Oxon Trojan

Discussion in 'Trojan Defence Suite' started by Six, May 24, 2004.

Thread Status:
Not open for further replies.
  1. Six

    Six Registered Member

    Joined:
    May 24, 2004
    Posts:
    4
    Location:
    USA
    Hi everyone ... I know a lot of people hold TDS 3 in high regard, so don't jump on me with both feet all at once :D

    I am new to TDS (and Wilders) and have a few concerns about TDS and its creator's DCL of DCS.

    First off ... does anyone know why Webroot's Spysweeper flags the Trojan "OXON" in TDS-3? And not as a variant or a trace either ... it is an exact match.
    c:\program files\diamond computer systems\tds-3\target.txt
    "Oxon is a trojan that allows an unauthorized user to control certain aspects of your computer."


    This isn't a normal .txt file either: if you open Notepad, write (127.0.0.1) and save it with the exact name in the exact place as the original, it will still create a new target.txt file on TDS restart ... and if it is completely deleted it regenerates the next time TDS is run as well. I am assuming it can somehow be used in a manner like the Windows "HOSTS" file is ... which can be very dangerous, as it contains the local host internal I.P. (127.0.0.1).

    Secondly ... I have had my Windows hosts file hijacked several times by DCS RESEARCH, and it took me about 3 months to make the connection to Diamond Computer Systems ... To say I am having serious second thoughts about DCS and any of their products is a major understatement.

    Now I know that the Oxon trojan may be a false positive, but I have waited for 2 months and 5 definition updates from Webroot before bringing this up, to hopefully rule that option out or at least make it a lot more unlikely.

    And maybe DCS Research is someone other than Diamond Computer Systems and it's just a coincidence, or maybe it's some bottom feeders trying to sully TDS 3's name ... but I am thinking, why take the chance?

    Any ideas or help would be appreciated.
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Hi Six,
    Welcome to the forums.

    Sorry but I'm not sure what you mean by "DCL of DCS" ?

    We weren't aware of this, but only the creators of Spysweeper would be able to tell you why their program is making a false detection - they probably aren't aware of it either, so I'd encourage you to email them the file that's being detected so that they can fix the problem.

    In regards to DCSResearch: we used to own the dcsresearch.com domain and TDS3 used it as a forum link, but as we no longer own that domain, TDS3 simply adds a reference to the forum's new IP address so that TDS3 users aren't confused about dcsresearch.com - something that was actually suggested by our users.

    Best regards,
    Wayne
     
  3. Six

    Six Registered Member

    Joined:
    May 24, 2004
    Posts:
    4
    Location:
    USA
    That is just using your own acronyms ... DCL = Diamond Computer Labs and DCS = Diamond Computer Systems.

    Well, personally I don't like my Windows hosts file messed with by anybody or any program, especially under the guise of it being for my own good ... That also means I would have to trust that the server the forums are hosted on, and anybody with access to that server, won't try to access my PC as well ... which I do not. Why not have a pop-up box ask you first and give you a choice on what you prefer to have done, instead of just going ahead and modifying the user's hosts file? ... or at the very least a box telling them they may notice a change in their hosts file and what it's for?

    And if you're no longer affiliated with DCSresearch.com or own the domain, then do you think possibly some slimeballs may have snagged it up and be up to no good ... using a once-trusted site to hijack PCs? ... I know this happened to Spybot S&D.

    I will indeed take it up with Webroot and send them a copy of the target.txt file for study so they can correct their definitions ... but that still doesn't explain why it regenerates when deleted, and it is obviously not just a normal text file, as it can't be duplicated in Notepad even if you copy and paste the exact contents from the original, save it with the exact name, and place it in the same exact location as the original.
     
    Last edited: May 24, 2004
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    The hosts file line entry is only added when you install TDS, so feel free to remove it if you like.

    If it's just target.txt that's getting detected as a trojan then that's very weird, because Oxon is an executable trojan, so the first two bytes of the file should at least be "MZ" before the rest of the file is scanned for such trojans, but a text file would never start out with "MZ".
     
  5. Six

    Six Registered Member

    Joined:
    May 24, 2004
    Posts:
    4
    Location:
    USA
    Sorry Wayne, I was editing my post and you snuck in here on me :D

    I don't believe it to be the real OXON trojan ... as it would have no practical use in TDS because it's basically just a prank trojan, and The Cleaner and Trojan Remover don't flag it at all ... but as I said earlier, I don't think it's just a simple text file either.

    I don't want to sound overly critical, as I have heard nothing but good things about you, Wayne, and your product TDS ... but I just had to ask ... and I am satisfied enough with your explanation so far to continue doing business with DCS and using your products.

    I think Webroot has their definitions buggered ... yeah, I know the real OXON isn't a .txt file ... but I am not sure target.txt is just a text file either.
     
  6. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, Six

    Just a thought: it could be because the hosts file is being protected.

    Have you tried to change it in Safe Mode?

    Take Care,
    TheQuest :cool:

    Edit:- Sorry posted Late.
     
  7. Six

    Six Registered Member

    Joined:
    May 24, 2004
    Posts:
    4
    Location:
    USA
    Hi Quest :D

    Yes, my hosts file is set to read-only ... I got tired of all the spyware around the net screwing with it.

    That could explain it ... but I think TDS needs it to run ... it is the local host reference shown in the TDS I.P. target window on startup, and I think it did the same thing when the hosts file was unprotected. I actually thought it may be some type of backdoor put there by Wayne for catching people using pirated versions of TDS ... but I really didn't expect to be told that ... that kind of ruins the whole reason for it being there in the first place ... I guess.

    I will give it a go in Safe Mode and see what happens.
     
  8. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Open the file in Notepad or Wordpad (or even a hex editor) to check if it's a text file. Even if it's an executable file it won't execute under Notepad as its file contents are just being viewed (not executed), so it's a safe check.

    Target.txt is just a simple text file with usually one line in it (127.0.0.1), which you'll see in the "Target" dropdown listbox in the center of the TDS3 title bar. Modifying target.txt will change what is displayed in that listbox.

    A wise move. The vast majority of trojans/spyware/adware etc. never check the attributes of a file before writing to it, so it should certainly help to minimise any unwanted hosts file modifications.

    Best regards,
    Wayne
     
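    The hosts-file entry discussed in this thread (an installer mapping a hostname to the forum's address) and the read-only attribute Six describes are two sides of the same check. The following is an added example, not part of any post and not DiamondCS code: it parses a hosts file, separates loopback "sinkhole" entries (harmless blocking) from entries that redirect a name to a real address, which is exactly the kind of line a practitioner wants to review. The sample hosts content, hostnames and addresses are constructed for the example and are not from the original page.

```python
import ipaddress
import os

# Constructed sample hosts file (not a real one): a loopback blocking entry,
# an installer-added alias of the kind the thread describes (hostname and
# address are assumptions), and a suspicious override of an unrelated site.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net        # ad blocking, harmless
203.0.113.10    forum.example.org      # alias added by an installer
198.51.100.7    www.example-bank.com   # hijack: bank sent to a foreign address
"""

# Default Windows location; only read when it exists (see __main__ below).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Loopback names that belong in every hosts file and need no review.
EXPECTED_LOOPBACK = {"localhost"}


def parse_hosts(text):
    """Yield (address, hostname) pairs for every active entry.

    Comment text after '#' and blank lines are dropped, as the resolver
    drops them; one line may map several names to the same address."""
    entries = []
    for raw in text.splitlines():
        line, _, _comment = raw.partition("#")
        parts = line.split()
        if len(parts) < 2:
            continue
        addr = parts[0]
        for host in parts[1:]:
            entries.append((addr, host.lower()))
    return entries


def classify(addr):
    """'sinkhole' if the name is pointed at this machine (127.x or 0.0.0.0),
    'redirect' if it is pointed at some other host, 'malformed' otherwise."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"
    return "redirect"


def audit_hosts(text):
    """Return (verdict, address, host) for every entry worth a look.

    Expected loopback names are skipped; everything else is reported so the
    reader can decide whether a redirect was put there deliberately."""
    findings = []
    for addr, host in parse_hosts(text):
        verdict = classify(addr)
        if verdict == "sinkhole" and host in EXPECTED_LOOPBACK:
            continue
        findings.append((verdict, addr, host))
    return findings


def redirects(text):
    """Only the entries that send a name to a real address: the dangerous kind."""
    return [(a, h) for v, a, h in audit_hosts(text) if v == "redirect"]


if __name__ == "__main__":
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for verdict, addr, host in audit_hosts(text):
        print(f"{verdict:9} {addr:16} {host}")
```

    On the sample the audit lists one sinkhole (ads.example.net) and two redirects; the redirects are the entries to verify against what the installer said it would add. Setting the read-only attribute afterwards is a separate step (`attrib +R` on the file), and as Wayne notes it only stops writers that do not bother to clear the attribute first.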
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there and welcome to the forum!
    You know now you could have spared yourself two months of sleepless nights and worrying if you had come with your questions and investigations here immediately.

    If the HOSTS file is set to read-only, why was the one-line addition TDS made possible?
    Only the domain name dcsresearch.com belonged to DiamondCS; there is not any connection to the current domain owner and their business. Visiting that site accidentally places a tracking cookie in your system and who knows what else.
    The line is added for your F5 and menu forum option to jump to the right place immediately, as that is hardcoded in the program.


    127.0.0.1 is normal in the target window.
    System Analysis > View File > Default Target Host List, this is a normal notepad txt list you can edit by hand. So if you put something else on top or add a frequent portscanner or another IP for test purposes it's all up to you.

    The idea of catching pirated software, explain how would you think that could work with the HOSTS file or the target window?

    No no no, i would like TDS using the speech capacities to say something and close the program.
    How would a security company place secret backdoors while the software is there to detect them and secure your system?
    Not needed either, there are other ways for protecting the product.

    You know what I would like? That the program gives a warning in the main console about the trial time ending in X days, so you're just in time to register the product and get the keyfile. Now it's a polite "thank you for trying our software" after which it closes when that time is finished.
    It's not even uninstalling itself, nor infecting you with all the nasties from the primaries list if piracy were detected, nor making a big red hot button appear in the middle of your screen with the only connection to the DiamondCS shop to register your software; better said: ...... I never heard about successful TDS piracy.
     
  10. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just a followup on this one: the reason for the false alarm is that OXON, like a few other trojans, uses a small file to store recently connected IPs. This is done so the CLIENT has a HISTORY, and they are saved to a file as text.

    Since the default client comes with a text file which just includes "127.0.0.1", one can only assume that when someone added detection for this trojan they didn't even look at the file; they just clicked "add detection" for the file. If they HAD looked at it, they would (should) have thought to themselves, "I can't add a detection for that file, it does nothing."

    I just received an email about this, so it seems no one has fixed the problem. I've asked the customer to also contact the vendor about this, since it really is a simple oversight and should be corrected immediately.
     
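    Wayne's point in post 4 (an executable trojan signature should not even be applied until the first two bytes read "MZ"), his advice in post 8 (look at the bytes in a hex editor), and Gavin's explanation above (the vendor signed a trojan's one-line history file, which is indistinguishable from any other text file containing "127.0.0.1") can be shown together. The following is an added example written for this thread, not code from TDS, Spysweeper or the original posts. Both sample files and both signatures are constructed for the example: the hypothetical "history" signature reproduces the oversight Gavin describes, and the "PE marker" signature stands in for a real executable pattern.

```python
import string

# Constructed samples (not the real files): the one-line target list the
# thread describes, and a minimal blob with a DOS-style "MZ" header.
TARGET_TXT = b"127.0.0.1\r\n"
FAKE_EXE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 16

# Hypothetical signature table (name -> byte pattern).  The first entry is the
# mistake Gavin describes: a signature on the trojan's text history file,
# which matches any text file holding the loopback address.
SIGNATURES = {
    "Hypothetical.Oxon.history": b"127.0.0.1",
    "Hypothetical.PE.marker": b"PE\x00\x00",
}

PRINTABLE = set(bytes(string.printable, "ascii"))


def file_kind(data):
    """Cheap triage: 'executable' if it carries an MZ header, 'text' if every
    byte is printable ASCII, otherwise 'binary'."""
    if data[:2] == b"MZ":
        return "executable"
    if data and all(b in PRINTABLE for b in data):
        return "text"
    return "binary"


def hexdump(data, width=16):
    """The hex-editor view post 8 suggests: offset, bytes, ASCII column."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {ascii_part}")
    return "\n".join(rows)


def scan_naive(data):
    """Applies every signature to every file: this is what flags target.txt."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def scan_gated(data):
    """Applies executable-trojan signatures only once the file has an MZ
    header, the gate Wayne describes.  A plain text file never reaches the
    signature table, so the bad history signature cannot fire on it."""
    if file_kind(data) != "executable":
        return []
    return [name for name, pat in SIGNATURES.items() if pat in data]


if __name__ == "__main__":
    for label, blob in (("target.txt", TARGET_TXT), ("fake.exe", FAKE_EXE)):
        print(f"== {label}: {file_kind(blob)}")
        print(hexdump(blob))
        print("naive :", scan_naive(blob))
        print("gated :", scan_gated(blob))
```

    The naive scan reports the constructed target.txt as the history signature, reproducing the false positive; the gated scan reports nothing for it and still finds the marker in the MZ blob. The triage step is also the safe manual check from post 8: reading bytes and printing them executes nothing, whatever the file turns out to be.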
  11. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    I had this too with Spysweeper; it was a false detection, got rid of Spysweeper. :p
     
  12. poogimmal

    poogimmal Registered Member

    Joined:
    May 7, 2004
    Posts:
    79
    I got a registered copy of Webroot Spysweeper a few weeks ago, and I have registered TDS3 on this box, and I have scanned several times with Spysweeper and it doesn't find any "alerted files" in TDS3. (o_O) So you need to look a little deeper than just sending a msg to Webroot about a false positive, since it would seem you have something else, or I would be seeing it here.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you both have all scan options checked and the worm slider all the way to the right for highest sensitivity, and looking in NTFS ADS streams, everything, all partitions and logical drives on your system?
     
  14. Moore

    Moore Registered Member

    Joined:
    Mar 14, 2004
    Posts:
    82
    Location:
    land of ?z
    I didn't have TDS installed when it happened to me. I was just testing out Spysweeper for the first time back in 2002, and all it picked up was a text file.

    I just thought it was funny at the time, but I might give it another try and see what happens .. :p
     