Can TDS detect ...?

Discussion in 'Trojan Defence Suite' started by imamuddin, May 15, 2003.

Thread Status:
Not open for further replies.
  1. imamuddin (Guest)

    Hello!

    Can TDS detect trojan.PSWQQthief.16, Trojan.Win32.FlashZero.a, Joke.Win.Jep-Russ and JS.GEOVISIT? I am at a crossroads. I tried some anti-trojan utilities like Antiy Ghostbusters, SpyGuardian etc., which show different infections of the types mentioned above and many others. AntiTrojan 5.5 does not show anything at all. TrojanHunter shows some very different files with a warning and separates them into a temp folder. I tried the online test at kaspersky.com; it shows no infection. But I found that its list of trojans and viruses does not have entries for the above-mentioned trojans. Maybe that is why it is not showing an infection.

    Can anyone tell me where TDS-3 stands against all those anti-trojan utilities, and can it detect and eliminate them?

    Thanks and regards,

    Imamuddin
     
  2. xor (Guest)

    trojan.PSWQQthief.16 - it should
    Trojan.Win32.FlashZero.a - it should
    Joke.Win.Jep-Russ - no because this is a joke virus
    JS.GEOVISIT - no because this is a JAVASCRIPT Worm

    Michael
     
  3. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)
    Hello, imamuddin
    Yes, it is in the TDS3 primary list.
    Not in the primary list, or anyway not under that name, but TDS3 has many ways of detecting trojans. I am sure Gavin (DCS) will give you a definitive answer.

    You can download a 30-day trial from: http://tds.diamondcs.com.au/index.php?page=download ; if you decide to trial it you can get the latest radius files from here: http://tds.diamondcs.com.au/radius.td3
    [24741 references - 8057 primaries/6560 traces/10124 variants/other]

    HTH, Pilli
     
  4. imamuddin (Guest)

    Hello Pilli and xor!

    Thanks.

    Let me give it a try and see.

    Regards,

    Imamuddin
     
  5. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Hi there!
    The JS should be detected and blocked by WormGuard, so give that a try too, once you're downloading anyway.

    Do you have those nasties on your system or how did you come to this question?
     
  6. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)
    JS is not detected.
    Joke.Win32.JepRuss is detected.

    At least one of the others should be detected; if you have suspect files just email them in for examination: submit@diamondcs.com.au

    Over the weekend feel free to PM me here and I will give you an email address to send them to me at home ;)
     
  7. imamuddin (Guest)

    Hello TDS-3ians!

    I downloaded and updated TDS-3 with the latest rule set. However, it failed to point to those trojans and worms I asked about. I did not find them in the primary list either. So it obviously cannot detect them.

    Let me check some other AT.

    Thanks and regards,

    Imamuddin
     
  8. spy1 (Registered Member; joined Dec 29, 2002; 3,139 posts; Clover, SC)
    imamuddin - I've really got to question whether or not those "results" you're getting from AntiGhostBusters (?) and SpyGuardian (?) are anything but false positives by those respective programs, and not a "failure to detect" by TDS.

    Instead of running around trying different programs for confirmation, why don't you simply submit the results you got from the first two to their vendors and see if they can give you some input into whether they were simply "false positives" or not? Pete
     
  9. Wayne - DiamondCS (Security Expert; joined Jul 19, 2002; 1,533 posts; Perth, Oz)
    Very good advice Pete :)

    Either way, if anybody ever believes they have a file that isn't detected by TDS, all they have to do is send it to support@diamondcs.com.au and we'll verify whether or not it's applicable to add detection for, and if detection is applicable we'll normally add it within 6 hours.
     
  10. SmackDown (Guest)

    Seems like your program is giving you a false alarm, as in this thread: http://www.misec.net/forum/?board=TrojanHunter;action=display;num=1053006050;start=

    Have you sent Vampirefo1 the files?
     
  11. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Look, I once tried out (beta testing) another product and was rather surprised by several detections. I sent the complete log to Gavin, who was kind enough to look through it and through several samples it alarmed on.
    False, false, false, and alarms on the leaktest etc. I was of course already alarmed when it alerted on a list of herbs for food recipes. Anyway, if there was anything usable in it, it is in the primaries for TDS, or who knows, in further WormGuard detection; refining, at least.

    For the files found, if you know they are there, why hesitate any moment longer? Just send them in to the serious developers, who can tell you if they are a real threat or not.

    If you read Javacool's story about people trying to clone his databases, there are included some detections of nasties which don't exist and which enable him to trace back the copycat of his software. He is most certainly not the only coder adding his signature in such ways.

    So if you have the files, in whatever way they got there, just send them in for the wellbeing of the whole internet.
    Thanks a lot.
     
  12. Wayne - DiamondCS (Security Expert; joined Jul 19, 2002; 1,533 posts; Perth, Oz)
    Folks, it's good to be aware that many freeware scanners are prone to false alarms. Don't get me wrong, freeware programs are great: they provide you with a free service, and indeed we offer many freeware programs ourselves. However, freeware programs shouldn't be completely relied on when it comes to SECURITY. (Would you lock your front door with a lock that somebody you didn't know gave you for free?) Freeware security scanners are always relatively unsupported and infrequently updated, and as they don't make the author any money (and only cost them time due to support), they're not paid much attention. This isn't the case with commercial/shareware applications, so I encourage you to make such decisions wisely :)

    Personally, and speaking from experience, I think freeware is excellent. It allows you to do many things easily and at no cost, but when it comes to something as critical as security you simply can't rely on freeware to do the job adequately.
     
  13. SmackDown (Guest)

    Hi, Wayne. I agree with what you said about freeware, but these programs aren't freeware; they are shareware, meaning they cost money. :D :D
     
  14. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Extra reason to send the samples to the developers. Did you in the meantime submit them to the TDS lab so they can look at what's the matter with the files?
    Even if you don't see a specific name in the primaries, that doesn't mean it would not be detected, as there are so many ways of detecting malicious code; it would be alarmed as "suspicious", for instance, while WormGuard would block and alarm on the scripts and more worm-specific stuff, and Port Explorer would show you immediately any possible outbound connections, while (if there were any application behind those) these would not even be able to run at all with the registered TDS version with exec protection installed.
    So why worry?
    Submit the nasties and let's have a professional answer!
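
The point Jooske makes above, that a scanner detects by code and by generic "suspicious" checks rather than by the name some other vendor uses, and that an over-broad heuristic is exactly what alarms on a list of herbs, as an added example that is not part of the original thread and is not TDS-3 code. The two vendor databases, the sample bytes and the detection names other than the one quoted from the thread are all constructed for illustration; no real malware is involved.

```python
"""Toy scanner showing why "not under that name in the list" is not "not detected".

Added example, not TDS-3 code. The samples, the two vendor databases and the
detection names are constructed for illustration; no real malware is used.
"""
import hashlib
import re
from typing import Optional, Tuple

# Constructed "files": a PE-looking stub, a variant with four bytes changed,
# and a harmless text file that happens to contain a suspicious-looking phrase.
STUB = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_A = STUB + b"QQ password stealer stub \x01\x02\x03\x04 send mail"
SAMPLE_B = STUB + b"QQ password stealer stub \x09\x08\x07\x06 send mail"
BENIGN = b"Shopping list: basil, thyme, oregano. Remember to send mail to aunt."

Detection = Tuple[str, str]  # (method, detection name)

# Vendor X knows SAMPLE_A by exact hash, under the name quoted in the thread.
# Vendor Y has never seen SAMPLE_A but carries a wildcard byte pattern under its own name.
VENDOR_X = {
    "primaries": {hashlib.sha256(SAMPLE_A).hexdigest(): "trojan.PSWQQthief.16"},
    "patterns": [],
}
VENDOR_Y = {
    "primaries": {},
    "patterns": [(re.compile(rb"QQ password stealer stub .{4} send mail", re.DOTALL), "PWS-QQ.gen")],
}
# Strings a generic heuristic might key on (constructed).
SUSPICIOUS_HINTS = [rb"send mail", rb"password stealer"]


def name_in_list(name: str, db: dict) -> bool:
    """What the user did: look for another vendor's name in this vendor's list."""
    names = set(db["primaries"].values()) | {n for _, n in db["patterns"]}
    return name in names


def heuristic(data: bytes, require_pe: bool = True) -> Optional[Detection]:
    """Generic 'suspicious' verdict. Restricting it to PE-looking files is what
    keeps it from alarming on a text file full of recipe ingredients."""
    if require_pe and not data.startswith(b"MZ"):
        return None
    if any(re.search(hint, data) for hint in SUSPICIOUS_HINTS):
        return ("heuristic", "Suspicious")
    return None


def scan(data: bytes, db: dict, require_pe: bool = True) -> Optional[Detection]:
    """Exact hash first (primary), then byte pattern (variant), then heuristic."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in db["primaries"]:
        return ("primary", db["primaries"][digest])
    for pattern, name in db["patterns"]:
        if pattern.search(data):
            return ("pattern", name)
    return heuristic(data, require_pe)


def cross_check(samples: dict, vendors: dict) -> dict:
    """Run every sample through every vendor DB; disagreement is the cue to submit."""
    return {s: {v: scan(data, db) for v, db in vendors.items()} for s, data in samples.items()}


if __name__ == "__main__":
    samples = {"sample_a": SAMPLE_A, "sample_b": SAMPLE_B, "benign": BENIGN}
    vendors = {"vendor_x": VENDOR_X, "vendor_y": VENDOR_Y}
    for sample, verdicts in cross_check(samples, vendors).items():
        print(sample, verdicts)
    print("vendor X's name present in vendor Y's list:", name_in_list("trojan.PSWQQthief.16", VENDOR_Y))
    print("sloppy heuristic on the benign file:", heuristic(BENIGN, require_pe=False))
```

Run it and the variant SAMPLE_B, which vendor X has no hash for, still comes back as "Suspicious" from X and as PWS-QQ.gen from Y, while the name "trojan.PSWQQthief.16" appears nowhere in Y's list; and the benign text file only alarms once the PE check is dropped, which is the false-positive pattern the thread is complaining about.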
     
  15. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)
    Sorry TDS couldn't detect those false positives :D

    If you are ever unsure just send the files to submit@diamondcs.com.au and we will professionally analyse them for you. This includes full disassembly whenever the file is suspect at ALL, and we will of course then run the file(s) on test machines.
     
  16. Jooske (Registered Member; joined Feb 12, 2002; 9,713 posts; Netherlands, EU near the sea)
    Imamuddin,
    I wonder if you read the answers and serious advice you get on the various forums. Fortunately most serious posters do, and help users in different forums where possible, as we take security seriously for ourselves and for the internet community as a whole, and because we love the tools we found we also love to help other users with them.
    You posted for instance that you had to trash two other AT products because you had not given yourself time to look deeper into them and test them for your needs on your system. This is a great pity and I am really sorry for you, and for your waste of time and money.
    Why do you think we always advise to shop around, look deeper into the products and ask questions, but also please to read the answers you get?
    The products you are looking at have a 30-day trial period, and the serious support and information can help you with your questions. Be assured the developers know each other, as do the users and the posters, and we know very well the backgrounds of poster X telling a story about product A or B. See in one of the threads here, for instance, how several developers posted, and because one of them shed light on the matter another was helped to solve his detection, etc. (See the "polymorphic trojan example" in the stickies here.)
    Of course they are among the posters; they all keep in touch with the community.
    You see them all describing KAV as setting the standards.
    You have seen people take the trouble to download the program you seem to trust so much and test the software you got alarms on, and everybody in the forums tells you these are false positives.
    They have all given you the same advice about that software; I hope you got it as a trial and did not pay for it yet, another waste of time and money.
    People wrote to you several times that the trojans you mention are detected by TDS and are even in the primary list, and you write "they are not even in the primary list", so I can only ask whether you took the trouble to really update the radius database after installing the product?
    Did you install WormGuard to block your script and joke things?
    Did you read that even if a thing is not in the list under that name, chances are high TDS detects it anyway, as it doesn't detect by the name nastyX but by code and many other ways?

    Tell you what:
    You install TDS properly, update the database, configure it with all options checked and on the highest sensitivity, and when it's ready you give us a screenshot here with the full GUI and the finds
    (if you don't have a screenshot program just press Alt+PrintScreen, open Paint and paste the image in, save as GIF or JPG to reduce the size and post it here).
    You right-click on one of the files and choose "save to textfile", which is Scandump.txt, located in the TDS-3 directory; locate that file and post it here.
    Next you click on any of the suspicious files you have questions about; it would be preferred if you zip them and send them to submit@diamondcs.com.au.
    Gavin will most certainly offer some of his spare time where possible to look at the alerts log of the other program you use (post it here please, so we can help locate info for you in the meantime) and will ask you for files which might look suspicious in his opinion, to test them for you.
    All this will save you bunches of time, worries and gray hairs, and is a very good learning opportunity to give better advice in future, and now, to the people who are awaiting your opinions and who, as you posted in the other forum, can't wait two more days for you to test the best solution. And all this for a user who has not registered any of the DCS software yet.
    Now you are a business person, so you must really be able to appreciate all this service, all for free and by so many users who are not paid a dime to help you with your questions. Don't ask why; probably the art of living.
    TDS goes Cuckericooo, it wants coffee, so I'll make some now.
    Half past 6 on a Sunday morning, but OK.
    Really looking forward to your next experiences in the meantime.
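
The submission steps above (collect the files the other scanner alarmed on, zip them, keep the scan output, send them to submit@diamondcs.com.au) as an added example that is not part of the original thread and not DiamondCS code. The Scandump.txt format is not modelled; the file names, their bytes, the manifest layout and the note text are constructed for the example. What it adds to the bare "zip them" instruction is a manifest of sizes and hashes, so that the recipient (or you, later) can confirm which bytes were actually analysed.

```python
"""Package suspect files for vendor submission, with a manifest of hashes.

Added example, not DiamondCS code. The sample file names and bytes are
constructed and harmless; the manifest layout is this example's own.
"""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Constructed stand-ins for "files the other scanner alarmed on" (harmless bytes).
SAMPLE_FILES = {
    "winlogon_helper.exe": b"MZ\x90\x00" + b"\x00" * 32 + b"not a real PE, just sample bytes",
    "notes.js": b"document.write('hello'); // constructed sample, nothing to do with any real worm",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def describe_file(path: Path) -> dict:
    """Size, several hashes and the leading bytes: enough to identify the sample
    unambiguously in any later conversation with the vendor."""
    data = path.read_bytes()
    return {
        "name": path.name,
        "original_path": str(path),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": sha256_hex(data),
        "first_bytes": data[:4].hex(),
    }


def build_bundle(paths, out_zip, note: str = "") -> dict:
    """Zip the suspect files plus a manifest.json; returns the manifest."""
    manifest = {"note": note, "files": []}
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as z:
        for p in map(Path, paths):
            if not p.is_file():
                # Fail loudly rather than silently shipping an incomplete bundle.
                raise FileNotFoundError(f"suspect file missing: {p}")
            entry = describe_file(p)
            # Hash prefix keeps archive names unique even if two files share a basename.
            entry["archive_name"] = f"samples/{entry['sha256'][:12]}_{p.name}"
            z.write(p, arcname=entry["archive_name"])
            manifest["files"].append(entry)
        z.writestr("manifest.json", json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_bundle(zip_path) -> bool:
    """Re-hash every archived sample and compare against the manifest."""
    with zipfile.ZipFile(zip_path) as z:
        manifest = json.loads(z.read("manifest.json"))
        for entry in manifest["files"]:
            if sha256_hex(z.read(entry["archive_name"])) != entry["sha256"]:
                return False
    return True


def demo():
    """Write the constructed samples to a temp dir, bundle them, return (manifest, zip path)."""
    workdir = Path(tempfile.mkdtemp(prefix="submit_"))
    paths = []
    for name, data in SAMPLE_FILES.items():
        p = workdir / name
        p.write_bytes(data)
        paths.append(p)
    out_zip = workdir / "submission.zip"
    manifest = build_bundle(paths, out_zip, note="Alarmed on by scanner X; TDS-3 reports clean")
    return manifest, str(out_zip)


if __name__ == "__main__":
    m, z = demo()
    print(json.dumps(m, indent=2))
    print("bundle verifies:", verify_bundle(z), "->", z)
```

One caveat before mailing the result: Python's zipfile cannot write encrypted archives, and many vendors' submission instructions ask for a password-protected archive so mail filters do not strip the attachment. If the vendor asks for that, repack the samples directory with a tool that supports it (Info-ZIP's `zip -e`, 7-Zip's `-p`) and keep the manifest alongside.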
     