New trojan methods to beat your security.

Discussion in 'other anti-trojan software' started by muf, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    I see an increase in the number of people that jump ship from the Anti-Trojan they use just because some new breed of trojan gets past its defence. Over the last 12 months I see plenty of posts where people say "My Anti-Trojan didn't detect this Trojan, but some other Anti-Trojan did". Then they make declarations like "I got rid of my current Anti-Trojan and bought another one because it detects a certain Trojan". Most of these people don't realise that the trojan writers write trojans to get past existing Anti-Trojans. They have probably got copies (from Warez sites) of all the popular Anti-Trojans. Do you think they will create a trojan in the hope it can get past your Anti-Trojan? Or do you think they will create one, test it on the popular Anti-Trojans and once they have it perfected so it gets past the Anti-Trojans then they release it on the net?

    People have to realise that no matter what Anti-Trojan they use, there will be a new trojan using new techniques that will get past their Anti-Trojan. So this is then the opportunity for the Anti-Trojan authors to analyse the trojan and modify their Anti-Trojan so that it can detect and remove this new threat. What is happening is that people are not giving the Anti-Trojan authors the opportunity to address these shortcomings in their application. I mean come on people, do you think that every Anti-Trojan will be able to detect a new generation of trojans that use new techniques? If you do then you are a fool. I will give a perfect example of what I am referring to. Take a look here and you will see an example of a misinformed individual called DeepRest.
    http://forum.misec.net/board/TrojanHunter;action=display;num=1100065758
    Randy Bell says in that thread "Good Luck with your Ewido". What I think he should be saying is "Good luck with your current Anti-Trojan, until it comes up against something it can't detect. Then good luck with the new Anti-Trojan you will swap to". I'm not surprised Magnus closed down that thread. The poster is obviously misinformed and hasn't got a clue how these things work. That guy/gal will most likely be swapping products over and over in the next 12 months if that's how they gauge which product they will use! I bet they are the same type that swap lanes constantly while driving thinking they are getting to their destination so much quicker than everyone else!!!

    muf
     
    Last edited: Nov 12, 2004
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    If your AT is responsive and adapts to the new threat quickly, there is no need to keep changing.

    Failing that there's always ProcessGuard.
     
  3. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Good points Topper. Sending samples to your AT/AV company of choice is important, and this definitely underscores the importance of getting a behavior blocker of some sort, if you're worried about it. There will always be something that can get past your defenses.

    edit: weird, my NOD32 must be acting up, when I looked at this thread this morning it said the original post was by TopperID.. so good points by both! lol
     
    Last edited: Nov 12, 2004
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Actually, if you read what was written more carefully, it wasn't just about detection of a new trojan, as you claim. That poster gave several reasons for choosing Ewido over TrojanHunter:

    My guess is that you are a TrojanHunter user who is simply having a typical "Oh mahgosh! Someone is criticizing my choice of software!" knee-jerk reaction.
     
  5. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Actually, you are right about me being a TrojanHunter user. You are also very very wrong about this being a 'knee jerk reaction'. I only use it for on-demand purposes probably every couple of weeks which hardly qualifies it as an essential application on my system. So I do not really give two hoots if someone wants to criticise TrojanHunter or not. My main Anti-Trojan is BOClean which is what I run resident 24/7. BOClean is also something I'm not bothered about people criticising. I have given a simple honest observation that people jump ship way too quick once they find out that something got past their security application. I have been using both these applications for a while now. I accept they are not perfect. Nothing is. But I don't stand up and scream "Oh my god it missed a nasty, must find another application." I wait to see what is done about it. This is the point I'm making. And tbh, I wasn't one bit surprised that someone posted on this thread that they thought I was upset that someone had deserted one of my applications. That's the real knee jerk reaction "Oh mahgosh! Someone is criticizing my choice of software!". That's the easy answer isn't it? Rather than just accepting that people are fickle when it comes to loyalty. What ever happened to waiting for an application to fix the problem? Yeah, it's easier to jump ship. But in no time at all they'll jump back. Then they'll jump again...
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    When you are trialing software, loyalty doesn't figure in. And you can't "jump ship" if you never even bought a ticket.

    But I do agree that people seem to be fickle at times. So I do take your point.
     
  7. mercurie

    mercurie A Friendly Creature

    Joined:
    Nov 28, 2003
    Posts:
    2,442
    Location:
    Sky over the Wilders Forest
    Fellow Creatures,
    Good security products are like smart learning children in many ways. An occasional failure is a chance to improve and learn (make a better product or adjust a procedure, like updating speed and product releases). They can get better and improve. However, a child that consistently fails and does not change course after failures is a problem. Of course children, unlike software, do not get dumped. I do want to make that clear. But I think you get my point. Do not be too quick to throw away a (money) product because of a rare miss. Nothing is perfect! Nothing! ;)
     
    Last edited: Nov 12, 2004
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I don't see anyone arguing with that here.
     
    Last edited: Nov 12, 2004
  9. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I usually don't switch my security software very often. In general, I take a very long look at security products....sometimes several months to a year and I try to determine the direction they are going.

    I usually look at how fast they respond to threats and just how responsive they are to their customers in solving different situations.

    Even though, I don't understand everything, I do a lot of reading on what future threats might be. Sometimes, I find potential areas of weakness in one particular product I am using. If I find a weakness, I don't dump the product but I go find another product that can cover that area of weakness.

    I don't like getting a bunch of products that all do the same thing well but try to find ones that complement one another...one product's strength covering another's weakness.


