An old article about TDS not detecting some trojan variants

Hi,

I just ran across this article and just wanted to check that the information is well out of date...
[Please note I am *not* looking to criticise DCS and/or TDS, I quite like TDS3]

I imagine that this would have come to DCS's attention a long time ago and have been corrected but it doesn't hurt to check

Before anyone passes comment on the fact that ProcessGuard 3.x will stop DLL injection attacks, I already know and am using it
This question is about TDS-3 detecting the problem once it has happened

Article is
Wolves In Sheep's Clothing: Malicious DLLs Injected Into Trusted Host Applications
http://home.arcor.de/scheinsicherheit/dll.htm

I did a forum search for dll.htm and arcor and didn't get any hits so figured I would ask the question

From the article (which is worth a read even if it may be dated), at the bottom of the page it has "10 August 2003"

Thanks

 

I think DCS is most likely very aware of the issues raised in that article. It is just a guess of mine but I think TDS-4 is being designed with many of those issues in mind.




Starrob

 

Look at the separate APM tool designed for that purpose.
TDS has unpackers; in the private forum we've been informed how to add additional unpackers if we want.
TDS-4 .. no doubt about that.

 

Jookse,
Can you give me a pointer to the thread in the TDS private forum so I can read it please. I don't tend to use the private forum because most things are better said in public ones (even though I do have a login..)

I'm not sure why you mentioned APM ?
I have looked at it, but what is "its purpose" in the context of this question?

Thanks

 

"TDS has unpackers"..tds has no unpacking engine, it use just unpacker tools from web sites. If i would post here a link to these site, someone will delete the post cause on this kind of "programmer´s tools" site you will find also packers you can use to make a malware undetect (for tds). At the moment there is only one anti-trojan scanner which is able to unpack many exe file packers without using these unpack tools from these "evil" sites written by anonymous programmers and that is ewido security suite.

 

As the original article is old, you won't mind to look into older threads in the DiamondCS forum. One where APM is mentioned in relation to injection is this one http://www.diamondcs.com.au/forum/showthread.php?t=1694&highlight=injection apm
and there are several threads in relation to injection and TrojanHunter and lots with ProcessGuard.
Just type "injection" in the search engine and you see lots of threads or postings with it.
Same with "unpackers".

 

Ok thanks, I've read through the private forums a bit now and seen what has been said

From what I've seen so far, I'm glad I've got process guard 3.x installed
Some of the links led me to other sites like r*kit and that was an eye opener

It was interesting to see a tool there (VICE) specifically to help people find processes that use hooks and report on them in order to encourage others to "do it properly"... sigh

Something new discovered, so it wasn't a total waste of time

My understanding of what I've read is that TDS 3 is adequate for the task and that it does now perform some unpacking

I'll wait for TDS 4 and its new and creative ways ...

 

TDS-3 was good in it's day and it is still good now but it is reaching the end of it's life cycle. Hopefully TDS-4 will be with us soon. DCS has a history of innovating and I would expect that many of the issues that people are starting to worry about will be taken care of in a even better manner.


Starrob