Something to be concerned about?

Discussion in 'other security issues & news' started by 10390bc, Mar 15, 2004.

Thread Status:
Not open for further replies.
  1. 10390bc

    10390bc Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    88
    I recently tried to detect 5 of the latest leak tests w/ Pest Patrol, NAV, TDS-3, Trojan Hunter, & A2 and got very poor results (NAV=none, PP=detected firehole, TDS-3=detected leaktest but said it wasn't a trojan, TH=detected leaktest, A2=none). I know leak tests aren't real trojans, but shouldn't they all be detected? Is this something we should be concerned about? Thanks.
     
  2. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    IMO there's no real point in anti-trojan apps detecting these well known demo firewall exploits except to serve as a placebo for users who may be concerned because they don't.

    First, these are demo firewall leaktests to test firewalls in specific ways; the ones I'm familiar with were not designed to really mimic trojan behaviors (except perhaps for the simpler and "dumber" trojans) for the purpose of testing AT's. Second, they are not malware. Third, detection would simply be based on adding specific signature definitions to detect the demos. Such "hardwired" detection of firewall leaktests that are not malware proves nothing about the ability of the apps to detect real malware. An AT isn't any better at doing its real job by detecting these firewall leaktests and certainly no worse for not detecting them.

    It might make the user feel good that these demo firewall tests are detected, but I don't really understand why it would when such detection has no relevance to the capabilities of an AT at detecting real malware. To me such detection would be as useful as a doctor having a guy pee in a bottle so he can run a pregnancy test.

    IMO the detection of real malware by these apps should be your concern. Not the detection of demo firewall exploits that you know are not malware and were not specifically designed as demo malware for AT apps.

    I think Magnus of Trojan Hunter fame designed a demo trojan that, if I understand correctly, is supposed to be some sort of test for AT software. I really don't know much about it but you might check the TH site or their forum for info.
     
  3. 10390bc

    10390bc Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    88
    First I'd just like to say, I know so little about computer security that if just a few weeks ago someone asked me about trojans I probably would have responded: "Oh I don't use 'em, that's like taking a shower with a raincoat on." :D But seriously......... What if someone designed a trojan (malware) on one of the leak tests? Would it then still be undetectable to the AT's? And we already know most firewalls won't stop 'em so....... checkmate? Or am I way off with this one?
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Look, malware is always passing itself off as something harmless. That's how it gets people to download it in the first place.

    How do you figure that including known programs that are not malware in any way improves detection of actual malware? The actual malware would be a different program than the harmless leaktest...so detecting the harmless leaktest would mean nothing and not help in detecting the malware. I'm really not getting the logic here.

    If someone were to pass off a trojan infected app as a harmless leaktest:

    1) no doubt the malware would become rather quickly known just as any other malware is when it is relatively widely distributed, especially when malware poses as a quasi security related app;

    2) word would get out to potential users to warn them off;

    3) it also would rather quickly find its way into specific definition updates for various AV/AT programs as people capture and report malware that are in the wild and/or also by those developers who tend to snoop in the right places and manage to get their hands on malware to add to their collection for detection. Additionally, some AV/AT's might be able to detect it before specific updates are issued using generic or behavioral detection methods.

    4) In short, if there were malware in the wild disguising itself within a purported security test app, it would go the same way as other malware noticeably in the wild goes except with perhaps a likely higher profile: it gets discovered and programs' detections are updated to detect it if they do not already detect it in some generic fashion (like using heuristics or behavioral means of detection).

    5) The point I'm trying to get across is: having detection for a harmless leaktest in no way improves detection of real malware SINCE IT IS NOT MALWARE. All that would be detected would be the harmless leaktest. If a malware version was created and out in the wild, it would be a different program and so the "programmed" harmless leaktest detection that you want AT's to have would still be useless. New malware would either be caught by some generic or behavioral detection or when definition updates are developed to detect it.

    6) And if you're seemingly fixated on detection of these leaktests because you're worried that they're some sort of secret weapon that can defeat firewalls, don't worry about the leaktests. REAL malware exists that can bypass firewalls and the AT developers have known that for some time. I prefer that they detect the real malware that poses a potential threat; I don't care about harmless dummy demos.

    And besides, when an AT does have detection for a leaktest invariably at some point in time the rest of us wind up responding to newbies posting on messageboards, "My Brand X AT detects leaktest! It's a trojan! Don't download it!" When of course it isn't.
     
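    An added illustration of the point made in the post above (example code written for this page, not code from anyone in this thread). It contrasts a "hardwired" signature taken from a harmless demo with a generic behaviour rule. All three sample programs, the trace event names and the URLs are constructed stand-ins; none of it reflects a real product's detection engine.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for three program files (in reality: executable bytes).
# The demo leaktest and a hypothetical variant use the same trick to get past a
# firewall, but they are different programs, so their bytes differ.
DEMO_LEAKTEST = b"DEMO-LEAKTEST 1.0: launch default browser with a test URL"
VARIANT = b"SOME-OTHER-PROGRAM 2.3: launch default browser with a reporting URL"
BENIGN_EDITOR = b"TEXT-EDITOR 4.1: edit files, open online help on request"

# "Hardwired" detection: a SHA-256 signature taken from the harmless demo.
DEMO_SIGNATURE = hashlib.sha256(DEMO_LEAKTEST).hexdigest()


def signature_detects(sample: bytes) -> bool:
    """Static signature check: matches only the exact bytes it was built from."""
    return hashlib.sha256(sample).hexdigest() == DEMO_SIGNATURE


# Constructed runtime traces as (event, detail) pairs, the kind of record a
# behaviour monitor would keep. Event names are illustrative, not a real API.
Trace = List[Tuple[str, str]]

TRACES: Dict[str, Trace] = {
    "demo": [
        ("process_start", "demo_leaktest.exe"),
        ("window_shown", "none"),
        ("spawn", "browser.exe http://example.invalid/leaktest?id=1234"),
    ],
    "variant": [
        ("process_start", "update_helper.exe"),
        ("window_shown", "none"),
        ("spawn", "browser.exe http://example.invalid/report?data=abcd"),
    ],
    "benign_editor": [
        ("process_start", "editor.exe"),
        ("window_shown", "main"),
        ("spawn", "browser.exe http://example.invalid/help"),
    ],
}


def behaviour_detects(trace: Trace) -> bool:
    """Generic rule: a process that never showed a window of its own spawned a
    browser with a URL on the command line. It keys on what the program does,
    so it covers the demo and the variant alike, and ignores the editor that
    opened its help page from a visible window."""
    hidden = any(e == "window_shown" and d == "none" for e, d in trace)
    spawns_browser = any(
        e == "spawn" and d.startswith("browser.exe ") and "http" in d
        for e, d in trace
    )
    return hidden and spawns_browser


def compare_all() -> Dict[str, Tuple[bool, bool]]:
    """Return {sample: (signature_hit, behaviour_hit)} for the three samples."""
    files = {"demo": DEMO_LEAKTEST, "variant": VARIANT, "benign_editor": BENIGN_EDITOR}
    return {n: (signature_detects(files[n]), behaviour_detects(TRACES[n])) for n in files}


if __name__ == "__main__":
    for name, (sig_hit, beh_hit) in compare_all().items():
        print(f"{name:14s} signature={sig_hit!s:5s} behaviour={beh_hit}")
```

    The signature fires on the demo only, which is all a signature for a harmless demo can ever do. The behaviour rule fires on both programs that act alike, at the cost of needing care about false positives (the third sample is there to show the rule has to distinguish a hidden process from an ordinary application opening a help page).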
  5. 10390bc

    10390bc Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    88
    Thank you Sig for the in-depth explanation :) but if you don't like responding to newbies why do it; just let someone else respond who doesn't mind.
     
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hiya - just wanted to be sure you understood - While Sig might not always come off as the "fluffiest friendliest" or something like that - he certainly doesn't mind responding to newbies, etc... or he wouldn't. If he felt unhappy about replying here, I promise you he wouldn't have ;-)

    In addition; I am glad he has because I would not have known what to say! Anyway, I do think his explanation is quite exceptional and I certainly do not think you should feel offended in any way by it ;)

    Detox
     
  7. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Thanks, Detox. ;) I'm too old to be "fluffy." :mad: :D

    10390bc: My point was that such detections of legit tests leads to confusion in people who are not familiar with why the leaktest was included in the AT database. They think if their security apps detect it, it's malware. Since after all, detecting malware, not harmless legit programs, is what AV's and AT's are supposed to do.

    For example, GRC's leaktest (the first so called "leaktest" developed years ago) was included in some AT's definitions simply to satisfy some of their users who were upset that it wasn't detected. Although the AT may even include a notation that the GRC leaktest is a harmless demo, some people see the detection and think it's malware. I've seen threads over the years on other internet boards where someone would post that GRC's leaktest was malware because their AT detected it and warn people against using GRC.com because the site and its owner was distributing malware under the guise of security related apps.

    What surprised me in a recent thread of that kind was not the poster's confusion but the apparent willingness of some other posters to believe, based on the AT's detection of the program, that GRC was distributing malware. When instead GRC.com is a well known resource for a lot of helpful computer security info, especially for newbies since it's primarily geared to the average user. The promulgation of such misinformation about the site, based on a detection of legit software by a security app, is not helpful.

    So what it is I don't like is the potential for the spreading of FUD (fear, uncertainty and doubt) and misinformation that can result when AT's include harmless legit programs for detection.
     
  8. 10390bc

    10390bc Registered Member

    Joined:
    Mar 11, 2004
    Posts:
    88
    Thanks again Sig ! A very enlightening Post :) You are a true asset to this site. I'm sure this thread will help many a newcomer that may have similar concerns as i did.
     
  9. MomsHugs

    MomsHugs Registered Member

    Joined:
    Mar 17, 2004
    Posts:
    4
    Location:
    Midwest USA
    Excellent explanation of some great concern to me.... and don't worry about "talking down" to me. I'm here to learn as much as possible. Thank you & hugs to ya... :p

    PS: I'm not a complete 'puter dolt nor newbie, but the prospect of adding another anti-anything to my pc to ward off bad guys I know nothing about causes me to go into "homework overdrive mode" to learn all I can first.

    Attached is a pix of me at the computer.... borrowed of course from some good soul who created it & sent it out to be enjoyed by Cyberville residents.
     