    Starrob
     
  10. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Evaluating security software is very hard for the end user. Vendors lie, mislead, and exaggerate. Tests do the same thing. Users do the same thing. It becomes impossible to know who is telling the truth, what the real threats are, and where your time and money is best spent.

    And of course, there is more to consider than just detection capability. If a product bogs your system down to the point you can't stand it, you have to weigh that in consideration.
     
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I believe it is hard for most users to tell the difference. It really takes a lot of reading to learn just a little bit of what to look for in a security product.

    When it comes to testing Anti-Trojans, I have found only one website that gives me a really good guide on how to evaluate an AT. That is Nautilus' website. He is the only one that I know of that does independent testing of ATs without a lot of bias.

    I once asked in some thread if someone could suggest other places that did independent testing of ATs without bias and no one answered. Without people to give unbiased evaluations most users would be stumped and resort to things like asking in forums which is the best AT to use.....which is the equivalent of going into Yahoo stock forums and asking people whether it is good to buy a particular stock or not.



    Starrob


     
  12. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    he is working on making A2 a better product I heard...

    we'll see
     
  13. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    The same Nautilus who reported that BOClean could not detect the Flux trojan, when in fact, it could?
     
  14. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I guess
     
  15. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Which is why I asked for where people could find unbiased information. Nautilus misses sometimes but the majority of the time he is correct. I don't just read Nautilus. I read every security forum I can find, including the blackhat sites which I find very interesting sometimes. It is interesting to see which products the script kiddies have the toughest time against and those products' weaknesses. Generally, if one does enough reading, you can begin to determine which product is best for a particular system. The problem is that it takes a lot of reading.


    Starrob


     
  16. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    you are correct Starrob, Nautilus' site has very very valuable information for a lot of things. the tests he made are respectable I believe.

    quote: The problem is that it takes a lot of reading.

    and a lot of understanding lol
     
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Oh give me a break. You don't find it odd that Nautilus posted a thread about how all the ATs failed at Flux handling, and then--magically!--A2 was suddenly touted as the only product capable of handling it completely? And how the claim was that BOClean was useless to detect it, until I pointed out that it did? (Which was followed by a grudging admission that yes, in fact, that was the case.) And, now he's "working on making A2 a better product"? You can't be involved with a project and be unbiased. It just doesn't happen.
     
  18. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    that is why I said it: not all will turn into gold; never and never will...

    except with heinz ketchup I believe, if you eat/drink 10 liters of it, you will .... a gold color thing.
     
  19. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    now....don't you go buying all that ketchup!!!!

    :D
     
  20. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    @INFINITY
    Nautilus is not working on A2, if you mean that... :eek:


    @nameless
    Someone (Nautilus) points out a flaw in current AT's mem scanners, which are partly not able to detect a popular trojan in memory (date: Oct 17, 2004).
    Some other guy, who is an AT developer (Andreas Haak), realizes this, sees his chance to probably 'be the first' and releases a few weeks later a tool, which is able to handle this trojan (date: Nov 6, 2004).
    What is so odd about that...? o_O

    Where did Nautilus admit, that he was wrong?

    Can you in some way "back up" your statement, that Nautilus was wrong? Have you tested it yourself?
    I am asking, because in my own tests from last week BO was _not_ able to detect a compressed Flux trojan at all, while it at least detected the loader file of an uncompressed Flux (but it didn't stop the trojan's process).
    So even one month after Nautilus posting about Flux, BO is not able to reliably detect Flux in memory (at least on my test machine - if necessary, I will redo the test with other Flux configurations). :doubt:
     
  21. --ntl--

    --ntl-- Guest

    Hiho,

    Perth is a great city. Went scuba diving @ Rottnest Island & surfing @ Lancelin Beach. Will fly to Ningaloo soon and hopefully see some manta rays.

    As regards my completely biased and inaccurate tests/comments: A couple of weeks ago I sent an e-mail to Kevin and exactly explained what BOC detects and what it does not detect. (Basically, at that time the loader was sometimes detected provided that BOC was quick enough. The actual trojan was not detected at all.) After my return, I will explain it to you in more detail. Have fun and don't forget that there is a real life, too.

    Cheers, Nautilus
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi,

    I am trying to keep up with the Flux detection situation. Does anyone have a list of the ATs that detect and remove it? The best that I understand it at this time is that the a2 Flux scanner does this. How about the scanners? Thanks.

    Rich
     
  23. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I don't believe anyone is perfect but Nautilus is the closest to being unbiased on this subject of AT testing as I can find. He also puts out great knowledge about Trojans and Trojan detection.

    There are very few places on the internet that discuss things like Rebasing, Hex-editing, DLL injection, rootkits, etc... except maybe for some blackhat sites. Most developers are usually reluctant to discuss such things and often give evasive or quick answers that don't tell you much.

    Nautilus discusses all of these things in one place and for that I appreciate him. One reason, I think he is correct on most things is that few developers will challenge the results of his tests.

    I suggest that maybe the developer of BoClean be directed to this thread and hear his response to Nautilus tests of Flux against BoClean. That would maybe bring better answers.



    Starrob
     
  24. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    True enough....I am on vacation visiting my girlfriend in Indonesia but I still come here and post because I love thinking about this security stuff sometimes....but back to my real life...there are things to do and places to see.

    If you really like diving you should go to Lombok, Indonesia but be prepared because it is very isolated there....good diving but not much of a night life scene.



    Starrob



     
  25. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I very much regret mentioning it,

    don't want to be a trouble maker and with no proof I need to shut my mouth.

    I forgot, I guess. will be off for a certain time,
    rethink certain things...

    sorry, inf.
     