojan on my system (unlike NAV in the case of viruses). Now it might appear that I'm bashing my own good fortune but not at all. Because it never detected a single trojan, there was always this lingering doubt in my mind as to whether it was effectively doing its job. Because I was able to download this trojan and watch TDS-3 detect it in short order (while others failed to do so at the same point in time), I am now convinced that TDS-3 is effectively doing its job. I now know that I made a worthwhile investment when I became a licenced TDS Operator. It was a realization that I wanted other TDS users to experience. In some ways, I wish that there was a test bed of trojans (modified so as to be rendered harmless if that's feasible) for this purpose. Regretably, if there is such a resource, I haven't been able to locate it. Regards.