Can TDS-3 detect Chinese trojans?

Discussion in 'Trojan Defence Suite' started by --?--, May 14, 2004.

Thread Status:
Not open for further replies.
  1. --?--

    --?-- Guest

    Strange question, eh? ;-)

    But I am wondering ... how do you operate the "server creator" if you do not understand its language?
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello guest, TDS understands more than we think.
    Do there exist files completely and only written in Chinese characters?
    Would they run on a Windows system in other languages?
    Or would the translation be something like:
    "As your system most probably doesn't understand Chinese code, manually put the dangerous code in your vital root system and press the wipe clean button? Read the helpfile for further instructions and translation?"
    TDS is used a lot in China as well: if the default system language is set to English it runs fine and detects what there is to be detected.
    The next generation will accept Chinese and other character-based languages as well.
     
  3. --?--

    --?-- Guest

    @Jooske

    TDS will obviously detect a Chinese trojan if a respective signature has been created.

    I was just wondering how the DCS guys will make sure that they will catch any variants. Let's assume the following: DCS does not get a trojan submission but downloads a Chinese trojan from a hacker site. The trojan server can be configured in many different ways (let's say the server creator can build a packed standard server, a packed reverse (DLL) trojan, a non-packed standard server etc.)

    How do you figure this out and how do you make sure that you have created all server variants if you do not understand the language of the GUI (and do not want to waste too much time by trying out each and every button)?

    Btw.: I am just curious how DCS solves this problem and I admit that this question is not the most important one in the world ;-)
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Guess that will be done in the same way as code written in other languages; imagine how even nasty code written in Dutch like Yaha was dealt with (Dutch is called the water Chinese of the north) and its variants, so there must be professional ways.
    Maybe googling for it? Using translation engines? Good connections with people who actually are familiar with Chinese/Korean/Japanese/Vietnamese/Hindi/Arabic languages? How do they deal with Russian-made nasty code, Greek, all that is not English?

    Imagine we would conclude here that the scanners would not be able to deal with those languages: would our systems be able to be infected with them in the first place? Or would such infections cause serious harm if the system were not able to understand them?
    Imagine: an infection would paste itself onto existing files; we would see the file has changed. It would overwrite existing system files without changing the original name; we would detect modifications, and a system maybe not running properly or not at all anymore, if it would be able to overwrite at all, as that command would not be understood if the code was all in Chinese;
    we would see unknown code in our HijackThis and AutoStartViewer logs and investigate, no matter whether it would be in European characters or Chinese; they would not be able to run or be started as our systems would not understand them.

    BTW DiamondCS has Chinese code detection; I sent in some samples myself so I do know that for sure.
     
  5. --?--

    --?-- Guest

    Just a clarification: I am talking about the GUI of the server creator. I do not assume that there is Russian assembler, Greek Delphi, Chinese C++, or even Polish binary code ;-)
     
  6. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    Nautilus, you should also test a known trojan server with Chinese characters in the filename and then start it. Sometimes the server won't work, but sometimes the server works, and if the server works then start a memory scan with TDS ;)
     
  7. gpdev

    gpdev Registered Member

    Joined:
    Jun 22, 2003
    Posts:
    12
    IDA bridges the language gap -
    It translates everything back to the universal assembly language :D
     
  8. --,--

    --,-- Guest

    Щкшпштфдднб Ш юююю

    [Switched from Cyrillic to English language:] Originally, I was just curious how DCS handles server editors with a foreign-language GUI.

    But it seems that JoJo is right. I modified the filename of the well-known Theef 2 beta 5 trojan server, which is detected by TDS-3. Just a few Cyrillic letters were added to the file name.

    It seems that TDS-3 cannot detect the (fully functional) server due to this modification. I believe that the file is "locked" from TDS-3 ... Memory scan also seems to fail.

    Kaspersky Anti-Virus and Ewido Security Suite also fail to detect this sample!

    NOD32 /AH fails to detect this sample if the sample itself is scanned. The sample is detected, however, if the entire folder is scanned ...

    I have sent the sample to Gavin, Tobias and Kaspersky. Perhaps one of them can tell us what's going on.
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This is a known issue - TDS3 (like most scanners, as noted by the anonymous poster) only has partial Unicode support as its target audience is English users, but the soon-to-be-released TDS4 already has full Unicode and multi-language support. Most trojans aren't Unicode-compatible though, so most EditServers don't allow you to use Unicode filenames.

    In regards to your first question, it doesn't matter whether the trojan author speaks Chinese or English, we can add detection for any program. Yes it does make the EditServer server generation process a bit slower in some cases, but it has never really been a problem.

    Best regards,
    Wayne
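    The Unicode-filename failure Wayne describes, reproduced as an added illustration (not DiamondCS or TDS code): a scanner that only handles narrow (ANSI) paths cannot even open a file whose name contains a Cyrillic character, while the same bytes under an ASCII name match, and a scanner using full Unicode paths matches both. The `audit_directory` helper also flags non-ASCII names for an analyst; the signature marker and the sample files are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Constructed marker standing in for a real scanner signature (not a TDS signature).
SIGNATURE = b"DEMO-SIGNATURE"

def has_non_ascii(name: str) -> bool:
    """True if the file name contains any character outside 7-bit ASCII."""
    return any(ord(ch) > 0x7F for ch in name)

def ansi_downgrade(name: str) -> str:
    """Approximate what a narrow-path (ANSI-only) scanner sees: characters it
    cannot represent collapse to '?', so the name no longer refers to the file."""
    return name.encode("ascii", errors="replace").decode("ascii")

def scan_legacy(path: Path) -> bool:
    """Legacy behaviour: open the file via the downgraded name. Returns False when
    the open fails, which is the 'locked' symptom reported in this thread."""
    try:
        data = path.with_name(ansi_downgrade(path.name)).read_bytes()
    except OSError:
        return False
    return SIGNATURE in data

def scan_unicode(path: Path) -> bool:
    """Fixed behaviour: open with the full Unicode path (wide API on Windows)."""
    return SIGNATURE in path.read_bytes()

def audit_directory(directory: Path) -> dict:
    """Per file: is the name non-ASCII, and does each scanning strategy match?"""
    report = {}
    for entry in os.scandir(directory):
        if entry.is_file():
            p = Path(entry.path)
            report[entry.name] = {
                "non_ascii_name": has_non_ascii(entry.name),
                "legacy_match": scan_legacy(p),
                "unicode_match": scan_unicode(p),
            }
    return report

def build_demo_dir() -> Path:
    """Constructed sample set: identical bytes under an ASCII and a Cyrillic name."""
    d = Path(tempfile.mkdtemp())
    (d / "server.exe").write_bytes(b"MZ" + SIGNATURE)
    (d / "server_\u0429.exe").write_bytes(b"MZ" + SIGNATURE)
    return d
```

    The folder-scan versus single-file difference reported for NOD32 above is consistent with the same pattern: a name obtained by enumerating the directory survives intact, while one passed through a narrow-string argument does not.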
     
  10. --?--

    --?-- Guest

    At least TDS-3 & ESS will display a warning that the Unicode file is "locked". This may help the user figure out that something strange is going on.

    By contrast, KAV 4.5 says nothing ... (Haven't tried KAV 5 yet.)
     
  11. Schouw

    Schouw AV Expert

    Joined:
    Jan 4, 2004
    Posts:
    29
    Location:
    Netherlands
    Known issue for KAV 4.x
    Fixed in KAV 5.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks Schouw for the update!
     