Any good free trojan cleaners/detectors out there?

Discussion in 'other anti-trojan software' started by Slovak, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Hi chameleon1

    I'm happy to go with what you suggest, as I believe it may serve SOME purpose. However, I would still like to see a large-scale test involving several thousand trojans with various modifications of each.

    How do you suggest I contact you, as I guess Paul won't let us post contact details here and I'm not happy to post my email here.

    Regards,

    ChrisP
     
  2. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    Interesting discussion, but the point is that ATs don't compete against AVs. They are simply designed to run in addition to AV software to cover an area of malware that most AV vendors ignored for some time: backdoor trojans.

    The truth is that some AV software is, in terms of backdoor detection, worse than some ATs, and vice versa.

    In the past most AV software simply ignored the backdoor trojan problem. This gave a lot of small companies the opportunity to get into this business. Today the situation has changed. Nearly all AV programs catch backdoor trojans as well. Sometimes AV programs offer detection for a new backdoor trojan faster than trojan users realise that there is a new version of their favourite toy. ;)

    This has changed the situation again: the trojan users (script kiddies) are now more forced to manipulate the server to avoid detection. The easiest way to do so is packing or crypting the trojan. And this is the case where most AV programs again show weakness. So as long as AV companies keep ignoring this problem there is a case for AT programs, but not for all of them.

    If the AT scanner just offers file scanning (without unpacking) as the only detection method, this kind of software can be considered as useless as AV software that offers no answer to the packing threat.

    The future case for AT software is to offer additional features, mainly to help detect unknown or modified trojans which get past the defense line of the AV software.

    Another problem is that most tests where AV software is tested against backdoor trojans are mainly crap (even those from most big testing sites). Nearly all tests have at least one of the following flaws:

    a) non-trojan files are included in the test set (clients, edit servers, etc.)
    b) 10 to 15 year old MS-DOS trojan crap is included in the test set (ATs are designed to detect modern backdoor trojans and not historical DOS trojans, which is something the AV software covers anyhow)
    c) the test set does not include modified or packed files (mostly it is just the unchanged files downloaded from a trojan site)
    d) trojans are not executed - all good AT programs offer additional detection with a memory scan, so this is just testing file scanning

    wizard
     
  3. chameleon1

    chameleon1 Guest

    re: Wizard

    I have nothing to add. You are simply right.


    @ ChrisP

    Just pick a trojan and make your choice. Possibly, I will not need your contact details at all.
     
  4. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Well, presumably you will find it a bit tricky to contact me.

    Let's say subseven1
     
  5. chameleon1

    chameleon1 Guest

    Which version of subseven?
     
  6. chameleon1

    chameleon1 Guest

    I strongly suggest using Subseven 2.15 since it will run under Windows XP.

    Is this o.k. for you, Chris? Do you have this trojan?
     
  7. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I'm happy with that.
     
  8. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Forgot to say - no, I don't have it. I may be able to download it this Sat PM.
     
  9. ecordle

    ecordle Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    21
    Location:
    Scarva
    After reading most of this thread I tried to follow the link to download 'ewido', but the site does nothing, whichever download button I press. Can anyone help? :'(
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi ecordle :)

    Did u try here,

    http://www.ewido.net/en/?section=downloads

    Seems to be working ok for me. ;)

    snowbound
     
  11. ecordle

    ecordle Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    21
    Location:
    Scarva
    Hi there Snowbound,

    Sorry all, the problem was at my end. Anyhow, I used DLExpert and downloaded it, no probs.
    Just going offline to install, I'll let you know how it goes.

    ED :D
     
  12. ecordle

    ecordle Registered Member

    Joined:
    Mar 12, 2004
    Posts:
    21
    Location:
    Scarva
    HI

    Downloaded ewido and scanned. Found TrojanSpy Gologger 1.0.
    This was in Norton and in the system restore. Just wanted to check if this is a false +ve and something needed by Norton?

    My guess is that having a name, it must be genuine.

    Otherwise, happy that at least ewido seems user friendly for the beginner, i.e. you don't have to understand all the ins and outs to get started.

    Thanks for the tip, I'm happy! :D

    Ed
     
  13. Shunned

    Shunned Guest

    Pardon me folks... off topic, but this may affect users of ewido and all scanners...

    http://www.wilderssecurity.com/showthread.php?t=25140;start=new;boardseen=1

    Again, please pardon the OT.
     
  14. chameleon1

    chameleon1 Guest

    @ChrisP

    Sub7 is almost too easy ;-) But it will be a good example since it's probably the most well-known trojan in the world (i.e., ANY scanner should easily detect it).

    Let's do the following:

    instructions 1 -5 removed. Please take this to private mail or PM, since we do not allow instructions/info about handling trojans/backdoors over on this board - paul

    6.
    Voila ... F-Secure should not detect it anymore. Ewido, Kaspersky, NOD32 & Trojan Hunter's file scanner will also fail.

    The TDS-3 file scanner will detect a "suspicious file" (an experienced hacker could easily find a workaround but may forget to do so). That's why I always say ... never underestimate the MANY MANY weak signatures and other detection tricks used by TDS ;-)

    By contrast, a dedicated memory scanner should catch it. Let's see what's happening ...

    TDS will easily detect it. The same applies to BOClean. And Trojan Hunter ... well I invite everyone to try it out ;-)
     
  15. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    pm ? ok can i have such a pm ;) ?
     
  16. chameleon1

    chameleon1 Guest

    @Paul

    Can you or someone else confirm that the instructions were correct? This should suffice in order to convince ChrisP that an AT scanner can be useful.

    (For everybody who missed it: a well-known compressor (this time not Armadillo ;-) was mentioned. Alas, nothing spectacular. The main reason for the detailed step-by-step instructions was to demonstrate that it really takes no more than 10 seconds to make a trojan undetected.)
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    chameleon1,

    Since your "instructions" have been up far too long before being removed (blame that one on us), I'm not going to comment on your question. Many have been reading, and I for one will not put them on track or tell them it's of no use. No offense intended, but I do hope you see my point of view ;).

    regards,

    paul
     
  18. chameleon1

    chameleon1 Guest

    @Paul

    I will not post any detailed instructions again. (Please note, however, that my instructions were not that dangerous since I did not post a crack for the commercial protector. I merely directed to the trial version which includes a compulsory pop-up window that will alert any potential victim.)

    Moreover, have a look at what's going on ITW. There is a huge "how to make a trojan undetected" thread in one of the most popular RAT boards. Moreover, they have re-upped the crack for the TDS-3 signature database etc. Thousands of malevolent people are reading this.

    Therefore, I believe that you can only help people if you tell them the truth:

    There is no perfect scanner. And it does make sense to use several scanners including innovative newcomers like ewido. And a firewall. And Process Guard.

    Sometimes, it may even be necessary to shock people who are too focused on marketing. Everyone should bear in mind: the primary aim of every AV/AT producer is to make money. Your security is only a possible side-effect.

    (But I won't post any detailed instructions again. ;-)
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Thanks. I'm perfectly aware of what you are saying ;)

    I know ;)

    Overall - not especially aimed at TDS - signature cracking is far from new, as you know for sure. Signatures are one flip side of the coin - as we both know.

    In essence, personally I do agree: it's an everlasting, ongoing battle - this includes newcomers as well. There's no such thing as a perfect solution. Although Process Guard as well as sandboxing comes close.

    Although I do agree marketing is an issue indeed: in the end the top-notch security software will survive and be top of the bill, if only because of the fact that it does the job. The primary aim of all AV/AT vendors for sure is making a profit. I for one applaud this. I disagree that customers' security is a side-effect (talking about the top-notch ones). Making a profit and providing the best security can be a perfect combo. Depending on users' choices, both the user as well as the vendor can be happy campers - bearing in mind it's an ongoing battle indeed.

    Thanks once more. Time to register as a member over here, don't you agree? ;)

    regards.

    paul
     
  20. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    chameleon1: mhh, no new PM :oops:, but maybe I'm right and you mean a commercial protector/packer like Armadillo or something like that, right?
     
  21. chameleon1

    chameleon1 Guest

    @JoJo

    Guests cannot access the PM feature. Your assumption is correct. The matter was not that exciting. An experienced person like you will know this stuff anyway.
     
  22. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Hi chameleon1,

    I have not had a chance to try what you detailed (I did see it in time), but I WILL give it a go on Tuesday.

    I guess it is just packing the trojan in a way that F-Secure can't unpack.

    As I have not done it yet, I'm assuming that if the app were to be run, the real-time scanner of F-Secure would detect it in memory?

    I know all this is to counter my argument that ATs are not as good as AVs - but from what I have seen, the method you describe not only outsmarts F-Secure, but Trojan Hunter and TDS too - so as far as I can see it has not helped in demonstrating that ATs have some mystical ability to detect what AVs don't.

    Interesting, though, that it is that easy to modify a trojan so that TDS etc. can't detect it.
     
  23. chameleon1

    chameleon1 Guest

    No. The on-access scanner of F-Secure should not detect it. This is because we are not talking about self-extracting archives (like WinZIP, WinRAR) but about run-time compression (--> this means that decompression will take place in memory only).

    F-Secure does not have a real memory scanner. TDS and BOClean have one. TH has one as well, but something went wrong with it ...

    TDS was not outsmarted. Even its file scanner detected it (with the help of a relatively cheap trick). But who cares? Detected is detected. Moreover, BOClean was not outsmarted.

    AT scanners' abilities are not mystical at all. Their main advantage is a memory scanner. I know that some AVs claim to have a mem scanner, too. But this is a lie. Plain and simple. Usually, they claim to have a mem scanner when they do the following: scan any processes running in memory with the file scanner. Nice joke, eh?

    Some other ATs (ewido) feature a so-called emulation in connection with strong signatures. This may also be helpful if someone tries to bypass a scanner. (It would require a different example to demonstrate this. But I have promised Paul not to post any detailed instructions ;-)
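    The two technical points made in this thread, wizard's warning that a scanner which only does file scanning "without unpacking" is useless against packed samples, and chameleon1's explanation that run-time compression leaves nothing for a signature to match on disk until the image is decompressed in memory, can be shown from the defender's side with a toy scanner. The block below is an added example written for this page; it is not code from ewido, TDS, F-Secure or any product named in the thread. Everything in it is constructed: the signature string, the entropy threshold, the three sample "images" (which are byte strings, not executables), and the assumption in `run_demo` that a memory scanner sees the unpacked image. It shows a plain byte-pattern scan detecting an unpacked sample, the same scan seeing nothing in a high-entropy (packed-looking) file, the "suspicious file" entropy heuristic that a file scanner can still raise in that case, and the same signature matching again when applied to the in-memory image.

```python
import hashlib
import math
from collections import Counter

# Constructed signature "database": byte patterns a file scanner looks for in
# an executable image. This string is made up for the example; it is not a
# real detection signature from TDS, ewido or any other product.
SIGNATURES = {
    b"EXAMPLE-BACKDOOR-MARKER-v1": "Example.Backdoor.A",
}

# Shannon entropy is measured in bits per byte (maximum 8.0). Compressed or
# encrypted data sits close to 8.0; ordinary code and data sit well below.
# The threshold is an assumption for this demo, not a value from any scanner.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signature_scan(image: bytes):
    """Plain byte-pattern match, which is all a file-only scanner does.
    Returns the signature name or None."""
    for pattern, name in SIGNATURES.items():
        if pattern in image:
            return name
    return None


def scan_file(image: bytes) -> dict:
    """What a file scanner can say about an on-disk image: a signature hit if
    the pattern is visible, otherwise an entropy heuristic that flags data
    which looks packed or encrypted as "suspicious". The heuristic cannot tell
    packed-benign from packed-malicious; that needs unpacking or a memory scan."""
    name = signature_scan(image)
    entropy = shannon_entropy(image)
    if name:
        verdict = f"detected: {name}"
    elif entropy >= ENTROPY_THRESHOLD:
        verdict = "suspicious: high entropy (possibly run-time packed)"
    else:
        verdict = "clean"
    return {"signature": name, "entropy": round(entropy, 2), "verdict": verdict}


def scan_memory(process_image: bytes):
    """A memory scanner applies the same signatures to the process image after
    the run-time unpacker has executed, so the pattern is visible again."""
    return signature_scan(process_image)


def pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy filler from a SHA-256 chain. This is a
    constructed stand-in for a compressed section; it is not a packer."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample "images" (byte strings, not real executables):
# an unpacked sample carrying the marker, a benign unpacked program, and a
# sample whose body is compressed-looking noise so no pattern is visible.
UNPACKED_SAMPLE = (b"MZ" + b"\x00" * 200 + b"program text " * 20
                   + b"EXAMPLE-BACKDOOR-MARKER-v1" + b"\x00" * 100)
BENIGN_SAMPLE = b"MZ" + b"\x00" * 200 + b"hello world program " * 40
PACKED_LOOKING_SAMPLE = b"MZ" + b"\x00" * 64 + pseudo_random_bytes(b"demo-seed", 4096)


def run_demo() -> dict:
    """File-scan every constructed sample, then scan the image a memory
    scanner would see for the packed case. Assumption for the demo: after the
    unpacker runs, the process image equals UNPACKED_SAMPLE."""
    return {
        "unpacked_on_disk": scan_file(UNPACKED_SAMPLE),
        "benign_on_disk": scan_file(BENIGN_SAMPLE),
        "packed_on_disk": scan_file(PACKED_LOOKING_SAMPLE),
        "packed_in_memory": scan_memory(UNPACKED_SAMPLE),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:18} {result}")
```

    The entropy check is exactly the kind of "weak" detection the thread credits TDS with: it raises a suspicious-file flag on the packed image where the signature scan returns nothing, but it fires just as readily on legitimately compressed software, which is why a file scanner alone can only say "suspicious" and the memory scan is what turns that into a named detection.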
     
  24. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    really interesting thread! :)

    @chameleon1
    May I ask you one question? I've heard that Dr.Web has a true process memory scan function. Have you ever tested Dr.Web? What do you think of Dr.Web's memory scan? The reason I ask is that I can purchase Virus Chaser (Dr.Web's clone) at a low price.
    http://www.viruschaser.com/Eng/index.jsp

    btw, I've been using ESS for a while. I don't know much about this product because I don't have many malicious programs like other Wilders members, but I can say one thing: ESS's support is really excellent. ;)

    Best Regards
     
  25. chameleon1

    chameleon1 Guest

    @Sumire

    I just had a brief look at Dr. Web's "mem scanner". I was not really impressed (i.e., it's not a good replacement for a dedicated mem scanner). At the moment, I do not want to answer the question whether the Dr. Web mem scanner is a "fake" or not. This would require further examination.
     