False Positive Today-Syslogd.exe

Discussion in 'Trojan Defence Suite' started by n0mad, Feb 6, 2005.

Thread Status:
Not open for further replies.
  1. n0mad

    n0mad Registered Member

    Joined:
    Jan 4, 2003
    Posts:
    8
    Location:
    Mississippi
    Started my TDS3 and received this:

    Scan Control Dumped @ 23:27:10 05-02-05
    Positive identification: DDoS.RAT.rBot.apk
    File: c:\program files\syslogd\syslogd.exe

    I submitted this to Diamond Labs. This post is mostly informative, I will post back with results.

    Anyone else seeing this?
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Is that the standard version of Kiwi Syslog Daemon? My service version does not have a syslogd.exe but a syslogd_service.exe and scanning the program folder did not produce similar results.

    Regards,

    CrazyM
     
  3. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Doesn't seem right at all. Try a different database location if you are a registered user; do you still get the alarm?
     
  4. n0mad

    Gavin, I'm using Syslog Daemon 7.1.4 freeware version with Sygate Personal Firewall Pro 5.5 build 2710 on a Pentium 4 system with XP Home. I am a registered user of TDS3.

    Please explain the different database location. I thought about deleting the Syslog program and setting it up again to see if I get the same alarm. This comes on the Mutex Memory scan at start-up; also, if I tell TDS3 to rescan the file, I get the alert again.

    Edit: Gavin, I deleted my old Syslog and downloaded the newest daemon version from the Kiwi website. I still get the same alert as before. I will mention that this is the non-service version of 7.1.4 Kiwi Syslog Daemon.
     
    Last edited: Feb 6, 2005
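An added example (not code from the thread, from DiamondCS or from Kiwi) of the check n0mad performed by hand in the post above: hash the installed Kiwi binaries and compare them with a freshly downloaded copy from the vendor. If the installed copy is byte-identical to the fresh download and the scanner still alarms, the finding is about the detection signature rather than about tampering with that file. The file names are the ones reported in this thread; the directory layout and the file contents built in `demo()` are constructed for the example, not real Kiwi files.

```python
"""Compare installed binaries against a freshly downloaded reference copy."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# File names as reported by the posters in this thread.
FILES_OF_INTEREST = ("Syslogd.exe", "Syslogd_Service.exe", "Syslogd_Manager.exe")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_reference(fresh_dir: Path, names=FILES_OF_INTEREST) -> dict[str, str]:
    """Hash each file of interest present in a freshly downloaded, unpacked copy."""
    return {n: sha256_of(fresh_dir / n) for n in names if (fresh_dir / n).is_file()}


def compare_install(installed_dir: Path, reference: dict[str, str]) -> dict[str, str]:
    """Classify each reference file as 'match', 'mismatch' or 'missing' in the install."""
    result: dict[str, str] = {}
    for name, ref_digest in reference.items():
        candidate = installed_dir / name
        if not candidate.is_file():
            result[name] = "missing"
        elif sha256_of(candidate) == ref_digest:
            result[name] = "match"
        else:
            result[name] = "mismatch"
    return result


def demo() -> dict[str, str]:
    """Constructed scenario (assumption, not real data):

    - the fresh download ships all three files;
    - the install is a service-version layout with no Syslogd.exe (as CrazyM
      describes), so that file reports 'missing';
    - Syslogd_Service.exe is unchanged ('match');
    - Syslogd_Manager.exe has been altered on disk ('mismatch').
    """
    with tempfile.TemporaryDirectory() as tmp:
        fresh = Path(tmp) / "fresh"
        installed = Path(tmp) / "installed"
        fresh.mkdir()
        installed.mkdir()

        # Placeholder contents standing in for real PE files.
        blobs = {
            "Syslogd.exe": b"MZ constructed blob 1",
            "Syslogd_Service.exe": b"MZ constructed blob 2",
            "Syslogd_Manager.exe": b"MZ constructed blob 3",
        }
        for name, data in blobs.items():
            (fresh / name).write_bytes(data)
        (installed / "Syslogd_Service.exe").write_bytes(blobs["Syslogd_Service.exe"])
        (installed / "Syslogd_Manager.exe").write_bytes(b"MZ constructed blob 3, patched")

        return compare_install(installed, build_reference(fresh))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A "match" only shows that the installed copy equals what the vendor currently serves over the channel you downloaded from; it does not by itself prove that copy is clean, which is why submitting the sample to the scanner's vendor, as both posters in this thread did, remains the right next step.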
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    What Gavin is saying is to try downloading the latest update file from a different location.

    Look in your update.cfg file and see which server is listed at the top.

    Then download the new update.cfg file from the TDS home page, do a manual install of the database, and see if you get a different reading.
     
  6. n0mad

    OK, here is the deal. I updated my Radius files manually. It still indicates the alarm in the GUI. I go to my logs and it says there were no trojan mutexes found and gives no indication that anything was found.

    Other than the indication shown at the bottom of the opening screen, the logs say everything is fine. I will wait for a response from Diamond Labs about the file I sent them.

    Damn, I need a cup of coffee!
     
  7. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    I also get a warning with Kiwi (two, in fact): the first when I do a Process memory scan, the second when I run Kiwi.

    Scan Control Dumped @ 23:48:18 06-02-05
    Live trojan found (in process memory): Unknown Trojan
    File: C:\Program Files\Syslogd\Syslogd_Service.exe
    Positive identification: DDoS.RAT.rBot.apk
    File: c:\program files\syslogd\syslogd_manager.exe

    Both files have been submitted.

    EDIT: I am running the service version of Kiwi
     
  8. n0mad

    New Radius updates today (2/7/2005) seem to have cleared up the issue for me. Diamond Labs have still not replied and when they do I will post here.

    I would like to thank Gavin and the gang at Diamond Labs for giving us such a powerful tool against the "bad guys"; utmost confidence in these guys and gals and their wonderful product!

    --Disclaimer-- I am not, nor have I ever been, an employee of Diamond Labs. This is not a paid advertisement for the product, just an honest opinion. Good day, m8s!
     
  9. frogfoot

    The latest database update allows me to run Kiwi (it was blocked with yesterday's database). However, if I do a process scan with Kiwi running I get the following:

    Scan Control Dumped @ 17:59:07 07-02-05
    Live trojan found (in process memory): Unknown Trojan
    File: C:\Program Files\Syslogd\Syslogd_Service.exe
    Live trojan found: Unknown Trojan
    File: C:\Program Files\Syslogd\Syslogd_Manager.exe

    Are these false alarms?

    I do hope so
    Tom
     
  10. frogfoot

    Anyone?
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi frogfoot, Gavin is probably doing a deeper analysis, and this probably takes a bit longer; hopefully he will reply when his research is complete.

    Thanks. Pilli
     
  12. frogfoot

    Thanks Pilli, I will look forward to Gavin's input.
    Tom
     