AT Question

Discussion in 'other anti-trojan software' started by Bethrezen, Oct 18, 2003.

Thread Status:
Not open for further replies.
  1. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    Hi all

    Was just reading a post over at the Spyblocker forums while I was there checking the one need help and I happened upon this post by Zev0 (thanks for the heads up Zev)

    http://spyblocker-software.com/IPB/index.php?showtopic=489&hl=

    My concern right now is not so much the fact that there is some new bad-news Trojan on the block; this is nothing new.

    No, my concern is making sure I'm protected from this and other such exploits, which at this time I'm not, because I don't have an AT yet, as there are no really good free ATs available. So my question is this: is there an AT that's really easy to use and newbie friendly but is powerful like TDS?

    Now in that post they recommend Trojan Hunter, as they say it's almost as powerful as TDS but way easier to use. I wanted to know if this is true or just another bogus review like I've seen so many times before, because if so then I may well invest in a copy for myself, as I think TDS is a little too technical for me, being only a computer novice.

    Any comments or experiences with this program appreciated.

    Blessed Be
     
  2. hayc59

    hayc59 Guest

  3. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Quote from Wayne at the TDS forum.
    Here is another quote:
    In fact, TDS is the only AT to handle this type of trojan when executed.

    And for the easy way to use TDS look here:
    https://www.wilderssecurity.com/showthread.php?t=12743
    Dolf
     
  4. solarpowered candle

    solarpowered candle Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    1,181
    Location:
    new zealand
    As for the ease of use, it's very easy to use in order to update and to perform a complete scan. That's all I use it for, and I don't feel bad about not being into the rest of the many things that some like to do with it. I just want an anti-trojan that will do its job most effectively and with simplicity, and TDS 3 does that, by providing sound anti-trojan protection with one or two clicks.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    If you think you are a computer novice, you definitely should go for TDS.
    I never scan (besides Internet downloads), just relying on the ExecProtection.
    Just keep the program up-to-date and you are as safe as possible.
    Dolf
     
  6. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    Hi Bethrezen. Trojan Hunter has a very friendly user interface, is extremely easy to use and has a lot of power that can be put to good use should you want to.

    The following quote from DCS :

    “We know of one anti-trojan program in particular that actually injects code into infected processes to try and disinfect the trojan, but this is too dangerous and fraught with danger - it's doing exactly what the trojan does, by injecting code into an existing process. It's not an acceptable option for a professional anti-trojan program like TDS”

    Is really just scare mongering from the competition. TH successfully removes the Beast Trojan (and other known injecting Trojans, should they exist), without any reported problems at the TH forum (just success stories). As soon as this Trojan is detected in memory or during a file scan, it can automatically be removed without having to restart your PC and then removing various DLLs.
    TH 3.7 also has ‘shut down’ protection for its memory monitoring program (TH Guard) that prevents it being shut down should any Trojan try, ensuring you’re always protected.

    Trial both programs (TH and TDS3) and see which you prefer. Both offer a decent amount of protection. :)

    TH forum: http://www.misec.net/forum/
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    >Is really just scare mongering from the competition

    I'd rather call it "speaking from decennia-long experience" and serious advice from a top-notch developer whose goal is to give people even more than a safe PC experience, also educating users and keeping it a happy experience.
    No software was named by name, and I remind you this was quoted from the private, licensed TDS operators-only forum, so nobody needed to be convinced or won over from a colleague's product.
    It was part of our private education to be well informed without hurting anybody --might be one reason why we were reminded in private of this fact, which anybody can find anywhere on the internet in software descriptions and in forums.

    SolarPower, TDS you can make as difficult as you want: just keep the system clean and protected, or add a few scripts at the same time to steer your whole life all voice-commanded, and lots more practical for your protection, as you'll have seen in the scripting forum!
    I love to see the people being creative and find each time more areas they want being watched over or solved in very smart ways.
    Be prepared for the world screaming with each new product the DCS stable releases. Like you asked for: the programs actually work.
    We DCS mods prepare ourselves with all the tips and education all time to be able to support other users to the best we can.
    I don't need boxing gloves; we just honestly support honest top-notch quality products.


    Edited:
    correction: DCS mods and users ...... as you can see all over the internet.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Regen,

    Let's keep two things separated here: the developer quoted above is making a statement concerning the method used in this context ;) - stating it's a dangerous one he doesn't opt for.

    This does not imply the method would not work as for example The Beast is concerned; it's merely pointing to the differences in technical approach by - in this case - two antitrojans.

    IMHO that's far from scare mongering: it's pointing out the differences in design and consequently in software behaviour.

    I do agree it's up to each and everyone to decide which software s/he feels most comfortable with, taking all issues into account - the one mentioned above as well ;)

    regards.

    paul
     
  9. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Actually, it's very important for a trojan scanner to be able to clean process-injecting trojans correctly. Having to reboot to "clean" the trojan just doesn't cut it. Why? When cleaning a trojan by doing this, the trojan scanner has to add an entry to the registry (or an .ini file in the case of Windows 9x). Now consider the following: What happens if the trojan removes the "rename on next boot" entry before the reboot happens? That's right, the trojan won't be cleaned at all, and will still be running in memory, leaving the user vulnerable to attack. The user might even think the trojan has been dealt with as his trojan scanner told him "the trojan will be removed on reboot" when in fact it has not been cleaned at all.

    Sure, you could argue that the user could reboot into safe mode and remove the trojan manually. The point is, though, that a trojan scanner should be able to correctly clean a trojan without the user having to resort to manually fiddling in safe mode to remove it. What do you do if the user isn't that familiar with his computer and doesn't know how to clean the trojan himself? Have him wait for a couple of days to get in touch with tech support and all the while leave the trojan running on his system?
     
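The race Magnus describes, as an added example that is not part of the thread and is not code from TDS or TrojanHunter: on NT-family Windows a delayed delete requested through MoveFileEx() with MOVEFILE_DELAY_UNTIL_REBOOT is recorded in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Windows 9x used the [rename] section of WININIT.INI; both names are real, while the sample entries below are constructed. The check parses those records and reports whether each deletion the scanner scheduled is still present, which is the verification an operator wants immediately before rebooting rather than trusting the "will be removed on reboot" message.

```python
"""
Pre-reboot check for 'delete on next reboot' cleanup requests.

Added example; not code from TDS, TrojanHunter or any post in the thread.
NT family: the REG_MULTI_SZ value
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
holds consecutive (source, destination) strings; an empty destination
means 'delete'. Windows 9x: WININIT.INI, section [rename], lines of the
form destination=source, where destination NUL means 'delete'.
The sample data below is constructed; on a live NT system the value would
be read with winreg.QueryValueEx() instead.
"""
from __future__ import annotations


def _normalise(path: str) -> str:
    """Strip the NT '\\??\\' prefix and the '!' replace-existing flag, then
    fold case and slashes so paths from different sources compare equal."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.replace("/", "\\").lower()


def parse_pending_renames(entries: list[str]) -> list[tuple[str, str]]:
    """Pair up the MULTI_SZ strings into (source, destination).
    A trailing unpaired string is ignored, as the session manager does."""
    pairs = []
    for i in range(0, len(entries) - 1, 2):
        pairs.append((_normalise(entries[i]), _normalise(entries[i + 1])))
    return pairs


def parse_wininit_rename(ini_text: str) -> list[tuple[str, str]]:
    """Parse the [rename] section of a WININIT.INI into (source, destination)
    pairs in the same order as parse_pending_renames(); destination NUL is
    returned as '' so both formats express 'delete' the same way."""
    pairs = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_rename = line.lower() == "[rename]"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            dest = "" if dest.upper() == "NUL" else _normalise(dest)
            pairs.append((_normalise(src), dest))
    return pairs


def deletion_pending(pairs: list[tuple[str, str]], path: str) -> bool:
    """True if a delete (empty destination) is still scheduled for `path`."""
    target = _normalise(path)
    return any(src == target and dest == "" for src, dest in pairs)


def check_scheduled_deletions(pairs: list[tuple[str, str]],
                              expected_paths: list[str]) -> dict[str, bool]:
    """The check to run just before rebooting: for each file marked for
    deletion, is the request still recorded? A False is exactly the case
    Magnus describes: the entry was stripped and the file will survive."""
    return {p: deletion_pending(pairs, p) for p in expected_paths}


# --- constructed sample data (hypothetical paths, not real artefacts) ---
SAMPLE_PENDING = [
    "\\??\\C:\\WINDOWS\\System32\\example_injected.dll", "",
    "\\??\\C:\\Temp\\update.tmp", "!\\??\\C:\\Program Files\\App\\app.exe",
]
SAMPLE_WININIT = """
[rename]
NUL=C:\\WINDOWS\\EXAMPLE.DLL
C:\\WINDOWS\\APP.EXE=C:\\TEMP\\APP.NEW
"""

if __name__ == "__main__":
    pairs = parse_pending_renames(SAMPLE_PENDING)
    print(check_scheduled_deletions(pairs, [
        "C:\\WINDOWS\\System32\\example_injected.dll",
        "C:\\WINDOWS\\System32\\other.dll",
    ]))
    print(parse_wininit_rename(SAMPLE_WININIT))
```

On a live NT system the list would come from winreg.QueryValueEx(key, "PendingFileRenameOperations")[0]; the value is simply absent when nothing is pending, so a FileNotFoundError there means every expected deletion has been lost, not that the system is clean. The check only tells you the request survived; it says nothing about whether the module is still active in memory, which is the separate point Wayne makes later in the thread.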
  10. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    A few things people deserve to know.

    *sigh* Here we go again.

    Magnus, I was seriously hoping to avoid replying to your comments, but there is no way I can ignore this one because you're directly pulling us into it now by implying our scanner can't deal with these trojans "correctly", so I have no choice but to respond.

    Define "clean correctly". Let's forget how you do it and forget how I do it, and look at how a reputable anti-virus scanner does it - Kaspersky. It cleans it by marking the file to be deleted at next reboot.

    The technique you use is the same that process-injecting trojans use to infect systems -- inject code into the process. That is completely unacceptable and essentially violates security, and on top of that you're not using your own code to do this, you're using a third-party code-injection library ("Madshi") to do the code injection for you, so you have very little control over what it actually does with the target process, so it's not surprising you're getting a lot of people reporting crashes at your forum.

    You also use this code injection technique to protect your scanner against TerminateProcess (which involves injecting a DLL into every process in the system, which is not only very insidious, but also results in a big performance hit), but it's still vulnerable to a variety of other termination techniques (including EIP modification, code modification, thread termination, and so on). The _only_ way to properly protect against this is from a kernel-level driver (and yes, we've developed a program that does this and we'll be releasing it this week). The techniques you use are all user-level, so they'll _always_ be vulnerable to trojans so I find it amazing that you're here making these comments as if your scanner was bulletproof and ours was incapable, when it seems that maybe the opposite is true.

    Anyway, people deserve to know the truth, so I'm glad you raised the subject.
     
  11. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    (Yawn.) TDS wasn't mentioned even once in my post, but you obviously feel the need to start this debate all over again. You must feel very threatened by TrojanHunter. I guess I should take that as a compliment :) Peter Szor of Symantec Anti-Virus Research describes memory disinfection in this paper, if you think it will help you: http://securityresponse.symantec.com/avcenter/reference/memory.scanning.winnt.pdf

    Folks, Wayne disassembled TrojanHunter to find out how its process-injection cleaning works right after version 3.7 was released. Why would he literally throw himself over the TrojanHunter code to examine it if he didn't think this technique was important? Unfortunately he failed to implement it in TDS, so he's resorting to trying to attack the method. In fact, Wayne was so interested in how the technique worked that he violated the TrojanHunter license agreement to disassemble the program and then posted about it over at DSLReports, trying to attack TrojanHunter. Don't you have better things to do with your time, Wayne? And while we're at it: What happens when a trojan removes your reboot entry? I'm sure everyone would like to hear your response.
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Magnus, you're attacking all other anti-trojan scanners and promoting your own by saying it's the only anti-trojan scanner that can "properly" deal with process-injecting trojans, so of course I have to respond. But your scanner itself injects code into _EVERY_ process on the system (just as process-injecting trojans do, although trojans usually use their own code for the injection). I'm amazed you find that acceptable, because it seems to go against what you say. Why would you not build a kernel-level (ie. driver-based) solution, which would prevent _ALL_ of the attacks I described above (but without having to inject code into any processes), rather than injecting code into every process on the system and only preventing one user-mode attack?

    > Unfortunately he failed to implement it in TDS, so he's resorting to trying to attack the method.
    I _refuse_ to inject code into other processes on my clients' computers. We write security software, not security violation software. We've already solved this problem by creating a kernel-mode driver-based program which anyone can use to secure _all_ of their security processes from all known process termination and code modification attacks, both kernel-mode and user-mode. Case closed, although it seems you still have much work to do.
     
  13. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Wow, talk about avoiding the issue. TrojanHunter doesn't inject code into all running processes to clean a trojan. It only injects code into the infected process to remove the trojan, and this procedure works perfectly - there has not been one single report of a crash when cleaning process-injecting trojans. Quite the contrary, people have been happy that TrojanHunter was able to clean the trojan that was running when other scanners failed. By the way, you still haven't answered my question: What happens when a trojan removes your reboot entry? And since you're so keen on the "rename-on-reboot" thing: What happens when a trojan renames your driver on reboot? And since we're speaking of software that isn't actually available right now (your driver): What protection does the current version of TDS offer against TerminateProcess attacks? Perhaps these are questions you need to think about before you start attacking other scanners.
     
  14. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    No - just by running Trojan Hunter you'll have one of its DLLs running inside every process on the system that it can get access to.

    Anyway, this is beyond a joke. You can glamorize about this trojan and your code-injecting disinfection method all you like but everyone knows the truth now. Regardless, it's trivial compared to what we've got coming out next week (a true kernel-mode process termination solution that doesn't involve anything insidious like code injection or anything weakly obscure like random filenames (which Trojan Hunter used to do, so it's amusing you now promote the fact that you don't do that)) so if you want to keep wasting time here feel free to do so, but we've got more productive things to do.
     
  15. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Nope, that's not code injection. It's the same thing that happens when you register a right-click shell extension - another DLL gets loaded. Are you going to start calling shell extensions a stability problem too now? And you still haven't answered my question: What happens when a trojan renames your driver on reboot? I think most people can figure out the answer by now from your unwillingness to respond. ;)
     
  16. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    I'll happily respond to that, but I think enough has been said for now about The Beast. Only our two scanners seem to show any sign of holding their own against The Beast so we'll just let it rest at that and let everyone make up their own mind. (Next round of drinks is on you)

    Before marking the DLL for deletion at reboot it must be neutralised, or it could 'unmark' itself from deletion as you correctly suggested. There are many ways to do this, although only a few that are safe but they work very well. The result is that The Beast's DLL remains resident, but essentially in a suspended/dead state so it can't fight back in any way so it doesn't matter how long you wait for a reboot.
     
  17. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Amazing, Wayne. I'm glad you finally see the real issue. Couldn't we have agreed on this in the beginning? ;)
     
  18. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    What, you getting the next round of drinks?
     
  19. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Sure, I'll buy you a drink if I ever visit Perth ;)
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For this kind of discussion among developers it was urgently asked to do so behind the screens, in a special developers-only forum where you guys can discuss details far more constructively, instead of everyone seeing respected developers from top products discussing things the public can't understand in detail, nor the importance of them. We, the public, can only feel sad for both of you, and we just hope it leads somehow to better understanding and good products anyway.
    Peace, gentlemen, please; although both visions and ways differ a lot, both ways might have their value, and both have their devoted and respected users.


    Very wise you didn't start with the drinks first to keep it at least looking serious --
    and it gave an opportunity to explain the why this and not that for what reasons --
    anyway seems drinks are on the way after all!
    http://diamondcs.com.au/forum/images/smilies/cheers.gif
    Keep them http://diamondcs.com.au/forum/images/smilies/hammer.gif those nasties!
     
  21. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Jooske, well said, you've put us both to shame :)

    But what can we say ... we're (too?) passionate about our work :)

    To many people, trojans, like viruses, are just an annoyance - something to be avoided at all cost, and something that everyone hopes will never infect their system. But to people like myself and Magnus, they're the most fascinating things, and we devote our lives to researching them and finding ways to detect and counter them. So I hope people can understand why Magnus and myself are so passionate about what we do, but also understand that there is never anything personal here - this is purely business (I know that and Magnus knows that), and Magnus and I have a lot of mutual respect for each other in what we do so don't read too much into this. :)
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I know, that devotion is radiating all around and you both created many serious fans with it :)
    See a whole party on the rooftops, some will be appropriate for this situation.
    I think from discussing problems with different points of view good new things can grow, and they will be needed more by the day now that the trojan/worm world is more complicated by the day and growing uncontrolled, with its own new unforeseen mutants the original creators have no answers for either. It's a whole hidden world there in the cyber world!
    Anyway we're looking forward to your guys pre-release party injections!
    This business talk is not the reason why your Yoda avatar seems to have a blue eye all of a sudden? Or is that a cyber injection too? Look out with those recycled electrons, ask for pure natural without artificial preservatives in those trojans!
     
  23. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Hi Magnus, there are a few methods to protect your driver from being removed, which the program/driver protects itself against at the moment. Plus as I am sure you know from looking at some rootkits, it is possible to do almost anything when you are at the kernel level.

    Maybe you should start recommending your customers use this when it's released instead of your current madshi method. :)
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Ah Jason is there to mix the drinks! And mixing programs and developers if i see that right?
    Next build in the console a menu option to start the other program. Hey.... thought that was my program? No problem, working together on protecting the users even better.
     
  25. ReGen

    ReGen Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    61
    Location:
    Scotland UK
    Bethrezen:
    As I stated before, both products (TH and TDS-3) are very much worth investigating with a view to purchase. (TH was my final choice.) Luckily we have a lot of top-notch programmers working for lots of competing companies, and that allows us the freedom of choice in obtaining the high level of security we would all like for our work and home PCs.
    I have registered programs from both companies in question and a lot of others besides, all of which have been purchased by personal judgement along with a little guidance from security forums like this. It's always important to remember, though, when taking advice, that nearly everyone becomes biased towards a product they use, sometimes resulting in unintentionally blinkered answers to the questions you may pose. So it's always better to try and get a reasonably balanced view from people that use different products and from a range of security forums. But IMHO whichever AT you decide to go with (TH or TDS-3) you'll be very well protected and receive good support should the need arise. :)

    Paul:
    Perhaps saying “scare mongering” was an incorrect usage of words, but IMO saying something’s ‘Dangerous’ when indirectly pointing a finger, is also pretty expressive, especially as not one problem has been reported (even during beta testing) whilst using the technique Magnus has coded. But, every developer has his own opinion.
    I’m really glad to see an almost healthy outcome to this thread, and just hope Bethrezen hasn’t been frightened off, checks out both AT programs and any others he may wish to, and then makes a judged opinion for himself along with a little balanced help from this forum and others. :)

    Jason:
    As a backup to an already working solution for TH, your new program will come in very handy. I’m really looking forward to testing it. Sounds like it’ll be a great addition to the arsenal, and what’s more - it’s free (I think)! What more could a person ask for? :)

    (Sorry if I've got it wrong about your new program being free, I'm just getting used to you releasing lots of freebies) :)
     