another trojan not found.

Discussion in 'Trojan Defence Suite' started by sometimesIwonder, Feb 8, 2004.

Thread Status:
Not open for further replies.
  1. sometimesIwonder

    Sometimes I wonder how those 17 scanning techniques are working. I've got a nice trojan here which is widely available on the web masquerading as an AOL password stealer, but it's actually a pseudo-rootkit tool.
    The only programs that actually ID the file were BitDefender and KAV.
    TDS-3 missed it; Norton, NOD32, InoculateIT, VAT, Panda, AVG missed it.

    I know that once in a while TDS-3 might miss a thing or two, but this is the 4th in a row. Maybe my install is misconfigured? But I've tested it on SubSeven Legends and it worked fine.
    Oh well, just a heads-up.
    The trojan is 90,530 bytes in length.
     
  2. Dan Perez (Retired Moderator)

    Have you submitted it to TDS?

    submit@diamondcs.com.au

    Thanks. If it is not in the definitions it will be soon after it is submitted, I'm sure.
     
  3. Jooske (Registered Member)

    Hello sometimesIwonder
    Welcome!
    Can you please be so kind as to send it zipped to submit@diamondcs.com.au and gavindcs@iinet.net.au for the quickest reply on what is the matter with the file and why there are no alarms on it? Thanks!

    BTW: what's the name of the game? (the trojan, I mean)
     
  4. Jooske (Registered Member)

    Aaargggg, I was 1 second slower! Must be I'm at a larger distance than you, or time saving, or because my message is larger!
     
  5. Dan Perez (Retired Moderator)

    Yup! I've learned my lesson! I keep my answers brief so it increases my chances of being first!!! :p

    ;)
     
  6. dvk01 (Global Moderator)

    I've sent several new ones for them to play with this weekend.

    One looks to be a right so-and-so and difficult to stop/cure, or even copy the dropped files.

    Any anti-virus/anti-trojan is only as good as its definitions.

    If they don't know about them, they can't include them, so any suspects, zip them up and send them off.

    I have been sending 3 or 4 suspects every week that appear in the various forums I frequent, and normally get a reply back within hours if not minutes, and every time it's been included in that day's updates.

    TDS is a very good program, but it will only stay good and at the top if we are responsible and send the suspects to be included.
     
  7. Dan Perez (Retired Moderator)

    That's a very good point!!

    And, as you pointed out, TDS has someone working full time to analyse trojans and provide the best definitions. Most if not all other AT companies cannot boast of this, as is borne out by their slow rate of definition updates compared with DCS's daily (weekday) updates.

    Still, there are some that will not be found immediately, and this is the nature of this sort of field.
     
  8. dvk01 (Global Moderator)

    Yes

    It's a never ending war between the good guys and the bad guys and due to the nature of the war, we the good guys are always one step behind. We have to make a defence against the threat once it's out there in the wild.

    Unfortunately, the only total defence against the baddies is not to use computers and not to use the net.
     
  9. sometimesIwonder

    Yes, I've sent that a long time ago.

    NSClean (BoClean) is pretty good with definition updates; on average it's every two days (including weekends). I submitted the trojan on Friday to all good AV/AT companies; so far NSClean has added signatures for this baddy into their 02/07/04 definition update.

    Yes, I know that we can never win the war, but it's worth the fight.

    The only thing that takes me aback is the fact that TDS-3 for the past 1.5 months hasn't been as "good" as it was in the past in detecting unknown variants of the trojans. (I was used to the <Suspicious file found> routine, but lately, with the last few trojans I've found, TDS-3 didn't even give a peep.)
    I think the scanning engine (heuristics) is becoming outdated. :'( I think the trojan writers are becoming smarter and are using newer tools at their disposal.
    I might be wrong, but from what I've observed this seems to be the case.

    I am not saying that TDS-3 is bad; it's still one of the best at detection, and coupled with BoClean it gives a nice solid wall against infection. (Yeah I know, but BoClean has a very good memory scanner and will continuously check the memory for infection. Thus, just in case I download a trojan, execute it (new variant), both TDS-3 and BoClean stay silent (the trojan is now in memory), I use my PC for a few days without shutting it off... BoClean updates itself and finds the trojan, whereupon TDS-3 would have to be forced to scan the process list or I would have to re-execute the trojan... thus a coupled protection is golden.)

    All of this means that hopefully TDS-4 is right around the corner, since the trojan writers are slowly getting ahead of the detection techniques employed in TDS-3 (and now especially with rootkits around).
     
  10. monica_84 (Registered Member)

    Have you submitted that trojan file to NOD and TrojanHunter also?
     
  11. Gavin - DiamondCS (Former DCS Moderator)

    Hi,

    Please submit it again. I haven't received anything this weekend of that size, and if it's not detected I have never received it: submit@diamondcs.com.au

    A good idea to submit to the others too :)
     
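The advice running through this thread (dvk01's "zip them up and send them off", and Gavin matching the submission only by its 90,530-byte size) is a submission workflow. The script below is an added example, not code from the thread or from DiamondCS: it records a suspect file's size and hashes in a manifest, packages sample and manifest into a zip, and re-verifies the archive before it is sent, so the vendor can match the submission by hash rather than by size alone. The sample bytes and the filename `suspect.exe` are constructed placeholders, not a real file.

```python
import hashlib
import io
import json
import zipfile

# Constructed placeholder bytes standing in for the suspect file; this is not
# malware, just an "MZ" prefix and filler so the example runs offline.
SAMPLE_SUSPECT = b"MZ" + b"\x00" * 62 + b"constructed placeholder payload for the example"


def describe_sample(data: bytes, name: str) -> dict:
    """Record what a vendor needs to identify a submission unambiguously.
    File size on its own (as used in the thread) collides easily; the hashes
    do not, and they let the vendor confirm it is the same file you scanned."""
    return {
        "filename": name,
        "size_bytes": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_submission(data: bytes, name: str, note: str = "") -> bytes:
    """Package the sample plus a JSON manifest into an in-memory zip archive.
    Zipping keeps a bare executable out of the mail gateway's path and keeps
    the manifest (what was scanned, with what, and what missed it) attached."""
    manifest = describe_sample(data, name)
    manifest["note"] = note
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample/" + name, data)
        zf.writestr("manifest.json", json.dumps(manifest, indent=2))
    return buf.getvalue()


def verify_submission(archive: bytes) -> dict:
    """Reopen the archive and recompute every identifier from the bytes inside.
    This catches the wrong file being zipped or a truncated copy before the
    archive leaves your machine; a mismatch raises ValueError."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        data = zf.read("sample/" + manifest["filename"])
    recomputed = describe_sample(data, manifest["filename"])
    for key in ("size_bytes", "md5", "sha1", "sha256"):
        if recomputed[key] != manifest[key]:
            raise ValueError(f"manifest mismatch on {key}")
    return manifest


if __name__ == "__main__":
    # Hypothetical note text; in practice list the scanners and definition
    # dates that missed the file so the analyst can reproduce the miss.
    archive = build_submission(SAMPLE_SUSPECT, "suspect.exe",
                               note="missed by on-demand scan, defs of <date>")
    print(json.dumps(verify_submission(archive), indent=2))
```

When quoting the submission back to a vendor (as in post 11, where the only identifier exchanged was the byte count), quote the SHA-256 from the manifest; the size is still worth including because it is what older vendor queues were matched on.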