An old article about TDS not detecting some trojan variants

Discussion in 'Trojan Defence Suite' started by gottadoit, Nov 16, 2004.

Thread Status:
Not open for further replies.
  1. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Hi,

    I just ran across this article and just wanted to check that the information is well out of date...
    [Please note I am *not* looking to criticise DCS and/or TDS, I quite like TDS3]

    I imagine that this would have come to DCS's attention a long time ago and have been corrected but it doesn't hurt to check

    Before anyone passes comment on the fact that ProcessGuard 3.x will stop DLL injection attacks, I already know and am using it
    This question is about TDS-3 detecting the problem once it has happened

    Article is
    Wolves In Sheep's Clothing: Malicious DLLs Injected Into Trusted Host Applications
    http://home.arcor.de/scheinsicherheit/dll.htm

    I did a forum search for dll.htm and arcor and didn't get any hits so figured I would ask the question

    From the article (which is worth a read even if it may be dated), at the bottom of the page it has "10 August 2003"
    Thanks
     
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I think DCS is most likely very aware of the issues raised in that article. It is just a guess of mine but I think TDS-4 is being designed with many of those issues in mind.

    Starrob
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Look at the separate APM tool designed for that purpose.
    TDS has unpackers; in the private forum we've been informed how to add additional unpackers if we want.
    TDS-4 .. no doubt about that.
     
  4. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Jooske,
    Can you give me a pointer to the thread in the TDS private forum so I can read it please. I don't tend to use the private forum because most things are better said in public ones (even though I do have a login..)

    I'm not sure why you mentioned APM?
    I have looked at it, but what is "its purpose" in the context of this question?

    Thanks
     
    Last edited: Nov 17, 2004
  5. "TDS has unpackers"... TDS has no unpacking engine; it just uses unpacker tools from web sites. If I posted a link to these sites here, someone would delete the post, because on this kind of "programmer's tools" site you will also find packers you can use to make malware undetectable (for TDS). At the moment there is only one anti-trojan scanner which is able to unpack many exe file packers without using these unpack tools from these "evil" sites written by anonymous programmers, and that is ewido security suite.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    As the original article is old, you won't mind looking into older threads in the DiamondCS forum. One where APM is mentioned in relation to injection is this one http://www.diamondcs.com.au/forum/showthread.php?t=1694&highlight=injection apm
    and there are several threads in relation to injection and TrojanHunter and lots with ProcessGuard.
    Just type "injection" in the search engine and you see lots of threads or postings with it.
    Same with "unpackers".
     
    Last edited: Nov 17, 2004
  7. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    OK, thanks. I've read through the private forums a bit now and seen what has been said.

    From what I've seen so far, I'm glad I've got ProcessGuard 3.x installed.
    Some of the links led me to other sites like r*kit and that was an eye opener

    It was interesting to see a tool there (VICE) specifically to help people find processes that use hooks and report on them in order to encourage others to "do it properly"... sigh

    Something new discovered, so it wasn't a total waste of time

    My understanding of what I've read is that TDS 3 is adequate for the task and that it does now perform some unpacking

    I'll wait for TDS 4 and its new and creative ways ...
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    TDS-3 was good in its day and it is still good now, but it is reaching the end of its life cycle. Hopefully TDS-4 will be with us soon. DCS has a history of innovating and I would expect that many of the issues that people are starting to worry about will be taken care of in an even better manner.

    Starrob