New trojan methods to beat your security.

Discussion in 'other anti-trojan software' started by muf, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. john2g

    john2g Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    207
    Location:
    UK
    I don't know why the developer of BOClean has to answer all the crap that emanates from Nautilus, but if you want the answer read here:
    http://www.dslreports.com/forum/remark,11826147~mode=flat~start=20#11857515
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    Thank you John, for posting the link. It confirms what I as a longtime BOClean customer already suspected. :)
     
  3. --ntl--

    --ntl-- Guest

  4. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    As for me, I don't know who to believe but discussions like this help me to learn new things and make better choices of which product to use. I will be interested in reading Nautilus' eventual response and any other response that will come forth from BoClean.

    Ok....I got to go out and party tonight....Everyone take care

    Starrob


     
  5. --ntl--

    --ntl-- Guest

  6. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    I can only but fully agree. :eek:
     
  8. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    No offense to any of the parties involved, but I fail to see why exactly this reply by nautilus was so interesting... interesting because of how lengthy it was? ;)

    But in all seriousness I respect both sides very much, though my opinion of them is probably meaningless :)

    In the thread about Flux detection https://www.wilderssecurity.com/showthread.php?t=53418 we have already seen that a majority of AT scanners have a problem detecting or removing Flux in on access/on demand situations.

    Quote from Andreas Haak
    Quote from fish25
    Quote from AJohn about his experience in testing TR against Flux
    Quote from AJohn about his experience in testing TH against Flux
    Many people from that thread are also now participating in this thread, yet you still seem to be missing the point.

    For whatever reason BOClean was "called out" (maybe from the concern of BOClean users after reading the previous thread and the one at DSLR?). Kevin then responded and now you see all of this. It seems like a good majority of AT software have trouble (in one regard) in detecting/removing Flux. And the AT developers involved are probably looking closely into resolving this type of threat in a stable and reliable manner. What more can you ask for? This example of Flux is no indicator of how good/bad a scanner is. If anything it is an example of a collective problem that a majority of AT scanners face. And that is more clearly seen in Nautilus' Flux analysis thread rather than anything that he really stated in this reply to Kevin.
     
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    Openness, honesty, and timeliness. Things that seem to be anathema to the anti-malware industry as a whole.

    Sure it is. The "good" ones won't need a complete rewrite to handle it, with a several-month delay in between.
     
  10. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    aren't you just the smartest one on Wilders? I think you are. really keep it up like that, maybe one day you could make your own movie. :D

    every day I learn, every day I try to learn a bit more, whatever it is regarding this crap. and I do applaud people writing large comments, trying to make an effort to explain things

    you are glad they are working on it...wouldn't you be just a little more glad if they could fix this? but hell, they are working on it...not enough if you ask me. it is not very much in the wild this little fluxie but what if it was...you sure would wish they worked just a little bit harder so you could be protected, right? I wonder if you couldn't get updates for a week or so but the support tells you: hey, at least we are working on it :D

    anyway...

    have a nice eve
     
  11. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I consider Nautilus' response interesting because I got to learn something new. I am always in search of learning new things and I found many new things in all of these threads. The new things that I learn help me decide what software that I would like on my computer. It helps me to know about what standards to look for.

    I am also not certain that BoClean was specially called out. I just saw it as there were some people that insisted that Flux was detected by BoClean and others that doubted Flux was detected by BoClean. It appears that the truth lies somewhere in between. It seems that BoClean detects Flux in most cases and other cases it has trouble (at the time BoClean was tested of course...maybe today the situation is different and BoClean might be able to detect in all cases but who really knows?)

    As for me, I don't call out BoClean especially...I call out all of the AV and AT scanners for not trying to innovate and do things to try to protect against future threats. I feel some companies have been lazy, leaving holes in their product that could cause it to be easily defeated by someone knowledgeable. This includes Microsoft.

    I travel a few blackhat boards and my impression is that if someone like Nautilus can figure out the weaknesses of these products then many others can too. Right now, I know where I can buy Private Trojans from anywhere from $50 to $500. How do they make their trojans undetectable? By performing some of the same type of analysis that Nautilus does.

    One Trojan author makes his Trojans undetectable by altering it so it can be undetectable by just 3 scanners. This trojan author claims that simply by making a trojan undetectable to 2 specific major AV scanners and one specific major AT company that chances are that you will beat all the rest of the scanners. That trojan author appears very confident about this. He claims it works in a majority of cases.

    That is why I find many "my scanner is better than your scanner" discussions amusing because it doesn't matter what scanner you use, private trojans made by this particular Trojan Author are most likely undetectable to everyone's personal favorite scanner just by using this trojan author's method.....or so he claims......Who knows if it is really true? I wish I could experiment to find out whether it is true or not but I only have one computer and I don't want to chance getting it infected. I also don't want to purchase a trojan to find this out either. I have better uses for my money.

    It may be impossible to have 100% security but I feel that many AV and AT companies put more into their marketing than into the actual product.

    I will give credit to DCS, though, for ProcessGuard which was and is an attempt to deal with both present and future threats in an innovative way. Some may disagree with that but for me, I feel I have a tool in ProcessGuard that makes me light years more secure than before. I don't worry as much about Dynamic DLL trojans, Rootkits, or Keyloggers because I take time to learn my computer and am learning how to use PG to give me optimum protection.

    I am looking for companies that can innovate and get ahead of the future threats instead of always being behind. I want to get off of the addiction of downloading the newest update to fend off the newest threat.

    Yeah, I am demanding about what I want but the company that meets my demands gets my business. The ones that get lazy....I will avoid.

    I do believe in layered protection so I am still on the lookout for a scanner that is much stronger than the current choices. All of these scanners can improve and I am watching a lot of them. I am currently watching developments with TDS-4, BoClean, Ewido, Trojanhunter, and A2. I want to see how they go....I usually evaluate things for a long time.

    I also have both KAV and NOD32 on my list. I will continue to evaluate which scanners have the best solution.

    I am also looking for something behavioral based. Something like PREVX but better. I hope someone innovates in that area.

    Starrob
     
  12. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    I agree those things are important, but do not really see how any particular vendor in this situation seriously violated these themes. If you were to point fingers at one, you would have to do the same to all of them. And that was my point in my above post and nothing else.

    How would that determine a good scanner or not? Scanner A could need a complete rewrite to detect Flux but detect everything else really well, and has detection methods in place for many future threats (hypothetically), but because it needs a complete rewrite for Flux it is a poor scanner. It is impossible for any security developer to predict the latest exploits on the Windows platform. And in most cases they are all playing catch up.

    So your cleverly placed smiley is supposed to signify that your diss on me is all in good humor? Did I ever say I am not learning? In many other posts I have made clear I am just a beginner and learning as well. And in many situations where I was clearly wrong, I admitted it and made corrections.

    Of course I will be glad for a solution, but I do not see the point of pushing it in this manner. Especially if almost all AT parties involved are already aware of the situation.

    If you or anyone else has any ideas on how to remove Flux (after it has been loaded into the host program) in a reliable way without compromising system stability, and without using behavior detection methods (like PG or SSM) I am sure there are people who would want to listen. I have faith in the knowledge and abilities of ALL the AT parties mentioned. They analyze trojans every day, and they are the ones who are best suited to handle the latest threats. Maybe as end users we can limit our own chances of encountering threats like Flux?

    Personally I am just glad when I get a reply from support at all ;) , and the choices of security programs I use reflect this. If support told me they can not get updates out to me for a week and provide a reasonable explanation, I feel no urge to push them. You know why? Because there will always be other users who I know will continue to push them. My surfing habits are safe and my Windows computer updated. I even have a non-Windows computer as well.
     
  13. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    nope, but you placed your smiley first :D (oops...2-1 for me now... no, seriously, joking...I felt a little bit attacked, that is true)

    now you did it again...2-2 :D I guess you are right...support is so valuable, one of the most important things to me too.

    yes, but still, without ProcessGuard I wouldn't feel ( :D ) this safe. I am looking at Linux at the moment to understand it cause I think it would be so much better for everyday usage.

    but we'll see...have a good evening and sorry I felt myself under attack, while this wasn't supposed to... but you placed your smiley first, I tell you that!!! :cool:

    Inf.
     
    Last edited: Dec 1, 2004
  14. ???

    ??? Guest

    "This example of Flux is no indicator of how good/bad a scanner is."

    I agree. Nevertheless it's good that nowadays several scanners can detect this popular trojan.


    "Right now, I know where I can buy Private Trojans from anywhere from $50 to $500. How do they make their trojans undetectable? By performing some of the same type of analysis that Nautilus does."

    Actually, it's very easy for the author of a trojan to make it undetected. S/he just needs to recompile the source code (using an alternative image base), change a few strings and in most cases the signatures used by AV/AT scanners will not fit anymore.

    Nautilus
     
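    Nautilus' point above (a rebuild with a different image base breaks byte signatures) is a detection-engineering problem as much as an evasion trick. As an added example that is not part of the thread, the following constructed Python simulates a linker rebase on a toy x86 fragment and shows why a signature that wildcards the relocated address bytes keeps matching while an exact one does not; the code bytes, offsets and image bases are all made up for illustration.

```python
"""Exact vs. relocation-aware byte signatures on a rebased binary.

Constructed example: a 13-byte x86 fragment with two absolute dword
operands, a hand-written relocation table, and two matchers. Nothing
here is a real sample or a real scanner rule.
"""

IMAGE_BASE_ORIG = 0x00400000   # default base the first build used
IMAGE_BASE_NEW = 0x10000000    # the "alternative image base" of a rebuild

# mov eax, 0x00403000 ; push eax ; call dword ptr [0x00402010] ; ret
# The two absolute operands sit at byte offsets 1..4 and 8..11.
CODE = bytes.fromhex("B8 00 30 40 00  50  FF 15 10 20 40 00  C3")
RELOCS = [1, 8]                # offsets of the dwords the linker fixes up


def rebase(code: bytes, relocs, old_base: int, new_base: int) -> bytes:
    """Apply the relocation delta to every absolute dword, as a linker would."""
    delta = new_base - old_base
    buf = bytearray(code)
    for off in relocs:
        val = int.from_bytes(buf[off:off + 4], "little")
        buf[off:off + 4] = ((val + delta) & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(buf)


def match_exact(code: bytes, sig: bytes) -> bool:
    """Naive signature: the exact byte string captured from the first build."""
    return sig in code


def masked_signature(code: bytes, relocs) -> list:
    """Relocation-aware signature: bytes covered by a relocation become
    wildcards (None), so the pattern no longer depends on the image base."""
    sig = list(code)
    for off in relocs:
        for i in range(off, off + 4):
            sig[i] = None
    return sig


def match_masked(code: bytes, sig: list) -> bool:
    """Sliding-window match where None matches any byte."""
    n = len(sig)
    for start in range(len(code) - n + 1):
        if all(s is None or s == code[start + i] for i, s in enumerate(sig)):
            return True
    return False


def demo() -> tuple:
    """Return (exact_hit, masked_hit) against the rebased fragment."""
    rebased = rebase(CODE, RELOCS, IMAGE_BASE_ORIG, IMAGE_BASE_NEW)
    return match_exact(rebased, CODE), match_masked(rebased, masked_signature(CODE, RELOCS))


if __name__ == "__main__":
    exact_hit, masked_hit = demo()
    print(f"exact signature survives rebase: {exact_hit}")    # False
    print(f"masked signature survives rebase: {masked_hit}")  # True
```

    The same masking idea applies to the "change a few strings" half of the remark: a rule anchored on a string literal is as brittle as one anchored on an absolute address, so robust rules key on the bytes a recompile cannot cheaply alter.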
  15. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Thank you!

    This might be a little difficult, simply because of how challenging it is to determine the direction of where exploits, vulnerabilities, and such are heading.

    That is a very good way to look at it. Just do not place your expectations too high or you will be setting yourself up for disappointment.

    Let me clear my first post up as it obviously appeared misleading.
    This part...
    was in reference to the above person(s) who thought Nautilus' reply to be interesting. And as you did believe his reply was interesting, it is indeed a reference to you. As you can see I am merely asking why you thought his reply was so interesting. This part...
    actually did not have an intended reference. I was merely saying it generally as a joke. And for that reason I included a winkey smiley ;)

    And just to be safe... this part
    was in reference to Nautilus and Kevin.

    Now let us not get into a smiley war... I would actually rather discuss why you think Nautilus' post was so interesting. As that is the only question I directed to you. IMO Nautilus did provide some additional info about Flux (in regards to BOClean) in his reply, but not that much more from when he posted a thread on his analysis of Flux. I think a lot of it was simply points of clarification he wanted to make with Kevin and readers. And while I feel that is important for himself and readers... in the process I think the underlying message seemed to get more and more blurred. The point I feel is what Nautilus said in the very first part in the post above mine.

    You have a good evening too! I did not intend to put you under attack like that. I will try to restrain my smiley usage!
     
  16. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I do limit my chances. I practice safe surfing but what worries me is the zero day exploit. I worry about the day that I go to some website that I believe is innocent but somehow got compromised by a new exploit or worm...maybe something that Microsoft or Sun or Real or Winamp or Yahoo (Messenger) or any other vendor you can think of that has a vulnerability...a buffer overflow...some way into my computer that allows the download of a trojan like Flux or a worm or a Rootkit.

    That is why I have ProcessGuard...for partial protection against that scenario. I also would like something similar to PREVX except more user friendly to augment the protection of PG. Right now, I don't like the phone home concept of PREVX.

    As for scanners...I am not an expert but I believe that they can do much better. My real job is as a shipboard engineer. When we are out in the middle of the ocean and something breaks then we just don't sit in the middle of the ocean and radio for help. It is an embarrassment to be towed in by a tugboat....the whole engine department would be the laughing stock of the industry. Sometimes we don't have the parts to fix the machines...So what do we do? We innovate....we make the parts if we have to but we keep the damn ship moving. We make sure the engines work and the ship keeps moving.

    I don't know all of the moving parts under the hood of these scanners but I do know that some of those moving parts have been revealed to me to be seemingly broken by many different sources....not only Nautilus. What I want to see these companies do is innovate. What I say to the companies is "You're the expert....fix Flux and all the rest of the problems". Don't get towed in by a tugboat because "I can't fix it". If you don't have a tool or a part then make one and get that ship moving.

    All I know is if our Engine department could not keep the ship running smoothly then we would be fired. Yes, writing code is complex but so is my job...if I showed people how complex my job is then most would be just as amazed as I am at people who can write code. BUT if a coder can't get his ship back to a safe harbor, has his engine dead in the middle of the water and is whining and giving a bunch of excuses, then like in my job...he gets fired just like I would get fired. I will find someone who can do the job without whining and excuses. I don't want any more marketing at me...I just want results.....just my two cents.....
    :D


    Starrob
     
  17. ???

    ??? Guest

    I hope that TDS-4 will not simply reiterate the good 'ol signature-based scanning concept but implement certain visionary concepts like behaviour-based heuristics (in connection with port2process mapping) or CreateRemoteThread blocking.

    Alternatively, there is still the chance that a2 v2 will be released before the end of the century ;-)
     
  18. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Infinity & Starrob. BOClean haters both. All your posts involving BOClean contain smart little indirect remarks that attempt to undermine the product. Sure you don't condemn it 'face on' and say directly that you think it's a load of rubbish and that your own AT of choice Ewido is better. But boy do you say it by skirting the edge of the swamp. I've sat back and viewed your posts while biting my tongue so as not to say anything, but enough is enough. You have some hidden agenda, you try your utmost to bring its reputation down by homing in on any thread that portrays BOClean as having a vulnerability. I think it's about time you put a stop to it, right now! Seriously, you act like two 14 year old teens out to wind the neighbours up. You may even be 14 year olds! But where I actually used to read your posts and have respect for what you say, this is no longer the case. You have let the rivalry between the said competing products blind you to your once very welcome judgement. Now your posts consist solely of little snide remarks. Crikey, you don't even use it! So why are you constantly posting about BOClean. You dislike it, that's plainly obvious. You enjoy people finding a vulnerability and partake in the threads to add your own 'interesting' - 'very interesting' comments. You milk it for all it's worth. It's disgraceful. I'm very sorry for you, I really am. Enjoy Ewido, I hope it never lets you down or that someone finds a vulnerability. I really hope it is this 'proactive' security that you seek - your 'holy grail' so to speak. In the meantime the rest of us will keep using our products and give the experts who create them the chance to make them better. Thanks for sharing your constructive comments on the good and bad aspects of BOClean. It is appreciated that you have not been vindictive and that I would never once feel your comments are shallow and pathetic.

    muf
     
  19. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    I think most of the problem when people discuss different scanners is that they fall in love with their scanner.

    I like investing in the stock market. I learned a big lesson about falling in love with stocks in the year 2000. I don't fall in love with stocks.....or scanners.

    I simply look to learn and look for the things that provide the best protection for my computer. Many of the faults I point out apply to most or all scanners. Any assumption about my personal preferences are dead wrong because no one on this board personally knows me. I am a very tricky guy.

    In real life, I often take opposite sides of the argument in order to learn new things. I learned to do this by studying psychology as a hobby. It was fun for me to argue with Kerry supporters that Bush was good to be President and argue with Bush supporters that Kerry would be better for President. Neither side knew where I really stood just as no one on this board knows where I really stand.

    I may say I use a product regularly and may not. I may act like I don't use a particular product and I may. No one knows the particular security set-up of my computer and anyone that presumes to think so is wrong. I don't like my computer security to be known particularly...makes it slightly harder to get in.

    Who knows if I am not already a BoClean user? NO one but me. I continue to say that I don't have a great deal of confidence in ANY scanner. Other people can fall in love with their scanners but I just read too much to fully trust any of them.

    I especially like reading in the German forums. They are very interesting in some of those forums like Rokop and Bluemerlin....the only problem is translating them back to English. Sometimes things get lost in translation and people don't fully understand. Which is why I am careful about making assumptions because I am often wrong.


    Starrob


     
  20. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    Most of what is hinted at in TDS-4, I am very interested in looking at, especially the Port to Process mapping.....sounds very innovative. I want to see how effective it is in reality.

    As for A2....I really don't know enough about the product.

    I only know that it appears that other AT vendors appear to dislike Andreas Haak. I don't fully know the reason behind this because the conflicts appeared to happen before I got interested in computer security. The conflicts appear to be both personal and professional.

    In a way, I find that it is unfortunate to have such deep divisions in the AT business but I guess it is the result of various vendors being in a very competitive business. I guess just like in any other business scenario people will stab each other in the back or at least perceive to stab each other in the back. Sometimes, the perception or the imagination overrides the reality, which is why I learned not to take life as seriously. I get less stress that way. I do things like take a vacation to Bali.....I got great pictures...anyone want to see?

    I will look at A2 v2 when it comes along, though, because I am one that does not particularly care about personalities or perceptions or imagination but only results.

    I will continue to look at other scanners also. I favor no one scanner in particular over another as of yet. I tend to observe things over a long period of time.


    Starrob


    :)
     