process-injecting trojans

Discussion in 'Trojan Defence Suite' started by Hipgnosis, Aug 26, 2003.

  1. Hipgnosis

    Hipgnosis Registered Member

    Joined:
    Aug 26, 2003
    Posts:
    297
    Location:
    Witness Protection Program
    Hello,

    I am shopping around for a trojan detection/removal application.

    I downloaded the trial version of TDS yesterday and liked the ease of use and the many features. I am seriously considering purchasing TDS but before I make a final decision I have a question.

    In my search for an "anti-trojan" application I noticed a claim at the "TrojanHunter" website and wanted to get a TDS perspective on this:

    "This new version of TrojanHunter makes TrojanHunter the only trojan scanner on the market capable of cleaning process-injecting trojans"

    Is this important? Does TDS perform the same or a similar task?

    thanks in advance for your feedback,

    Hipgnosis
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Hipgnosis & welcome, I am not familiar with TH's claimed capabilities :D TDS3 uses over 17 ways of detecting Trojans & has daily updates to its database.
    With the trial version you will have to get the radius file from here: http://tds.diamondcs.com.au/index.php?page=update and place it in your TDS3 main directory.
    Also the trial version does not include "Execution protection", which is the resident part of TDS3.

    I am sure that DCS will answer your question directly in a few hours, as they are based in Perth, Australia and it is the middle of the night there :D

    Some things to consider: a Trojan detection system with many useful scanning & Trojan hunting utilities, regular updates made by a dedicated team, scripting / command line abilities, free upgrade to TDS4 & support which is second to none.

    HTH Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Hipgnosis,
    Pilli already mentioned some terms, like the tools and scripting -- if you run XP/NT/2000 you can also add the free tools especially for those systems, like the very advanced APM to inject yourself into processes, and in the scripting add extra functions (in the private TDS registered-operators-only forum people work together on very fine scripts adding functions not thought of on the internet, as far as I'm informed) etc.
    For the other technical details DCS will add their advice.
    For me, since my first install several years ago I have never been without TDS, WormGuard and recently Port Explorer, the three working very fine together on various levels and each in their own special area.
    TDS is so very strong in detection and protection and keeps us in the driver's seat.
     
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I was asked this question recently; I believe that quote is BADLY worded. TDS can remove process-injecting trojans, anyone can remove an injected DLL. It just doesn't AUTOMATICALLY remove it from the process it was injected into. TDS doesn't rely on techniques that are not yet perfect, it relies on you the user (ok, and us, support :D)

    The best way to remove them is from Safe Mode anyway, where the trojan is not live. Also, any DLL trojan uses an EXE (dropper) which can be deleted by TDS - on rebooting, the trojan will not go live again, and the DLL will also be deleted without any fuss.

    Of course the most fun way, you can use APM (freeware) to unload the trojan DLL and then delete it too :)

    However the other point still remains the most important - if the DROPPER is not detected, there is no point detecting the DLL. The user will reboot, the trojan DLL will be back, injected inside whatever process, and will need to be killed again.. and again..
     
  5. Andreas Haak

    Andreas Haak Guest

    >Of course the most fun way, you can use APM (freeware) to unload the trojan DLL and then delete it too

    Not exactly. APM does a simple FreeLibrary inside the remote thread. This works in some cases - but not in all - especially not if you are infected with a DLL-injecting backdoor like Beast 2.x, for example.

    You can only do a FreeLibrary if a DLL is not used by any thread anymore. So first you have to kill all threads that use the DLL and THEN you can do a FreeLibrary.
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, the present version of APM just invokes FreeLibrary, it doesn't terminate the threads from the DLL yet but this is relatively easy to add and is on the To Do list, but we have other priorities.
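
The technique under discussion, a remote thread that calls FreeLibrary on the injected module, with the thread-termination step Andreas Haak says must come first, as an added PowerShell example. This is not APM, TDS or DiamondCS code. It assumes an elevated Windows prompt, a process name and DLL file name supplied by the operator (the `notepad` / `injected.dll` values in the comments are placeholders, not identifiers from this thread), that kernel32.dll is mapped at the same base in the caller and the target (true for all processes until the next reboot), and that the script runs with the same bitness as the target. The "threads started inside the DLL" filter is a heuristic: it catches threads whose entry point is in the module; on some Windows versions the reported start address is a loader stub and a stack walk would be needed instead.

```powershell
# Added example (not APM, TDS or DiamondCS code). Windows only; run from an
# elevated PowerShell whose bitness (32/64) matches the target process, because
# the FreeLibrary address is taken from this process's own kernel32.
param(
    [Parameter(Mandatory)][string]$ProcessName,  # e.g. 'notepad' (placeholder)
    [Parameter(Mandatory)][string]$DllName,      # e.g. 'injected.dll' (placeholder)
    [switch]$KillThreads                         # opt in to the thread-termination step
)

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool TerminateThread(IntPtr hThread, uint exitCode);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr attrs, uint stackSize,
    IntPtr startAddress, IntPtr parameter, uint flags, out uint threadId);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, ExactSpelling=true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32.dll")]
public static extern uint WaitForSingleObject(IntPtr handle, uint ms);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_ALL_ACCESS = 0x1F0FFF
$THREAD_TERMINATE   = 0x0001

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$mod  = $proc.Modules | Where-Object { $_.ModuleName -ieq $DllName }
if (-not $mod) { throw "$DllName is not loaded in $ProcessName (PID $($proc.Id))" }

$base = $mod.BaseAddress.ToInt64()
$end  = $base + $mod.ModuleMemorySize
Write-Host ("{0} mapped at 0x{1:X} (size 0x{2:X}) in PID {3}" -f $DllName, $base, $mod.ModuleMemorySize, $proc.Id)

# Step 1 (the part the current APM skips): threads whose start address lies
# inside the DLL are the trojan's own threads. Unmapping the module while they
# run is the freeze/crash described in this thread. TerminateThread abandons
# whatever locks and heap state those threads hold, so it is opt-in.
$owned = @($proc.Threads | Where-Object {
    $s = $_.StartAddress.ToInt64(); $s -ge $base -and $s -lt $end
})
Write-Host ("{0} thread(s) started inside {1}: {2}" -f $owned.Count, $DllName, ($owned.Id -join ', '))
if ($KillThreads) {
    foreach ($t in $owned) {
        $h = [Win32.Native]::OpenThread($THREAD_TERMINATE, $false, [uint32]$t.Id)
        if ($h -eq [IntPtr]::Zero) { Write-Warning "OpenThread($($t.Id)) failed"; continue }
        [void][Win32.Native]::TerminateThread($h, 0)
        [void][Win32.Native]::CloseHandle($h)
    }
}

# Step 2 (what APM does): FreeLibrary's address in our kernel32 is valid in the
# target too, and an HMODULE is just the module's base address, so a remote
# thread with start=FreeLibrary and parameter=base unloads the DLL.
$hProc = [Win32.Native]::OpenProcess($PROCESS_ALL_ACCESS, $false, $proc.Id)
if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed (not elevated?)" }
$freeLib = [Win32.Native]::GetProcAddress([Win32.Native]::GetModuleHandle("kernel32.dll"), "FreeLibrary")

# FreeLibrary only decrements the load count; a DLL that was LoadLibrary'd
# more than once needs more than one call, so repeat (bounded) until it is gone.
for ($i = 0; $i -lt 8; $i++) {
    [uint32]$tid = 0
    $hThread = [Win32.Native]::CreateRemoteThread($hProc, [IntPtr]::Zero, 0, $freeLib, $mod.BaseAddress, 0, [ref]$tid)
    if ($hThread -eq [IntPtr]::Zero) { throw "CreateRemoteThread failed" }
    [void][Win32.Native]::WaitForSingleObject($hThread, 5000)
    [void][Win32.Native]::CloseHandle($hThread)
    $proc.Refresh()
    if (-not ($proc.Modules | Where-Object { $_.ModuleName -ieq $DllName })) {
        Write-Host "$DllName unloaded; the file can now be deleted. Remove the dropper too, then reboot."
        break
    }
}
[void][Win32.Native]::CloseHandle($hProc)
```

The order matters for the reason given above: a mapped image file cannot be deleted, so the unload has to succeed before the file can go, and the unload only succeeds cleanly once nothing is executing inside the module. Against a DLL sitting in winlogon the termination step can still take the host process down, which on that process means a forced reboot; that is why the Safe Mode route recommended in this thread remains the safer one, and why the dropper has to be removed as well or the DLL is simply re-injected at the next boot.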
     
  7. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    I also wanted to mention, like Andreas Haak, that APM unfortunately has no chance at all against the Beast 2.01/2.02 winlogon DLL injection trick.

    APM and the whole system start to freeze in that case; this is very irritating!
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    We'll add a removal routine as soon as possible; for now reboot to Safe Mode to ensure removal, or just kill all droppers first and reboot :) The DLL won't be loaded, so delete it.

    Remember this is still a better solution than any AV offers for removals. We have been researching this and other (worse) problems for quite some time and want perfect or near perfect clean removal in upcoming TDS products :)
     