New Trojan Test

Discussion in 'other anti-trojan software' started by StevieO, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. poll2

    poll2 Guest

    This might be slightly overstating it.

    In my opinion, if you think you need virus or trojan scanning on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.

    What's the difference between this argument and the one you are making? The only difference is the method used.
     
  2. frenchfries

    frenchfries Guest

    Using a simple execution blocker, which does nothing more than alerting you if you execute an (unknown) application, is a bit rediculous, imho. I mean, you double-click something, and your exec blocker says 'hey, you just double-clicked something'... thank you, great information...
    That is a bit like always driving with a speed limiter, instead of driving at the allowed speed by yourself. I don't see any real benefit in it...

    Thorough system firewalls (with injection blocking etc.), AV programms, network firewalls etc. is a whole different story, as they can give you something, that you can't get that easily by yourself.
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I don't know what application you're talking about, because Process Guard certainly doesn't do this.
     
  4. burgers

    burgers Guest

    Sure it does. It's one among several functions though.

    Of course all these exe blockers might become useful , if say you are surfing along happily and some guy hits you with some exploit that is totally new, and causing the download and more importantly execution of this new process.

    Those exe blockers will then pounce!
     
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, I know (I use it). :) What I meant is that if it only worked like that, it sure wouldn't have been very useful (and sure I wouldn't have used it).
     
  6. burgers

    burgers Guest

    Of course, there's a whitelist and learning modes But otherwise I don't know why you object to that description...........
     
  7. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    That's right... there's whitelist and learning modes... and it recognizes the hashes of the executables so you can choose to be prompted again only if they change; this alone (not including the many various other features, i.e. protecting applications from reading/termination, protecting physical memory, blocking global hooks, etc) means it's TOTALLY different from a silly "are you sure prompt".
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,


    *Rmus, just to cross over the Atlantic again to clarify my point of view ;) .
    I don't discuss about real trojans protection: in this case, a white list protection (as AntiMalware, AntiExecutable etc) is certainly one the most effective to deploy.
    Th subject is TrojanDemo.
    This file is a test demonstration tool.
    It's not a leaktest because it was not designed to bypass a firewall (by dll injection etc).
    A test/proof-of-concept/malware demonstration tool is intended to illustrate "in vivo" some features, abilities, theories, exploits, methods and so on.
    In our case, TrojanDemo demonstrates how some data can be stolen or exfiltrated from an user local host to the Trustware remote server.

    Therefore, since this is a test tool, it 's a piece of nonsens to block the .exe!
    If i want to audit my firewall with a leaktest like Ghost, should i block the executable?
    -By blocking the .exe, the user just demonstrates the efficiency of his execution protection (HIPS etc);
    -by blocking connections attempts with the firewall, the user just demonstrates the well functioning of his firewall.
    Nothing else.

    The primary interest of TrojanDemo is its ability to record usr's documents, to create a SPY.TXT file and to report the document to Trustware servers.
    Then a result like this one http://idata.over-blog.com/0/03/91/26/abtrupro/softclan/softclan4/vstrojandemo250.jpg
    is much more interesting for me.
    But as usual, each user his own point of view.

    But i'm not sure that this "marketing" tool (marketing like Regtest, KeyHook etc) could be effective as a real malware/attack.
    For a data theft, the most efective methods are SQL injection (on MST SQL servers), XSS/Cross-site-scripting, java exploit, or a Man-In-The-Middle: none AV/AT/HIPS listed on this forum will be able to detect such attacks.

    *TopLoader, Trust-no-exe (the same product as Exe-Vaccine without passwoard protection) is an executable filter: then if the user keeps rules (white/access list) by default (windows and Program files folders), and if TrojanDemo is run from one of this folder, the executable won't be blocked.
    Since it is an .Exe filter, the rules must be composed of .Exe , and not by folders (logical)!

    Regards
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,989
    Location:
    California
    Hi kareldjag,

    Point conceded!

    Does it count that when I allowed the test to run, that my firewall blocked the outbound attempt tosend the document to Trustware servers? :D

    Hope your trip to Spain was lots of fun.

    regards,

    -rich
     
    Last edited: Sep 26, 2005
  10. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Yes they do, believe it or not.

    Sadly not all of them do, but they do run these tests to see if their security programs can catch it.
    These 2 'useless' tests take 10 minutes tops to analyze.

    Your the one calling people noobs, so you tell me. ?


    Experts know better yes, because they should analyze the file themselfes before scanning them with an AV.


    No, it's simply my view on this. If you can't respect that, so be it - I think it bothers you more than it does me.
     
  11. Pollmaster

    Pollmaster Guest

    I expect less time actually. That's why it's so useless.
    But 10 minutes can be the difference between someone getting infected by something that should have being analysed instead of time spent on harmless stuff.

    Sure you can have any view you want. Even a wrong one. That doesn't borther me the least. And as i predicted , you don't have any good reasons to support your view.
     
  12. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Oh your one of them who want's an update everyone second. Well good luck with that...
     
