Keeping Trojans

Discussion in 'NOD32 version 2 Forum' started by David S, Nov 20, 2004.

Thread Status:
Not open for further replies.
  1. David S

    David S Registered Member

    Joined:
    Feb 17, 2004
    Posts:
    32
    Occasionally I've gotten Trojans that NOD32 discovers right away. It seems, though, that my Trojan detectors/scanners don't find them. I don't know if it is because NOD32 was locking them or if it is because they have been in zip files and would have needed to be opened, in which case NOD32 would jump into action.

    What I was wondering is whether there is any safe way to keep a trojan in a file and somehow "lock" that file so it can't do anything, or is it safe in the file as long as you don't open it? I want to do this so I could test my trojan scanners. I thought of quarantine, but it seems that usually I've had better luck deleting them; if I remember right it usually doesn't quarantine them when I try. I am not very knowledgeable about trojans so I don't want to experiment with them, just put them in a safe place, run some scans and delete them.

    And am I wrong in presuming that if a trojan is in a zip file it is harmless unless you open that file? And then if it is in a zip file will the scanners detect it or does that depend on the scanner?

    If this sounds like I want to go get some trojans to try it out that's not the case but I've had them before and presume I'll get them again and would like to have some idea of how my trojan scanners are working. NOD32 seems to be the only thing detecting them so far.
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    You could send them to your trojan scanner maker to ensure they are included if you wish. You could also send them to Eset if they are being detected heuristically instead of with a definition. As for keeping them, you could, as long as you don't open them and you are the only person using your computer. Personally though, I see it as playing with fire; sooner or later you end up getting burned. But then, if Nod detected them in the first place, it should detect them even if they are executed accidentally as well.
     
  3. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    They should be okay in zipped files on your computer. Trojans need to unpack into memory to have an adverse effect on your system. But if anyone else has access to your box, password protect the files.

    I keep my collections of malware off my system. Floppies, CDs/DVDs or flash drives may be worth considering, depending upon the size of your intended collection.

    Most AV's/AT's either by default or by tweaking within the program settings, can scan archive files.

    If you are considering a trojan collection I would highly recommend an AT monitor continually scanning memory. So consider running a Real-Time Guard of one of the 'better' ATs together with NOD.

    The advantage of installing an extra AT program over your AV scanner is that the Anti-Trojan software is much better in 'cleaning' any trojan off your computer.

    However, overall great care is needed with the 'collection' of any malware because, as flyrfan111 has already stated, the possibility of being burnt is very high. It only takes one little mistake when playing about with your collection and your system and confidential files could be dust and stolen respectively. Hence my suggestion of running an AT's RTM together with NOD.
     
    Last edited: Nov 20, 2004
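The two points made above, that an archived sample is inert until something unpacks and runs it, and that scanners can look inside archives without that happening, can be illustrated with a small archive-aware scanner. This is an added example, not code from the thread or from any of the products mentioned: it builds a zip nested inside a zip in memory, with a constructed stand-in byte string in place of a real trojan and a hypothetical one-entry hash blocklist, then walks every member by reading it into memory, hashing it and recursing into nested zips, never writing anything to disk and never executing anything. Encrypted members (the password-protected archives suggested above) are reported as not scanned unless a password is supplied, which is also why a password-protected archive hides a sample from scanners as well as from other users of the box. The blocklist lookup stands in for a real engine's signatures and is not meant as a detection method.

```python
import hashlib
import io
import zipfile
from typing import List, Optional, Tuple

# Constructed stand-in for a trojan binary. It is just bytes; nothing here is real malware.
SAMPLE = b"MZ\x90\x00constructed stand-in for a trojan binary, not real malware\n"

# Hypothetical blocklist: SHA-256 of the constructed sample -> detection name.
KNOWN_BAD = {hashlib.sha256(SAMPLE).hexdigest(): "Constructed.Trojan.Sample"}

# Refuse to recurse forever into zips-inside-zips (a classic scanner DoS).
MAX_DEPTH = 3


def build_sample_archive() -> bytes:
    """Pack the constructed sample into inner.zip, then inner.zip into an outer zip, all in memory."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("sample.exe", SAMPLE)
        z.writestr("readme.txt", b"harmless text file\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("collection/inner.zip", inner.getvalue())
    return outer.getvalue()


def scan_archive(data: bytes, pwd: Optional[bytes] = None,
                 depth: int = 0, path: str = "") -> List[Tuple[str, str]]:
    """Return (member_path, verdict) for every file inside the archive.

    Members are read into memory and hashed; they are never extracted to disk
    or executed, so the sample stays inert while it is being checked.
    """
    results: List[Tuple[str, str]] = []
    if depth > MAX_DEPTH:
        return [(path, "skipped: nesting too deep")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        return [(path, f"error: corrupt archive ({e})")]
    with archive as z:
        for info in z.infolist():
            member = f"{path}/{info.filename}" if path else info.filename
            if info.is_dir():
                continue
            # Bit 0 of the general-purpose flags marks an encrypted (password-protected) member.
            if info.flag_bits & 0x1 and pwd is None:
                results.append((member, "encrypted: not scanned (no password supplied)"))
                continue
            try:
                content = z.read(info, pwd=pwd)
            except RuntimeError as e:  # wrong password or unsupported encryption
                results.append((member, f"error: {e}"))
                continue
            if zipfile.is_zipfile(io.BytesIO(content)):
                # Nested archive: scan its members too, carrying the path for reporting.
                results.extend(scan_archive(content, pwd, depth + 1, member))
                continue
            digest = hashlib.sha256(content).hexdigest()
            results.append((member, KNOWN_BAD.get(digest, "clean")))
    return results


if __name__ == "__main__":
    for member, verdict in scan_archive(build_sample_archive()):
        print(f"{member}: {verdict}")
```

Run as-is it reports `collection/inner.zip/sample.exe` as the constructed detection and the text file as clean. Pass `pwd=b"..."` to `scan_archive` to look inside an archive you password-protected yourself; without it, encrypted members are listed but left unopened.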
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    If you don't have a secondary, disconnected system to test with, you can use Microsoft Virtual PC to test trojans and other malware.

    With Virtual PC, you can set up alternate, totally-isolated Windows installations, and do whatever you want in them, without concern. (Just make sure the virtual environment is not connected to the internet.) Virtual PC lets you create and use "virtual hard drives", and each time you exit a virtual environment, you have the option to discard all changes that took place. You can also easily share folders with your "real" system (a feature that warrants caution).

    Just to clarify--I'm not saying that testing malware in Virtual PC is totally risk-free. Instead, it's like an unloaded gun; it's totally safe in one sense, but you still better keep your wits about you.

    Virtual PC is also incredibly handy for things other than malware testing. For the most part, though, these are special needs, for people who support multiple operating systems, or who test boot disks and so forth.

    I picked up a copy of Virtual PC for under $90 through a reseller at Amazon.com. You can find good prices using Froogle as well.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376