New Trojan Test

Discussion in 'other anti-trojan software' started by StevieO, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. poll2

    poll2 Guest

    This might be slightly overstating it.

    In my opinion, if you think you need virus or trojan scanning on an application you downloaded because you suspect it might contain malware, you shouldn't have installed/executed it in the first place.

    What's the difference between this argument and the one you are making? The only difference is the method used.
  2. frenchfries

    frenchfries Guest

    Using a simple execution blocker, which does nothing more than alerting you if you execute an (unknown) application, is a bit ridiculous, imho. I mean, you double-click something, and your exec blocker says 'hey, you just double-clicked something'... thank you, great information...
    That is a bit like always driving with a speed limiter, instead of driving at the allowed speed by yourself. I don't see any real benefit in it...

    Thorough system firewalls (with injection blocking etc.), AV programs, network firewalls etc. are a whole different story, as they can give you something that you can't get that easily by yourself.
  3. TNT

    TNT Registered Member

    Sep 4, 2005
    I don't know what application you're talking about, because Process Guard certainly doesn't do this.
  4. burgers

    burgers Guest

    Sure it does. It's one among several functions though.

    Of course all these exe blockers might become useful if, say, you are surfing along happily and some guy hits you with some exploit that is totally new, causing the download and, more importantly, the execution of this new process.

    Those exe blockers will then pounce!
  5. TNT

    TNT Registered Member

    Sep 4, 2005
    Yes, I know (I use it). :) What I meant is that if it only worked like that, it sure wouldn't have been very useful (and sure I wouldn't have used it).
  6. burgers

    burgers Guest

    Of course, there's a whitelist and learning modes. But otherwise I don't know why you object to that description...
  7. TNT

    TNT Registered Member

    Sep 4, 2005
    That's right... there's whitelist and learning modes... and it recognizes the hashes of the executables so you can choose to be prompted again only if they change; this alone (not including the many various other features, i.e. protecting applications from reading/termination, protecting physical memory, blocking global hooks, etc) means it's TOTALLY different from a silly "are you sure" prompt.
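    A small model of the hash-tracking behaviour TNT describes (prompt on first sight, allow while the hash matches, prompt again only when the bytes change), as an added Python example that is not from the thread or from Process Guard itself; the ExecAllowlist class and the file name game.exe are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Verdicts for an execution blocker that remembers approved binaries by hash:
# prompt only on first sight or when the approved file's contents change.
ALLOW = "allow"                      # bytes match the approved hash
PROMPT_NEW = "prompt-new"            # never approved before
PROMPT_CHANGED = "prompt-changed"    # approved path, but contents changed


def sha256_of_file(path, chunk=65536):
    """Stream the file so large executables need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class ExecAllowlist:
    """Hypothetical allowlist: path -> SHA-256 recorded at approval time."""

    def __init__(self):
        self._approved = {}

    def approve(self, path):
        self._approved[path] = sha256_of_file(path)

    def decide(self, path):
        known = self._approved.get(path)
        if known is None:
            return PROMPT_NEW
        if known != sha256_of_file(path):
            return PROMPT_CHANGED
        return ALLOW


def demo():
    """Constructed scenario: approve game.exe, then replace its bytes on disk."""
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "game.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ original program bytes")      # constructed stand-in for a binary
    wl = ExecAllowlist()
    first = wl.decide(exe)                         # unknown -> prompt-new
    wl.approve(exe)
    second = wl.decide(exe)                        # same hash -> allow
    with open(exe, "wb") as f:
        f.write(b"MZ modified program bytes")      # binary replaced in place
    third = wl.decide(exe)                         # hash differs -> prompt-changed
    return first, second, third
```

    A plain "are you sure" prompt would fire identically on all three runs; the hash check is what separates the second run from the third.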
  8. kareldjag

    kareldjag Registered Member

    Nov 13, 2004

    *Rmus, just to cross over the Atlantic again to clarify my point of view ;).
    I'm not discussing real trojan protection: in this case, a white list protection (such as AntiMalware, AntiExecutable etc) is certainly one of the most effective to deploy.
    The subject is TrojanDemo.
    This file is a test demonstration tool.
    It's not a leaktest because it was not designed to bypass a firewall (by dll injection etc).
    A test/proof-of-concept/malware demonstration tool is intended to illustrate "in vivo" some features, abilities, theories, exploits, methods and so on.
    In our case, TrojanDemo demonstrates how some data can be stolen or exfiltrated from a user's local host to the Trustware remote server.

    Therefore, since this is a test tool, it's nonsense to block the .exe!
    If I want to audit my firewall with a leaktest like Ghost, should I block the executable?
    -By blocking the .exe, the user just demonstrates the efficiency of his execution protection (HIPS etc);
    -by blocking connection attempts with the firewall, the user just demonstrates the proper functioning of his firewall.
    Nothing else.

    The primary interest of TrojanDemo is its ability to record the user's documents, to create a SPY.TXT file and to report the document to Trustware servers.
    Then a result like this one is much more interesting for me.
    But as usual, each user has his own point of view.

    But I'm not sure that this "marketing" tool (marketing like Regtest, KeyHook etc) could be effective as a real malware/attack.
    For a data theft, the most effective methods are SQL injection (on MS SQL servers), XSS/Cross-site-scripting, Java exploits, or a Man-In-The-Middle: no AV/AT/HIPS listed on this forum will be able to detect such attacks.

    *TopLoader, Trust-no-exe (the same product as Exe-Vaccine without password protection) is an executable filter: so if the user keeps the default rules (white/access list) for the Windows and Program Files folders, and if TrojanDemo is run from one of these folders, the executable won't be blocked.
    Since it is an .Exe filter, the rules must be composed of .Exe files, and not of folders (logical)!

  9. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    Hi kareldjag,

    Point conceded!

    Does it count that when I allowed the test to run, my firewall blocked the outbound attempt to send the document to Trustware servers? :D

    Hope your trip to Spain was lots of fun.


    Last edited: Sep 26, 2005
  10. Brian N

    Brian N Registered Member

    Jul 7, 2005
    Yes they do, believe it or not.

    Sadly not all of them do, but they do run these tests to see if their security programs can catch it.
    These 2 'useless' tests take 10 minutes tops to analyze.

    You're the one calling people noobs, so you tell me?

    Experts know better, yes, because they should analyze the file themselves before scanning it with an AV.

    No, it's simply my view on this. If you can't respect that, so be it - I think it bothers you more than it does me.
  11. Pollmaster

    Pollmaster Guest

    I expect less time actually. That's why it's so useless.
    But 10 minutes can be the difference between someone getting infected by something that should have been analysed instead of time spent on harmless stuff.

    Sure you can have any view you want. Even a wrong one. That doesn't bother me the least. And as I predicted, you don't have any good reasons to support your view.
  12. Brian N

    Brian N Registered Member

    Jul 7, 2005
    Oh, you're one of those who wants an update every second. Well, good luck with that...
  13. Pollmaster

    Pollmaster Guest

    Someone needs a lesson on logic badly.
  14. MichelB

    MichelB Guest

    To me, that implies no knowledge of the program or security. I've only been using it for a couple of weeks, and it's GREAT. Want an example? OK ;-)

    What happens when you execute game.exe and it is a self extractor or a trojan dropper? It puts svch0st.exe (trojan) and game.exe in the TEMP folder and runs both? Without an EXE protector you wouldn't know crap. Your game.exe is running and away you go.. have fun ;-)

    Task Manager just shows game.exe running, maybe you miss the svch0st.exe. Or svch0st.exe is named svchost.exe so you can't kill it in Task Manager, that's even if you can guess which one was the bad one. Task Manager doesn't even show me the path of the file.

    Even better? svchost.exe is a DLL injector trojan and is now inside a trusted process? Even PG free blocks that. What if svchost.exe was a rootkit? Well, you could just buy PG like me :D but the free version or any exe blocker told you it had put those files in the temp folder and run them.
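    The dropper scenario in this post, as an added Python example that is not from the thread or from any product mentioned in it: a minimal triage over a constructed process list (the kind of "name plus image path" view the post notes Task Manager lacks) that flags lookalike system names such as svch0st.exe, genuine system names running outside their expected directory, and anything launched from a TEMP folder. The trusted-name set, directories and sample paths are assumptions.

```python
import ntpath
from collections import namedtuple

# One row of what Task Manager would show if it also listed the image path.
Proc = namedtuple("Proc", "name path")

# Well-known Windows image names and the directories they are expected to run from.
TRUSTED_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

# Digit-for-letter swaps used in lookalike names such as svch0st.exe.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(name):
    """Fold confusable digits back to letters so svch0st.exe compares as svchost.exe."""
    return name.lower().translate(CONFUSABLE)


def classify(proc):
    name = proc.name.lower()
    directory = ntpath.dirname(proc.path.lower())   # handles backslash paths on any OS
    folded = normalize(name)
    if folded in TRUSTED_NAMES and name != folded:
        return "lookalike-name"            # svch0st.exe posing as svchost.exe
    if name in TRUSTED_NAMES and directory not in SYSTEM_DIRS:
        return "system-name-wrong-path"    # real name, but dropped into %TEMP%
    if "temp" in directory.split("\\"):
        return "runs-from-temp"            # game.exe extracted and run from TEMP
    return "ok"


def verdicts(procs):
    return [classify(p) for p in procs]


# Constructed process list reproducing the post's dropper scenario.
SAMPLE_PROCESSES = [
    Proc("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc("explorer.exe", r"C:\Windows\explorer.exe"),
    Proc("game.exe", r"C:\Users\me\AppData\Local\Temp\game.exe"),
    Proc("svch0st.exe", r"C:\Users\me\AppData\Local\Temp\svch0st.exe"),
    Proc("svchost.exe", r"C:\Users\me\AppData\Local\Temp\svchost.exe"),
]

if __name__ == "__main__":
    for proc, verdict in zip(SAMPLE_PROCESSES, verdicts(SAMPLE_PROCESSES)):
        print(f"{verdict:24} {proc.path}")
```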
  15. Concerned

    Concerned Guest

    I tried the disable antivirus test. ProcessGuard asked if I want to block it. To test, I let it run and it did disable Norton antivirus. Where does that leave me?
  16. Rivalen

    Rivalen Registered Member

    Oct 18, 2005
    Couldn't help myself.

    Bufferzone test: All downloaded and run from within the DW Sandbox.

    AntivirusDisable.exe; ProcessGuard alerted - permit - nothing happened - is that a passed test?

    TrojanDemo1test; PG alerted - permit - PG alerted for something else - permit - calculator starts in DW box - window confirms test fails - OP component control at the same instant warns that trojdemo "one or more components are changed", do you want to allow? So I suppose it's a passed test.

    After that I pressed the button for the third test several times - nothing happened.

    How do I get rid of these exe-files - just delete them?

    Best Regards
  17. hypersteroid2ooo

    hypersteroid2ooo Registered Member

    Dec 16, 2005
    Hi everyone. Probably after I post this message I will get busted by many of the security products' fans.

    Initially, a couple of months ago, I tested all the security products: firewalls, antiviruses, and the hardest ones are anti-trojans.

    There are the trojan sites that I used. Before I tested these security products I deliberately opened myself up, with barely any security system.

    Backdoor trojan ~snip~: only a couple of firewall products pass and report an outgoing activity: Kerio, Zone, Look (perfect), VisNetic, Outpost (perfect). The remaining products like Sygate are only a hoax commercial program, whereas Tiny is completely tiny and unable to perform a big job correctly.

    Downloader: ~Edit: Links removed to conform to TOS.
    Please do not post links to trojans, viruses or other malware....Bubba~
    "Spy Sheriff infection": on your desktop will appear a file, i.e. ibm

    These are the hardest tests; the only AV products that pass the test are Kaspersky and NOD32 (which even detects the tracking cookies file).

    From the AT products, TrojanHunter is being hunted by the acute Spy Detective file. Only a-squared can detect and remove a part of the trojan files. I haven't completed the test, so this is all I can say.
    Last edited by a moderator: Dec 18, 2005
  18. snowbound

    snowbound Retired Moderator

    Feb 18, 2003
    The Big Smoke

    Please do not link to possible malware sites here. It is a TOS violation.

  19. bellgamin

    bellgamin Very Frequent Poster

    Aug 1, 2002
    I looked but couldn't find where anyone who uses DrWeb tried this test, so I did. DrWeb blocked the download quicker than the blink of an eye. ZZZZZZZZap!!!
  20. Bubba

    Bubba Updates Team

    Apr 15, 2002
    @ StevieO,

    Your post was removed given the fact you posted the same links commented to above by Snowbound concerning TOS violation.

    It matters not that you made the links unclickable.
  21. Firefighter

    Firefighter Registered Member

    Oct 28, 2002
    o_O o_O o_O

    Cool! :cool:

    :rolleyes: :rolleyes: :rolleyes:

    Best regards,
  22. EASTER.2010

    EASTER.2010 Guest

  23. muf

    muf Registered Member

    Dec 30, 2003
    Manchester, England
    Very interesting read. Thanks.

    It appears it would try to disable three of my resident security apps. There are still a few I use that are not in its list. Still, it's pretty scary.

  24. TNT

    TNT Registered Member

    Sep 4, 2005
    Yes, the morgud test is quite scary, BUT executing it in something like Sandboxie shows that it basically can't do MUCH when it's sandboxed; when I execute it in Sandboxie + Process Guard full is active + Core Force is active (and set up properly), it basically can't do anything at all and can be flushed without any problems. :)
  25. StevieO

    StevieO Registered Member

    Feb 2, 2006

    This is a very good and comprehensive test, the likes of which I've rarely seen anywhere! We had a full shake down of this test before though, and you can see the results etc in this thread.

    New security test: DFK Threat Simulator (DFKTS)

    I think that you will find it very interesting, as I did.
