Is TDS-3 SPYWARE? Why does it read "unowned" windows?

Discussion in 'Trojan Defence Suite' started by Hop A. Long, Aug 23, 2004.

Thread Status:
Not open for further replies.
  1. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    I REALLY like TDS-3 Pro and would like to buy it. But the program called "snoopfree" indicates that TDS is spyware. As when I use TDS to scan for trojans, snoopfree alerts me about an "Unowned Window Read". It indicates that TDS is "trying to read text from a window it does not own". And "if you allow this, the program will be able to read sensitive text from any window at any time". (Until I do a restart.)

    In other words, it's saying that TDS wants to spy on me, and stick its nose in everything I'm doing on my computer. My snoopfree log shows that it blocked "foreign text access" to TDS a total of 271 times during a scan I just ran (using TDS to hunt for trojans). But yet TDS still functioned the same as when I DID allow it access. So obviously, the program does not NEED to be able to read my other windows in order to function properly.

    Note: The first time you use snoopfree, it will pop up a window to warn you about the spying attempts, and from then on it will just flash the icon in the system tray. Click on the icon and you'll see the log listing the details.

    So please, some of you experts who aren't associated with TDS in any way, investigate this and tell me the program has a legitimate need to read windows that don't pertain to TDS. Because if it doesn't, then there's no telling what other type of spying TDS is doing that snoopfree doesn't have the ability to detect and stop.
     
    Last edited by a moderator: Aug 27, 2004
  2. dvk01 (Global Moderator; joined Oct 9, 2003; posts: 3,131; location: Loughton, Essex. UK)
    I don't know about snoopfree but any antitrojan or antivirus needs to be able to read & write to EVERY file and folder on the computer, that is the only way it can examine every file and see if it is infected and fix them if an infected file is found

    I would be very cautious about snoopfree and other similar programs that might warn of legitimate attempts to access windows files

    I am sure that if you run your antivirus then snoop free will tell you exactly the same
     
  3. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    Hmm, but TrojanHunter didn't set off the snoopfree alarm, nor did Norton AV, NOD32, PestPatrol, or Spybot. Also, you say that it's "the only way it can examine every file and see if it is infected and fix them if an infected file is found". But the fact is that TDS was able to detect a trojan, even though I denied it read access to my other windows. Which is why I had stated that the program functions normally, regardless of whether I deny it access.
     
  4. Tassie_Devils (Global Moderator; joined May 8, 2002; posts: 2,514; location: State Queensland, Australia)
    Hi Hop A. Long :) Welcome to the forum. :D

    Like Devinco, I've never used/seen snoopfree, but trust me, TDS is NOT UNDER ANY CIRCUMSTANCES SPYWARE. [apart from the fact it "looks" at every file when scanning, no different to any other scanner]

    Its ability to read/access system files thoroughly and deeply is probably what is triggering this thing off.

    If you are in any doubt over TDS 'spying' you only have to do searches on net to read reviews, etc.

    Go to any other forum and ask that question and, no disrespect as I understand your concerns if another program is alerting you, but you will be told in no uncertain terms, it is not. TDS is extremely highly regarded in Security Circles all over the net.

    Any MOD/ADMIN will vouch for it [as in spyware FREE] on virtually any forum on the net.

    Yes, I use and run TDS, no I do not work for DCS, although I and many others in here, virtually have the full array of DCS's tools.

    Hope this alleviates any concern you may have.

    The fact you said that even denying access and it was still able to detect a trojan, speaks for itself. :)

    Good luck with it if you decide to purchase it.

    Cheers, TAS
     
  5. Jason_DiamondCS (Former DCS Moderator; joined Nov 11, 2002; posts: 1,046; location: Perth, Western Australia)
    Reading window text is one part of specific signature detection algorithm. By denying access to TDS-3, you are stopping it from working fully. However, there should be no harm if you block TDS-3 from doing this, apart from the fact that it may miss some trojans it would otherwise detect.
     
  6. Wayne - DiamondCS (Security Expert; joined Jul 19, 2002; posts: 1,533; location: Perth, Oz)
    TDS advanced detection techniques

    This is because other scanners don't look at Window objects as a method of detection - it's a detection method virtually exclusive to TDS3, just one of its many advanced detection methods, and we're able to provide you with these extra detection methods because we carefully analyse all files to see exactly what they do. It's like having several extra layers of security in the one scanner - if one detection technique fails to identify a trojan, other techniques should detect it. (This is in stark contrast with other scanners, where if the file scanner fails to detect it then it's game over). Other detection techniques include mutex identification, process memory analysis, registry value traces, and more - not forgetting file detection of course, which has its own array of advanced detection techniques. Hope that helps.

    Best regards,
    Wayne
     
  7. controler (Guest)

    Ok now you gone and done it Hop Along Cassidy
    Since installing the newest anti-keylogger program, I just let it sit there and run. The old version gave warnings and had an on-demand scanner. This new version doesn't.
    If you read their new statement, you notice it works transparently without alerting the user.
    Does this mean when TDS-3 is reading windows text anti-keylogger is disabling that function and I am not as protected?

    "Anti-keylogger™ works transparently for the user and silently, asking the user no questions thus excluding user's probability of error when making a decision.
    Protection against windows text capturing."


    Bruce
     
  8. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    Re: TDS advanced detection techniques

    Could you be more specific... exactly how does looking at window objects help in detecting trojans? And on a scale of 1-10, just how significant is this feature in its ability to detect trojans that your other detection methods could miss? Also, does your program look at JUST the windows that happen to be open at the time of the scan?

    In addition, you refer to it as an extra detection method that your competitors don't have--but yet there's no mention of it on your web site. So I was wondering why you've been keeping it a SECRET until now? I'm not trying to tell you how to run your business, but as much competition as you have, doesn't it make sense to list ALL of the benefits of your program? As this would not only give you an edge on your competitors, it would also enable your customers to evaluate your program more thoroughly and thus avoid wasting their time and money on substandard programs.

    In other words, when prospective customers are comparing your program with TrojanHunter, they want to know what your program can do that TrojanHunter can't do. And if your program has several additional detection methods that you can make a good case for, then that could make all the difference in the decision they make. It might also avoid getting paranoid people all riled up when they run snoopfree and it alerts on your program.
     
  9. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    How did you know my last name--did you use javascript to slip me a trojan when I blinked?

    The program you're referring to is useless to me, as I want to be alerted when a program is nailed trying to spy on me, so I can uninstall it if I don't fully trust it. As it may have other means of spying at its disposal, such as a back door that anti-keylogger obviously can't detect, which would allow the programmer to come in at will and prowl around in real time.
     
  10. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    So are you saying that since TrojanHunter lacks this detection method, it can miss trojans that your program would detect? If so, has your company run any tests to prove this? As it seems like it would be a very quick and simple test to do. Also, what other detection methods does TDS-3 Pro offer that TrojanHunter lacks, that you've also been keeping a secret?

    And in reference to your statement "Reading window text is one part of specific signature detection algorithm." I don't understand why your program would need to read windows in order to carry out ANY part of its signature detection duties. Isn't there ANY other way to do the job without setting off a trojan alarm like snoopfree? As don't you find it ironic that your trojan detection program is doing something that constitutes an "EXTREME PRIVACY RISK", as snoopfree describes it? And is also one of the three major methods used by trojans to spy on people.

    I realize that your company is well respected and trusted, but so was Enron before they were nailed. The bottom line is that the way your program is currently set up, "it can read sensitive text from any window at any time". And since a large percentage of people who buy trojan detection programs are 'cautious' by nature, can you see why it might be in your company's best interest to elaborate on this issue on your web site? As 99 out of 100 people won't write you when snoopfree alerts on your program--they'll just uninstall it and buy TrojanHunter.
     
    Last edited: Aug 23, 2004
  11. controler (Guest)

    Hopalong

    No I used to watch that show as a kid in black and white LOL

    I agree with you on the wanting to be alerted. I was only mentioning it because I don't think it is right to do their thang and not tell you what they are doing. Hence, you don't know if TDS is being crippled or not.
    You are making some good points but I am sure you never thought TDS was spying on you. They are standup people and would never stoop to that level
    unlike MS and some others.
    I have a free lifetime lic from Anti-Keylogger for doing some testing.
    Some people think I am good enough to test their software. Symantec, Intuit,
    Spybot etc. all thought so but some of these DCS people are hard to crack LOL
    Now that I found out my health is ok, I will be doing A LOT more testing again.
    You can count on that.

    Bruce
     
  12. FanJ (Guest)

    Hmm, maybe also a good idea to read the HelpFile, page : 16 Ways To Smell A RAT.
    Scroll down to where is written about "screen objects". ;)
    And to read the page : "Screen Objects List". ;)
     
  13. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    :( Rats! Unfortunately, it wasn't such a good idea, as neither page pertained to the issue at hand. Which is TDS-3 being able to read the text of any window opened after their program is used, until the next restart. The topic you're referring to involves the use of their "screen objects editor", which allows users to manually force invisible objects to reveal themselves. :'( But thanks anywho.

    Cassidy
     
  14. Wayne - DiamondCS (Security Expert; joined Jul 19, 2002; posts: 1,533; location: Perth, Oz)
    Memory\window objects

    Most remote access trojans actually have unique window objects that can be detected by TDS3. By "window objects" this essentially refers to any object in memory that has a handle, including what you would know as normal windows. These are almost always hidden from view so the infected user never sees them, but because of their presence and often static nature they can be used as a very effective method of detecting most trojans. Mutex detection is another similar detection method - many trojans set mutex 'flags' in memory which they use to determine if they're already running (to prevent multiple instances of the trojan from running) ... so if the trojan itself uses a mutex to detect if it's running, it only makes sense to use that also as a detection method along with the other methods.

    And yes, TDS3 is the only scanner that offers these two detection techniques.

    It's not TDS3's primary detection method but it provides another layer of security; it's a lot harder for trojans to beat a dozen detection methods than one.

    All detection techniques are equally important as they all support each other - if one detection technique fails it's quite likely that another technique will work.

    Thanks for your other feedback, we'll take it on board.

    Best regards,
    Wayne
     
    Last edited: Aug 23, 2004
  15. Andreas1 (Security Expert; joined Jan 29, 2003; posts: 367; location: Mainz (Ger))
    Hi all,

    If I understand the detection method in question correctly, it goes like this: Suppose you have a trojan author who uses a software development suite that sets up all sorts of things automatically for him. Every program has a window (thinks the suite), so it creates one for the new trojan app - and gives it a window title of "title goes here". Now our trojan author inserts his spying and communication code on the form and finally defines the window as "hidden". Also, he doesn't change the window title, since it's hidden anyway.
    Now the trojan scanner comes along and has a look at all windows to see if they're hidden and have a title of "title goes here". If it finds one, that could be a good indicator of the presence of the trojan discussed before. And for this to work, there's no way round reading the windows' captions (and I've been using these just as an example).

    Also, AFAIU, this detection is a method of detecting malicious programs already active. Maybe you can also scan window objects in resource sections of files on-disk (don't know), but at least Hop A Long's alert message is about windows of running processes, not windows that would be created if some program xy was actually launched...

    (As to how secret this detection method had been kept, I can't comment - and don't want to spend much time researching it.)



    But then, there's something about Hop A Long's argument that I don't agree with in general:

    Everyone I know in the computer security business agrees about one thing: At one point, you'll have to trust someone. Of course it is okay if my trojan scanner is trying to read out information about what I have running and installed on my system. And that in itself is sensitive information already. Of course it is okay if my trojan scanner reads all the files on my harddisk to see if there are trojans hidden in them - even those excel sheets where I have my banking details and even those dll files where my registration data for other programs I'm using is stored.

    Every piece of sensitive information that is stored on your harddisk (and remember that even information you have just in RAM will eventually be swapped to the disk) is going through the application you're using/editing/viewing it in, through the API of your Operating system, through your computer's BIOS, through the hardcoded software inside your harddrive and is stored on your harddrive. Why don't you ask Seagate, AMI, Adaptec, Microsoft about why they need to access sensitive information to do their job?
    Or think about it the other way

    Or, if you prefer, put it the other way round: Actually what is snoopfree doing? (Not knowing how it's working exactly, I'm guessing a bit, but still...) It hooks into certain functions that your OS offers to the applications running on it, and then it monitors every call of that function? There are possibly sensitive bits of information passed in those calls - is it an EXTREME PRIVACY RISK to have a program sitting there, watching all the information passing by, allowing and occasionally blocking some of it?

    So,
    that's probably true, but maybe not. Maybe they will uninstall snoopfree for sitting in a sensitive place and not behaving adequately, when it has to mess with the AV/AT-scanner, but instead yelling EXTREME PRIVACY RISK ...from any window, any time, one of the three major methods used by trojans for spying on people!!! (snoopfree wanting to tutor me and my Anti-trojan scanner about trojan methods?)

    If all of this were brought forward in a less excited, oversimplifying (sensationalist, dare I say populist?) manner, one could have a reasonable discussion about this and that.
    ...having said that, I will try to cool down myself as well :p and see how the discussion will continue.


    Cheers,
    Andreas
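
An added example, not part of the thread and not DiamondCS code: the hidden-window and mutex checks described in posts 14 and 15, sketched in Python over a constructed snapshot, with optional live enumeration on Windows through the Win32 calls EnumWindows, GetWindowTextW, GetClassNameW and OpenMutexW. The signature names, the mutex name and the sample windows are constructed for illustration (only the caption "title goes here" comes from the post above); `deny_text_reads` models a monitor that blocks caption reads, which removes the window layer and leaves the mutex layer.

```python
import sys
from dataclasses import dataclass
from typing import NamedTuple, Optional


class Window(NamedTuple):
    title: str     # caption; empty if the window has none or the read was blocked
    cls: str       # window class name
    visible: bool


@dataclass(frozen=True)
class Signature:
    family: str                   # hypothetical family label
    title: Optional[str] = None   # exact caption expected on a hidden window
    cls: Optional[str] = None     # exact class name, if the signature pins one
    mutex: Optional[str] = None   # named mutex used as a single-instance flag


# Constructed signatures. Only "title goes here" comes from the thread.
SIGNATURES = [
    Signature("ExampleRAT.A", title="title goes here", mutex="ExampleRAT_A_running"),
    Signature("ExampleRAT.B", title="Form1", cls="ExampleFormClass"),
]

# Constructed snapshot of running state, not captured from a real machine.
SAMPLE_WINDOWS = [
    Window("Inbox - Mail", "MailFrame", True),
    Window("title goes here", "DevFormClass", True),   # visible, so ignored
    Window("title goes here", "DevFormClass", False),  # hidden, matches .A
    Window("", "WorkerW", False),                      # hidden but unnamed
]
SAMPLE_MUTEXES = {"ExampleRAT_A_running", "SomeEditor_SingleInstance"}


def window_matches(sig, w):
    """A window counts only if it is hidden AND its names equal the signature's."""
    if w.visible or (sig.title is None and sig.cls is None):
        return False
    return ((sig.title is None or w.title == sig.title)
            and (sig.cls is None or w.cls == sig.cls))


def scan(windows, mutex_exists, signatures=SIGNATURES):
    """Return a sorted list of (family, layer) hits; each layer is independent."""
    hits = set()
    for sig in signatures:
        if any(window_matches(sig, w) for w in windows):
            hits.add((sig.family, "window"))
        if sig.mutex is not None and mutex_exists(sig.mutex):
            hits.add((sig.family, "mutex"))
    return sorted(hits)


def deny_text_reads(windows):
    """Model a monitor that blocks caption reads: every title comes back empty."""
    return [w._replace(title="") for w in windows]


def live_windows():
    """Enumerate top-level windows through user32 (empty list off Windows)."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.windll.user32
    user32.GetWindowTextW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.GetClassNameW.argtypes = [wintypes.HWND, wintypes.LPWSTR, ctypes.c_int]
    user32.IsWindowVisible.argtypes = [wintypes.HWND]
    found = []

    @ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    def on_window(hwnd, _lparam):
        title = ctypes.create_unicode_buffer(512)
        cls = ctypes.create_unicode_buffer(256)
        user32.GetWindowTextW(hwnd, title, 512)
        user32.GetClassNameW(hwnd, cls, 256)
        found.append(Window(title.value, cls.value,
                            bool(user32.IsWindowVisible(hwnd))))
        return True  # keep enumerating

    user32.EnumWindows(on_window, 0)
    return found


def live_mutex_exists(name):
    """True if a named mutex exists, even when it cannot be opened (False off Windows)."""
    if sys.platform != "win32":
        return False
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.restype = wintypes.HANDLE
    k32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    handle = k32.OpenMutexW(0x00100000, False, name)  # SYNCHRONIZE access
    if handle:
        k32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == 5  # ERROR_ACCESS_DENIED: present, not openable


if __name__ == "__main__":
    live = sys.platform == "win32"
    wins = live_windows() if live else SAMPLE_WINDOWS
    has_mutex = live_mutex_exists if live else SAMPLE_MUTEXES.__contains__
    print("full access:          ", scan(wins, has_mutex))
    print("caption reads blocked:", scan(deny_text_reads(wins), has_mutex))
```
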
     
  16. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    Re: Memory\window objects

    What's unique about the trojan objects--how does TDS-3 distinguish between them and "normal" objects? If the recent explanation by Andreas regarding this issue is accurate, then why did Jason say "Reading window text is one part of specific signature detection algorithm"? As in this case, signature detection would have nothing to do with the procedure that Andreas described. (Perhaps Jason just has a subconscious desire to appear 'spy-like'.)

    Are trojans the only thing that use these mutex 'flags'? If not, how does TDS-3 distinguish between them and other 'flags'?

    Are these the ONLY detection methods TDS-3 Pro offers that TrojanHunter lacks? The reason I ask is that I'm trying to compare apples with apples. And according to TrojanHunter's web site, their program offers a critical solution that TDS-3 is lacking:

    "The Beast trojan, employing modern stealth techniques actually injects itself into other processes. TrojanHunter is the only scanner capable of cleaning process-injecting trojans." Note the blurb specifies "cleaning" rather than detection--so I assume that TDS-3 can at least DETECT this trojan?

    They even have a separate web page devoted to this apparently serious threat, the following of which are quotes from that page:

    "The Beast is a relatively new trojan which in recent versions has used more advanced techniques to make itself undetectable from trojan and virus scanners. The latest technique employed makes the trojan parasitic, because it injects its code into other processes running on the system. For this purpose, the trojan uses a DLL file named dxgns.dll."

    And:

    "Process Injection - A Dangerous New Trend
    Recent trojans have begun using process injection to a greater extent. Several factors make this technique dangerous:
    * The trojan is not visible in traditional process viewers, including Windows Task Manager
    * Most trojan and virus scanners have a very hard time detecting the running trojan code
    * The trojan code is very difficult to unload"

    Could you please comment in detail on this issue?

    How many of your detection methods rely solely on signatures? And if your company does research on competing products, how many detection methods does TrojanHunter use, and what percentage of them rely on just signature detection?

    You're welcome--glad to be of assistance. :) And thanks for not blowing me off like Jason did. I don't know what the deal is with him, but it would appear to a casual observer that he doesn't accept spying accusations very well.

    Cordially,
    Hopalong
     
  17. bluekey23 (Registered Member; joined Feb 23, 2004; posts: 77)
    Hopalong,
    Besides the alert you received from snoopfree, do you have any other basis for being skeptical of TDS-3?
     
  18. tuatara (Registered Member; joined Apr 7, 2004; posts: 772)
    Hop A. Long, you like to know a lot of details, that is good,
    I am curious to know ... is this your hobby or your work?

    My 'snoopnothere' tool gave an alert ..on this Thread.
    "Yellow ALERT: it might be the competition..."

    Regarding Trojans it helps to be a bit paranoid, right?

    BTW: This is not a serious question.

    :D
     
  19. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; posts: 2,080; location: Perth, Western Australia)
    You can easily disinfect BEAST and any other DLL trojan injectors from Safe Mode. We designed ProcessGuard to PREVENT the injection in the first place, since it only takes fractions of a second to send out your private information if you infected yourself.

    What's better, detect after the fact, clean up - or block ALL injections completely. This includes private trojan versions which no scanner can detect. These exist, they are in use every day. Preventing infections completely is obviously much more secure, it's the only way to be sure.
     
  20. Andreas1 (Security Expert; joined Jan 29, 2003; posts: 367; location: Mainz (Ger))
    Re: Memory\window objects

    yes it would. a signature is a mark by which you can infer the identity of the entity that has produced the mark. As such window objects can bear such marks just as well as files on your harddisk, registry entries or mutexes. What is unique about the trojan objects is their very name - that's why you have to read it out if you don't want to miss the opportunity to maybe infer the identity of a malware program this way.

    want me to psychoanalyze you, too?


    Are trojans the only thing that uses files on your harddisk? that use mutexes? that use window objects? Of course not. Again: That's why you have to read out what the mutex says, what is in the file, what is written on the windows object. To know about the simple presence or not of a mutex as such, of a file as such, of a registry value as such, of an opened TCP port as such ... DOESN'T HELP, NEVER!


    yes it can, and while DCS are still dealing with removal and more sophisticated handling of these things beyond the detection you are mentioning for their next generation TDS, maybe so as not to leave the users without any benefit from that development until it's completed, they are offering a freeware tool by which you can do the cleaning manually yourself.

    (BTW, IMHO here your arguments are beginning to go off-topic)


    There are threads about the issue on this board. Nobody is denying the importance of injection techniques, and so far, and until TDS-4 will be out, you have the following arsenal of tools at hand:
    TDS-3 - still detects most of what you're likely to encounter (IMHO)
    ProcessGuard - prevents process injection (AFAIC anything in the wild as of now)
    APM - allows you to clean any injections, freeing the way for "traditional" (file/registry) cleaning. (freeware)

    Gavin has pointed out additional things to consider.
    What else do you expect to be commented? In a thread about TDS being spyware or not?


    (Okay, I give it up; thread gone astray for good - or bad.)

    Since you are such a thorough researcher (I'm understanding this from your "other thread"), I'm surprised that, as far as I can see, you have not posted such a question on TH's forum. I don't think it's appropriate to ask a vendor about his/her competition the way you're doing, nor would it be appropriate for DCS to answer those questions (at least in the sense you seem to be asking them). (I'm also surprised you're not mentioning another thing, but I will not do it for you, as it doesn't pertain to the question either :blink: :ninja: :D )

    he did? I wasn't aware of that. In fact, I almost meant to, but obviously I wasn't very successful.

    you're not serious, are you?

    I hope I've not been too harsh, but I fail to understand what you're (still) after,
    Andreas
     
    Last edited: Aug 26, 2004
  21. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    Re: Memory\window objects

    Wayne? Is that you? Weren't you green the last time I saw your picture? And did you forget to shave for a while? :)

    Okay, thanks for clearing up that part of my spy thread, as I had been given what appeared at the time to be conflicting statements by two different DCS employees. And since I'm overly paranoid, I'm inclined to be suspicious about inconsistencies.

    Sure, as long as it doesn't cost me anything.

    Umm... I never asked whether "trojans are the only thing that uses files or window objects on your hard disk", I specified mutex 'flags' only. So please don't try to make me appear to be more of an idiot than I really am. :)

    Okay, thanks for clearing this up, as I'm trying to determine whether TDS-3 consists of a lot of unnecessary bells and whistles, or whether TrojanHunter will detect the same percentage of trojans. As I hate to have any unnecessary software on my system.

    Sorry, but my area of expertise is not in Internet forums--so I was unaware that straying off the original topic amounted to such an 'evil deed'. My assumption was that DCS is paying this site to host their forum for revenue generating purposes.

    So I didn't think any reasonable question pertaining to their anti-trojan program would be out of bounds. And since there are apparently a number of people following this thread, DCS has the opportunity to make a lot more sales than they could if I started a new thread consisting of non-spyware related questions.

    But I guess I should clarify my current position on my original spyware topic, as well as declare it DOA at this juncture:

    My conclusion is that although TDS-3 utilizes a technique common to malicious trojans, my conspiracy theories regarding this Australian company using their software to spy on American corporations are totally unfounded. :)

    As simple logic dictates that if they were in fact committing industrial espionage, they certainly wouldn't incorporate any features in their program that would set off a trojan alarm like snoopfree. Because the last thing they'd want to do is arouse suspicion that could potentially generate threads in Internet forums which involve the topic of spying. Such as this one for example. :)

    The truth of the matter is that anti-trojan programs that DON'T trigger snoopfree are the ones that you should probably be suspicious of. :) As the programmers have obviously blown off what's been portrayed as an important trojan detection technique. And if you have a paranoid mind, you have to wonder whether they did that solely to avoid setting off a trojan alarm, in order to deter suspicious people from starting "IS THIS SPYWARE" threads.

    Because if a company is marketing anti-trojan software, doesn't it make sense to incorporate EVERY trojan detection technique in the program that's possible? That is, unless they spin some of them off into separate programs, so their customers will have to pay them an exorbitant amount of money in order to get COMPLETE trojan protection.

    The reality of course is that they don't need to use ANY of the three major methods that trojans utilize to sneak your files out. As all it takes is a single line of code in a software program to give the programmer a back door into your computer. He can then come and go at will, and sneak data out disguised as Internet browser activity.

    And nothing DiamondCS sells can stop this form of spying. And of course, there's no firewall or router on the market that can stop it either. In short, you're at the mercy of every software program on your computer, as any of them could contain a back door that's totally undetectable (unless it's open source and you have a LOT of time on your hands). Which is one reason why I use as few programs as possible on the computer I go online with.

    Umm... experience has taught me that you can find out more from competitors.

    Everyone is entitled to their opinion--and you know what they say about opinions. :)

    Hmm, it's standard practice for the leader of the greatest nation on earth to flame his opponent on national television every day, but a company can't answer generic questions about a competitor? How did you come to develop such twisted logic? :)

    Ummm... could you maybe give me a hint of what the "thing" is that you're referring to? As my telepathy doesn't function properly over the Internet.

    Umm... scroll up a bit, and you'll see that he ignored the following post:

    "So are you saying that since TrojanHunter lacks this detection method, it can miss trojans that your program would detect? If so, has your company run any tests to prove this? As it seems like it would be a very quick and simple test to do. Also, what other detection methods does TDS-3 Pro offer that TrojanHunter lacks, that you've also been keeping a secret?

    And in reference to your statement "Reading window text is one part of specific signature detection algorithm." I don't understand why your program would need to read windows in order to carry out ANY part of its signature detection duties. Isn't there ANY other way to do the job without setting off a trojan alarm like snoopfree? As don't you find it ironic that your trojan detection program is doing something that constitutes an "EXTREME PRIVACY RISK", as snoopfree describes it? And is also one of the three major methods used by trojans to spy on people.

    I realize that your company is well respected and trusted, but so was Enron before they were nailed. The bottom line is that the way your program is currently set up, "it can read sensitive text from any window at any time". And since a large percentage of people who buy trojan detection programs are 'cautious' by nature, can you see why it might be in your company's best interest to elaborate on this issue on your web site? As 99 out of 100 people won't write you when snoopfree alerts on your program--they'll just uninstall it and buy TrojanHunter."

    Ummm... that's not really a serious question is it? Just in case it is, I'll go ahead and answer: Obviously no rational person would expect someone to accept "spying accusations" without being offended to some degree. But I assumed it would be readily apparent that I was just kidding, since I never made any "spying accusations" in the first place. As an accusation is obviously when you accuse a person or entity of spying, i.e. "TDS-3 Is Spyware" instead of merely ASKING "Is TDS-3 Spyware?"

    Since your level of anxiety indicates that you may have some degree of ownership in DCS, I will attempt to ease your paranoia:

    Not to worry, I'm not a shill hired by one of your competitors! I'm merely an individual who has a tendency to develop obsessions about various things. This month it happens to be computer security, and I'm simply trying to pick the best anti-trojan program for my own personal needs. And when I'm evaluating software that I'm going to rely on for my security, I try not to leave any stones unturned.

    After Wayne responded to my initial questions, naturally I had some follow-up questions--that goes without saying. But I waited a few days to see if any "security experts" would dispute or confirm his statements. After your post gave me some of the confirmation I was seeking, I then posted my follow-up questions. So you see, you got all excited over nothing. :)

    As I just want to make sure that I pick the best anti-trojan program. If anything, you should be happy that I've given your program so much scrutiny! Because it will undoubtedly resolve the suspicions of anyone who does a "TDS spyware" search on google, thus generating additional revenue for your company.

    BTW, I still haven't made up my mind whether to buy TDS-3, so I'll have some more questions about the program--if that meets with your approval. :)
     
    Last edited: Aug 26, 2004
  22. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    Nope.
     
  23. Hop A. Long (Registered Member; joined Aug 19, 2004; posts: 39; location: USA)
    You have some very valid points, it's just unfortunate (from the customer's perspective) that you don't incorporate ALL of your trojan detection/protection features into one program.

    Also, are you saying that TDS-3 can't detect "private trojan versions"?
     
  24. Wayne - DiamondCS (Security Expert; joined Jul 19, 2002; posts: 1,533; location: Perth, Oz)
    Hop A Long,
    We'll close this thread now as it's starting to fall away from the original topic and a lot of people have already spent a lot of time trying to answer your questions.

    Clearly as you should understand by now (as everyone else does) TDS-3 is not spyware, and simply because one poorly-known scanner says something doesn't mean anything - false-positives are common these days from scanners with weak signatures and/or detection methods. Feel free to block it from network access. Feel free to packet-sniff the Update utility. Feel free to disassemble and analyse the program. What more can I say?

    TDS has been around for some eight years now - only The Cleaner and BOClean are as old. DiamondCS itself was first established in 1986, and TDS3 itself has been available for several years but in all that time we've never had any accusations of anything like that, so I'll let you draw your own conclusions about how reliable the scanner you were using was.

    Regards,
    Wayne
     