  13. Pollmaster

    Pollmaster Guest

    Someone needs a lesson on logic badly.
     
  14. MichelB

    MichelB Guest

    To me, that implies no knowledge of the program or security. I've only been using it for a couple of weeks, and its GREAT. Want an example ? ok ;-)

    What happens when you execute game.exe and it is a self extractor or a trojandropper ? It puts svch0st.exe (trojan) and game.exe in the TEMP folder and runs both? Without a EXE protector you wouldnt know crap. Your game.exe is running and away you go.. have fun ;-)

    Task Manager just shows game.exe running, maybe you miss the svch0st.exe. Or svch0st.exe is named svchost.exe so you can't kill it in Task Manager, thats even if you can guess which one was the bad one. Task Manager doesn't even show me the path of the file.

    Even better ? svchost.exe is a DLL injector trojan and is now inside a trusted process ? even PG free blocks that. What if svchost.exe was a rootkit? well you could just buy PG like me :D but the free version or any exe blocker told you it had put those files in the temp folder and run them.
     
  15. Concerned

    Concerned Guest

    I tried the disable antivirus test. ProcessGuard asked if I want to block it. To test i let it run and it did disnable Norton antivirus. Where does that leave me?
     
  16. Rivalen

    Rivalen Registered Member

    Joined:
    Oct 18, 2005
    Posts:
    413
    Couldnt help myself.

    Bufferzone test: All downloaded and run from within the DW Sandbox.

    AntivirusDisable.exe; ProcessGuard alerted - permit - nothing happened - is that a passed test?

    TrojanDemo1test; PG alerted-permit-PG alerted for something else - permit -
    calculator starts in DW box - window confirms test fails - OP component control at the same instent warns that trojdemo "one or more components are changed" do you want to allow? So I suppose its a passed test.

    After that I pressed the button for the third test several times - nothing happened.

    How do I get rid of these exe-files - just delete them?

    Best Regards
     
  17. hypersteroid2ooo

    hypersteroid2ooo Registered Member

    Joined:
    Dec 16, 2005
    Posts:
    3
    Hi every one, Probably after I post this message I will get busted from many of the securities products fans.

    initially a couple month ago I test all the securities product fire walls, anti virusses and the hardest one are anti trojan

    there are there trojan sites that I used. before I test these security products I deliberately open my self, barely without any security system

    backdoor trojan ~snip~ only a couple of firewall product that pasa and report an outgoing activity kerio, zone, look( perfect) visnetic Outpost(perfect). the remaining product like sygate is only a hoax commercial program whereas tiny is completelyy tiny and unable to perform a big job corectly

    down loadr: ~Edit: Links removed to conform to TOS.
    Please do not post links to trojans, virus or other malware....Bubba
    ~ """spy sherif infection""" on your desktop will appear a filei.e. ibm

    these are the hardest test the only AV product that pass the test only kaspersky and NOD32(even detect the tracking cookies file)


    from the AT product trojan hunter is being hunted by the accute spy detective file. only a squared can detect and remove a apart of the trojan files. I havent completed the test so these all I can said
     
    Last edited by a moderator: Dec 18, 2005
  18. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    hypersteroid2ooo,

    Please do not link to possible malware sites here. It is a TOS violation.



    snowbound
     
  19. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    7,224
    Location:
    Hawaii
    I looked but couldn't find where anyone who uses DrWeb tried this test, so I did. DrWeb blocked the download quicker than the blink of an eye. ZZZZZZZZap!!!
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    @ StevieO,

    Your post was removed given the fact you posted the same links commented to above by Snowbound concerning TOS violation.

    It matters not that you made the links unclickable.
     
  21. Firefighter

    Firefighter Registered Member

    Joined:
    Oct 28, 2002
    Posts:
    1,670
    Location:
    Finland
    o_O o_O o_O

    Cool! :cool:

    :rolleyes: :rolleyes: :rolleyes:

    Best regards,
    Firefighter!
     
  22. EASTER.2010

    EASTER.2010 Guest

  23. muf

    muf Registered Member

    Joined:
    Dec 30, 2003
    Posts:
    926
    Location:
    Manchester, England
    Very interesting read. Thanks.

    It appears it would try to disable three of my resident security apps. There are still a few i use that are not in it's list. Still, it's pretty scarey.

    muf
     
  24. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yes, the morgud test is quite scary, BUT executing it in something like Sandboxie shows that it basically can't do MUCH when it's sandboxed; when I execute it in Sandboxie + Process Guard full is active + Core Force is active (and set up properly), it basically can't do anything at all and can be flushed without any problems. :)
     
  25. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi,

    This is a very good and comprehensive test, the likes of which i've rarely seen anywhere ! We had a full shake down of this test before though, and you can see the results etc in this thread.

    New security test: DFK Threat Simulator (DFKTS)

    https://www.wilderssecurity.com/showthread.php?t=103492

    I think that you will find it very interesting as i did.


    StevieO
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.