Andreas Haak-Ants anti-trojan project

Discussion in 'other anti-trojan software' started by Pretender, Dec 10, 2002.

Thread Status:
Not open for further replies.
  1. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm not aware of any restrictions or limitations for TDS functionality in any Windows version, or it would be specific NT/2000/XP functions like the NTFS streams and their detection, which does not work in standard Win98 and ME (unless you use that special driver to read them anyway), or the exec protection not being installable in the evaluation version, only in the full licensed (registered) version.
    What you might have heard could be that for exec protection to be running, TDS needs to be running.
    People need proper configuration to have the speech parts working properly on XP and 2000, which is not specific to TDS btw, but as TDS uses it we give lots of support in that area too.

    So for all extra information look in the DCS and TDS forums over here, and once you're looking pay extra attention to the splendid ActionPack offer, still valid for a limited time.

    BTW: did you notice today Gavin crossed the 21005 references thread? Applause! So much security for all of us!

    For TDS or other DCS product specific questions please come over to the DCS forums, thanks!
     
  2. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Howdy Andreas !

    I still use Ants 2.0 for scanning all my ports almost every day, and it is a nice feature to check out what is going on on my puter too! Thank you very much for a very good app :)

    best regards *Ari*
     
  3. Gladiator

    Gladiator Guest

    Well, to this BioNet thing....
    Nobody (who can make good signatures) takes TEXT PASSAGES in the signature. That is crappy and easy to avoid detection.
    I doubt that TDS has such signs inside.
    A good signature is binary code WHICH REMAINS even if the source is compiled again.
    A zero byte before and after the text passage is b$.

    Michael
     
  4. DrSeltsam

    DrSeltsam Guest

    Some of you might know the project "Scheinsicherheit". It's a project of 2 German "VXers". They do a lot of software testing to show if a program has strong signatures and is able to unpack several packers and crypters.

    During the test (you will find it on http://members.lycos.co.uk/scheinsicherheit/tds.htm) they created a hex-edited BioNet server. The server has only one difference from the original. The string "bionet" that you can find several times inside the file was changed or ripped out. The result of the test:

    "Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: c:\dokume~1\admini~1\desktop\scantest\bionet318ungepacktteniobhexedited.exe

    *** Apparently TDS-3 uses the trojan's name for signature-based detection. That is why the hex-edited Bionet 3.18 cannot be identified concretely and is only recognised as suspicious malware by its other analysis methods. ***"

    But I think that's enough :eek:).
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Is it THAT important HOW a nasty has been caught………
    Dolf
     
  6. DrSeltsam

    DrSeltsam Guest

    Yes, I think it is, because it's quite easy to fool the heuristics.

    Most of the time it identifies a trojan using import table scanning or generic signatures. If you store your strings encrypted (for example using a static XOR) and use LoadLibrary and GetProcAddress instead of a static import, it would be hard for TDS to find it using generic scanning.

    And there is another problem ... to clean malware correctly it's necessary to identify it correctly! Only one example:

    Imagine you are infected with Sockets de Troie. Someone ripped out the references to "sockets de troie" so TDS won't catch it (I DIDN'T CHECK IF TDS USES A SIGNATURE THAT IS BASED ON THE TROJAN'S NAME - IT'S JUST A THEORETICAL EXAMPLE). Sockets de Troie "infects" files (if I remember correctly it just attaches the file to its end). TDS will find it with its heuristics and you can delete the suspicious file - and with the file the original file. I wish you a nice weekend; you will need to reinstall and reconfigure your system if you haven't got a backup :eek:).

    But by the way ... many anti-trojan programs (including ANTS 2.x) and even virus scanners use references to the trojan name inside the server as signatures. KAV for example has a few (old) "weak" signatures.
     
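The two points made above (Gladiator's, that a text-passage signature is trivially edited out while a code-pattern signature survives, and DrSeltsam's, that a statically XOR-encoded string defeats plain string matching) can be shown with a small scanner. The following is an added example written for this page; it is not code from the thread, from TDS, ANTS or any other product named here. Every "server" it scans is a constructed byte string (a Borland-style function prologue plus a string table), not a real BioNet binary, and the signatures, key and filler are assumptions made for the demonstration. Beyond what the posts say, it also shows the cheap countermeasure a scanner can add: brute-forcing all 255 single-byte XOR keys so the name reappears anyway.

```python
"""Added example, not from this thread or any product it names.

Shows why a signature built from a trojan's *name string* is fragile, what a
hex edit or a static single-byte XOR does to it, and the check a scanner can
add to see through the XOR. All samples are constructed byte strings.
"""

# Constructed stand-in for a trojan "server": a Delphi/Borland-style function
# prologue (push ebp / mov ebp,esp / add esp,-0x10) followed by a string table.
# A real code signature would be longer and taken from the trojan's own
# routines; this prologue only says "built with a Borland compiler".
PROLOGUE = bytes.fromhex("558bec83c4f0")
FILLER = bytes(range(0x20, 0x7E))      # printable padding around the string table

NAME_SIG = b"bionet"                    # the text-passage signature Gladiator criticises
CODE_SIG = PROLOGUE                     # the code-pattern alternative (assumed, generic)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Static single-byte XOR, the string 'encryption' DrSeltsam describes."""
    return bytes(b ^ key for b in data)


def build_sample(variant: str, key: int = 0x5A) -> bytes:
    """Construct a sample binary in one of three states:
    'original'  - name string stored in clear text
    'hexedited' - name string overwritten in a hex editor (the Scheinsicherheit test)
    'xor'       - name string stored XOR-encoded with `key`, decoded only at run time
    """
    if variant == "original":
        name = NAME_SIG
    elif variant == "hexedited":
        name = b"teniob"                # six arbitrary bytes in place of the name
    elif variant == "xor":
        name = xor_bytes(NAME_SIG, key)
    else:
        raise ValueError(f"unknown variant {variant!r}")
    return PROLOGUE + b"\x00" * 8 + FILLER + b"\x00" + name + b"\x00" + FILLER


def has_name_signature(data: bytes) -> bool:
    """Name-string signature: defeated by editing six bytes."""
    return NAME_SIG in data


def has_code_signature(data: bytes) -> bool:
    """Code-pattern signature: survives the hex edit, but this generic prologue
    only supports a 'suspicious' verdict, not a concrete identification."""
    return CODE_SIG in data


def xor_keys_revealing(data: bytes, needle: bytes = NAME_SIG) -> list[int]:
    """The check: try every single-byte key and report those under which
    `needle` reappears. 255 passes over the file is cheap, and it is why a
    static XOR is only a speed bump; heavier obfuscators use rolling keys."""
    return [k for k in range(1, 256) if needle in xor_bytes(data, k)]


def scan(data: bytes) -> dict:
    """Layered verdict, in the spirit of the TDS report quoted in the thread."""
    keys = xor_keys_revealing(data)
    if has_name_signature(data):
        verdict = "identified"          # concrete match on the clear-text name
    elif keys:
        verdict = "identified"          # concrete match after single-byte XOR
    elif has_code_signature(data):
        verdict = "suspicious"          # only the generic code pattern: heuristic hit
    else:
        verdict = "clean"
    return {"verdict": verdict, "name_sig": has_name_signature(data),
            "code_sig": has_code_signature(data), "xor_keys": keys}


if __name__ == "__main__":
    for variant in ("original", "hexedited", "xor"):
        print(f"{variant:10s} {scan(build_sample(variant))}")
```

Run it and the three verdicts line up with the thread: the untouched sample is identified by name, the hex-edited sample drops to "suspicious" on the code pattern alone (the result the Scheinsicherheit page reported), and the XOR-encoded sample is missed by the plain string match but recovered by the 255-key sweep. Dynamic API resolution via LoadLibrary/GetProcAddress is the same idea applied to the import table and is not modelled here.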
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    How many ways are needed to be sure to catch a Trojan o_O
    And then, how many AT’s use all of them ??
    And then, which AT comes closest ?
    Dolf
     
  8. Gladiator

    Gladiator Guest

    Of course only ANTS :D
     
  9. DrSeltsam

    DrSeltsam Guest

    No - of course only gladiator ;o).
     
  10. DrSeltsam

    DrSeltsam Guest

    >How many ways are needed to be sure to catch a Trojan o_O

    I think you can't give a general answer. Nothing is 100 percent secure.

    Only use open source products where you checked the source might be a way ;o).

    >And then, how many AT’s use all of them ??

    No one.

    >And then, which AT comes closest ?

    No one, I think. Every program has its advantages and disadvantages. If I had to choose I would choose Trojan Hunter or TDS, I think. But it's still easy to fool them both.
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Haven't heard of any examples yet (regarding TDS)
    Dolf
     
  12. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    there he is theres Andreas Newbys getttttttttt HIMMMMMMMMMMMMM!!!!!!!!!!!!!!!!


    Where the heck is the new Ants you promised? New Ants now! I see you slacking off, starting lame old bickering.


    grab the tar and feathers, newbies, and a big tall thing of coffee; Andreas is going to finish that new Ants trojan AV or else
     
  13. hayc59

    hayc59 Guest

    yea what he said!! :D any word on the Ants Project Andre?
     
  14. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    I bet he's partying right now, drinking etc etc
     
  15. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    I would just like to add my comment about the reply Wayne gave in his defence of TDS during his return of fire against Andreas Haak. While I'm sure everyone likes to read a good slugging match between 2 software developers, it was the comment Wayne made at the end that caught my attention:

    This comment was made after having just bisected TrojanHunter:

    Now I didn't realise that Magnus was in on this argument to deserve having his program put down. I'm a registered user of Trojan Hunter and Port Explorer so I have loyalties to both companies. I don't think there can be many people out there, who are in the know about Trojans, who don't rate TDS as "the best" at finding absolutely every type of Trojan in existence. If I happened to be the IT Security officer of a small or big company who might be the specific target of hackers, that's the one I'd use.

    But after saying that, I chose Trojan Hunter for my home computer. Why? Because of its ease of use and the fact that I'm very confident that if a Trojan did accidentally mistake my computer for something worth bothering about it would be detected. In fact I sometimes secretly hope that something will happen that will send my AV into a mild panic, or if that missed it, my AT might raise an alarm, or if that missed it my firewall might start jumping around the screen, and if all that failed I'd notice red text appearing in (the excellent) Port Explorer. But in the last 10 years of home computing, I've only ever had 3 bounces off my AV. Maybe I'm just lucky. But as wizard stated, probably at least 90% of home computers don't even have AV protection, so I must be a security nerd.

    So to round up: there will always be a home for TDS with its totally anti-user-friendly interface (maybe V4 will change this?) but with an arsenal of advanced features that will delight any IT guru. And equally there will be a home for Trojan Hunter, with user-friendliness jumping out from all over it, and which in all likelihood will protect your computer should your AV fail.
     
  16. controler

    controler Guest

    ReGen

    Welcome :D

    You are very lucky to only have been hit three times in ten years.
    There are some posters that get hit three times a day.
    I am in contact with a few state agencies and I will tell you this: they get hit hard as every new virus hits the market. NONE of them have any anti-trojan software whatsoever. That scares me. Most are still using Windows 95, for Christ's sake. The system admins are too damn lazy to even update the DEFs on each node. Actually this sort of thing really bothers me. To top all this off, these same agencies are losing funds to be more secure. These highly paid IT so-called professionals are slacking off and are getting away with it. Too busy downloading MP3s, I am guessing, since the world today wants YOUNG IT people and not older people. It is a published fact that the corporate world seeks young IT "professionals" o_O
    I for one don't see anything wrong with a "good slugging match"
    as long as the match is carried out fairly and with the intent on producing the very best APPS possible.

    DING DING DING Round 4 :D
     
  17. Gladiator

    Gladiator Guest

    Well.... Does it matter WHO develops an AV/AT program?
    I think not - each program has ups and downs - that's the fact.
    And I am really bored with this upcoming AT war.
    During the time spent "defending" their own program at other boards the person/company could take this time and improve the program.
    Of course some statements must be given if something is wrong - I think everybody understands this. I make mistakes and everybody else does too. There is no problem with this - we are all humans.
    But some people should learn how to treat mistakes and downs.
    There is always a way to say "Hey, I think it's not a good idea how it works" - but it depends on HOW YOU SAY IT.
    It can be a very important hint to improve the software (or fix some problems) and it can be a pain in the ass - if the comments are rude and arrogant - nobody is helped by the last part.
    There is for each one a "market place" - you just have to find the right corner.
    There are big corners, small corners, dirty corners and difficult corners - try to find the right corner.

    Michael
     
  18. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Regen, Andreas himself introduced Trojan Hunter into the discussion and that comment is what Wayne responded to. (Perhaps you also missed a bit of a kerfuffle between Magnus and Wayne perhaps a year ago or so, I don't recall specifically, about whose AT had what capacities, if I recall correctly. So perhaps that is a bit of background which may or may not be a factor.)

    Trojan Hunter is relatively new on the scene (compared to TDS for example), and I believe the Wilders site itself notes that it does not (yet) have as many trojans in the db as some of the other more established AT's. So that's a fair comment, IMO, and Magnus has been working on improving his product since he first introduced it.

    I don't relish a tussle between developers but I do want to know when claims are made for or against a product if those claims are true or not. Just because I pay for a product doesn't mean that I owe allegiance and loyalty to it. It's the marketplace. The developers owe me performance for which I pay. So I just want to know if the product does what it's supposed to or not.

    Unfortunately usually these public haggles IMO don't resolve that issue for the nontechnical users. If someone makes a claim against the efficacy of another's product let them follow up and show that to be true. And, as Michael notes, it should be done in a manner that serves the consumers (and perhaps also the developers) of AT products. Otherwise it too frequently appears to be just an occasion for taking shots at others' products, while spreading smoke and fog among consumers and potential consumers. That serves no one well IMO.
     
  19. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    Sig, Gladiator, I agree with your comments; the only point that I really meant to get across was that, for all the fighting that goes on between different developers about whose product is the absolute best, anything is better than nothing (well, nearly!).
    Some people will require the best of the best (in ability) no matter what the downsides are, in order to maintain security. But for the likes of myself - using DUN for a few hours a day - I chose Trojan Hunter and would have been equally well protected, I'm sure, with any of a dozen others. (Though TH was an informed decision!)
    :)

    I’m sure in the long run that a small amount of well founded creative criticism between developers will push the market forward and can only help benefit the user :)
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    After being a TDS user for several years I looked at TH, and being a home user or small business most of all, I myself keep with TDS, so we all have our reasons and visions and system specifications, etc etc.
    Really wished Rod Soto's anti-trojan site had stayed up with the information so we could have had better impressions for those who don't know the products.....
    A discussion in a constructive way between developers could add to products involved and users information, as other ways are just waste of everybody's time and space.
    Good, all agreed about this by now.
     
  21. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Well, I wouldn't mind a little contest between the various ATs. Let our best Trojan writers send in their best work and let a third party do some tests with them with anti-trojans. Should be fun.
    Dolf

    btw Andreas can prove then that TDS and TH are easy to fool :D :D
     
  22. DrSeltsam

    DrSeltsam Guest

    Would be a nice try ;o). A "proof of concept" trojan. On my birthday i have time to code such a "proof of concept".
     
  23. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    Andreas,

    Would you please provide an update to the Ant's Project at:

    http://testcenter.ants-online.de/index.php

    :rolleyes:
     
  24. hayc59

    hayc59 Guest

    thanks! i was wondering where this thread was going!! :D
     
  25. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    What we need here is cooperation instead of conflict. If TDS has weaknesses which Ants overcomes (and vice versa) then some form of cross licensing agreement might stop this ugly bickering and provide the best product for all concerned - the user community in particular.

    It may be a shotgun wedding but think of the children it'll produce. :)
     