TDS-3 vs. Polymorphic Trojans, case example

Discussion in 'Trojan Defence Suite' started by Wayne - DiamondCS, Apr 16, 2003.

  1. Vampirefo

    Vampirefo Guest

    TrojanHunter can't detect Donald Dick accurately, if at all. If I run the Trojan, TrojanHunter's port rule detects it, but then again that is just the default port, which could be changed.

    TrojanHunter can't detect the Trojan, so if one changes the port Donald Dick uses, TrojanHunter would miss it altogether.
     
  2. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Jooske,

    Get me a picture of you wearing a TDS tee shirt and I will use it in the GAV forum as a signature. Promise ;)

    Regards,
    John
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There are no pictures of me on the internet except for my avatar and thus I'll keep it.
    Might ask SnapDragin some day if she can change some pixels for me into DCS in my crystal ball :)
    Was not asking for the drop bear or the roo yet.
    But as Blazey made such a beauty for us with the most suitable captain of DCS euhmmmmmm see for yourself: this was made before the stuff shopped btw:
    http://www.diamondcs.com.au/forum/showthread.php?s=&postid=13104#post13104

    shoppe here
    http://www.cafeshops.com/diamondcs/
     
  4. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    KAV seems able to detect Donald Dick up to 1.55, unsurprisingly. :D
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I wonder if DCS was maybe the first, as they tested with all the known scanners, updated, and Wayne would never post to be the only one if the scanners from other brands in their lab would have detected them; might be such a thing I guess.

    Anyway: for us users the most important thing is that the nasties are disarmed to the last nasty bit asap! As KAV is among my favourite AV/AT as recommended extra opinion, I would not have expected (hoped) less :)
     
  6. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Well, the last time I updated my KAV was 12.04, and Wayne posted this thread on the 16th. Then again, KAV isn't an anti-trojan, so...
     
  7. Magnus

    Magnus Guest

    Hi vampirefo,

    Please try scanning with today's ruleset update. TrojanHunter should now detect all Donald Dick servers.
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thank you Magnus, in the name of the whole cleaned internet community, for yet another contribution to detection!
    Always great to see people contributing and alerting others adequately.
    Does it, with detection, also clean out? Or do users need to do things manually like deleting registry keys and cleaning out system restore, bins etc?
    I remember the older versions' descriptions with some instructions, which is why I ask.
    Hope nobody will get infected in reality, btw!
     
  9. Magnus

    Magnus Guest

    Hi Jooske,

    Thank you! I'm always happy to improve TrojanHunter detection, especially in this case. And yes, I believe everything should be taken care of when cleaning this one.
     
  10. Vampirefo

    Vampirefo Guest

    Thanks Magnus,

    With today's update TH was able to detect all Donald Dick servers that I made.

    Best Regards
    Vampirefo
     
  11. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Now that xor/Michael has posted a method of detecting DD you'd think all anti-trojans could now detect it, but as of today only 2 do ... it remains an elusive trojan :)
     
  12. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    >TDS-3 is the only anti-trojan scanner capable of detecting this trojan

    Sure you detect every variant?
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Angelo, let's hope so! How many more variants are there in the meantime? Or am I now confusing versions with variants?
    Did you try and successfully i hope, with your various tools?
     
  14. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    Well ... I did a little test. I generated a little test set with 11,000 Donald Dick servers. Just executed ddsetup.exe 11,000 times and copied the servers into one directory.

    After this I let GAV, TDS-3 and TrojanHunter scan the folder. Only TrojanHunter detected ANY variant. GAV and TDS-3 missed 40 - 80 servers. I have no webspace available. So if someone has webspace just contact me at angelo.bachmayr@chello.at . I will send you the screenshots and the tool that generates as many servers as you want automatically, and I can post them here.

    Wayne and Co:
    Are you interested in the test set? I can upload them to a FTP server of your choice. Just write an email to angelo.bachmayr@chello.at .
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Sounds interesting. It's ANZAC Day (a holiday) in Australia, so don't expect an answer before monday.
    Thought you maybe found more variants after the 1.55.
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Angelo,

    Don't hesitate to send me the stuff mentioned; webmaster@wilders.org .

    btw: talking unpacked newly generated servers here?

    regards.

    paul
     
  17. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I was just notified of this via SMS :)
    Angelo, we ended up creating over 4000 Donald Dick servers and were able to achieve 100% detection from that test set. I'm surprised that your test set of 11,000 was able to yield variants that weren't detected, but our detection technique is very specific (so as to avoid any false alarms), so it will be very easy to ensure detection of all 11,000 variants simply by relaxing the routine a little - essentially making it a little simpler. I've sent you an email - can you please send us the servers that _weren't_ detected and we'll re-vamp the detection routines on Monday.

    Many thanks,
    Wayne
     
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Sounds perfectly sound and reasonable to me - kudos, Wayne :cool:.

    regards.

    paul
     
  19. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    >Don't hesitate to send me the stuff mentioned; webmaster@wilders.org .
    >btw: talking unpacked newly generated servers here?

    Yes, unpacked ones :D. I did a rescan with the new database today but nothing has changed. 10,934 of 11,000 if I remember correctly.

    I will do a rescan with TH and GAV with current updates and send them to you, admin.

    BTW:
    Is it possible that the "Notify on replies" does not work correctly?
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Thanks for the info. Have a look at Wayne's reply in regard to relaxing the routine - upcoming monday as for detection from your freshly made trojan servers ;)

    Much obliged - please zip/rar the file(s).

    We'll check it out.

    regards.

    paul
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The notifications should be sent to the email addy of your registration here; I get them properly for every thread I subscribed to (big wish to have an option of notifications for all the threads in one forum!! so there would be no need to go through each thread individually),
    but it can take minutes before I see the notifications in my mailbox.
    I heard from another person not getting them, not sure why and if this was ever solved and how.
     
  22. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    Ok ... I redid the test - now with 1000 ddick servers only. These are the results of TDS-3 ...

    It detected 989 of 1000 ...
     

    Attached Files:

    • tds3.png
      tds3.png
      File size:
      49.7 KB
      Views:
      2,162
  23. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    Now with GAV 3.5 ...

    It detected 990 of 1000 ...
     

    Attached Files:

  24. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    And last but not least Trojan Hunter 3.5 ...

    It detected 1000 of 1000 ...
     

    Attached Files:

    • th35.png
      th35.png
      File size:
      23 KB
      Views:
      2,162
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Angelo,

    No offense, but this is useless. Please read the reply from Wayne - and answer to his email sent to you.

    regards.

    paul
     