Tauscan & detecting polymorphic trojans.

Discussion in 'other anti-trojan software' started by ChrisP, Sep 12, 2003.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    It is my understanding that Tauscan can't detect polymorphic trojans.
    (See: http://www.wilders.org/anti_trojans.htm)

    I have tracked down the names of some polymorphic trojans such as MoSucker, Donald Dick etc, and have found that Tauscan does detect them!

    Can someone explain how an AT which can't detect polymorphic trojans detects polymorphic trojans?

    Is it a case of "polymorphic" - "smolymorphic"!
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Chris, you didn't mention how many trojans you generated before scanning. I say this because it's common to simply generate one server (or use a 'pre-generated' server that comes with the trojan download), but when dealing with polymorphic trojans you should generate at least 1000 servers to scan :)
     
  3. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Hmmm. I sort of see.

    I have not scanned any trojans - I just looked in Tauscans database of known trojans and found these listed.

    Are you saying that each server will be generated with a new identity and that Tauscan has a fingerprint for only a set number of these - rather than using a generic or heuristic system to identify any variety of the server?

    I would have thought that if the server morphed completely it would be impossible to detect under any system of analysis, as each time 100% of the code would be different. My point is that in order for a trojan server to perform its task there must be some of the code which does not change - so I would guess that if this bit of code is identified then there is no need to have "smolymorphic" detection.

    I have been told by the developer of Trojanremover that true polymorphic trojans are a myth.

    Opinions please.

    I'm asking these questions as I run F-Secure - but have found some names of trojans which don't appear in their list on their website - so am looking for a way to cover my system.

    I'm assuming F-Secure detects polymorphic trojans?
     
  4. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    You can't just compare the list of names for malware to verify whether a program detects them or not. Every vendor gives the detected malware (slightly) different names. Especially those names given by AV companies differ much from those given by AT companies.

    And your question regarding 'polymorphic trojans' and F-Secure: Every av scanner can normally deal with polymorphic malware.

    wizard
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Chris,

    Confirmed by Mikheal Zakhryapin, software developer from Agnitum/Tauscan approx. 2 years ago by email: "Tauscan has to be rebuilt from scratch".

    regards,

    paul
     
  6. xor

    xor Guest

    Yes true.
    You need at least some basic wildcard scanning for this. (SMorph Dropper for instance - used with Donald Dick)

    (Means no static pattern) or generic detection "plugins".
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hey man you're safe.. every trojan tauscan nails, f-secure nails better..just stick with it..
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    This thread might be interesting as an example then?
    I mean with the link to the site and screenshots etc, so you have an idea.
    http://tds.diamondcs.com.au/index.php?page=polymorphictrojans
     
  9. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    No clear answers then. Does it detect MoSucker and the other "polymorphic" trojans in its database or not? It's a simple question.
     
  10. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    MoSucker isn't polymorphic. There are only two trojan scanners that can detect polymorphic trojans. TrojanHunter (http://www.misec.net/trojanhunter) is one of them. The other isn't Tauscan ;)
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Magnus, I really liked the discussion in which you participated among the other developers in the thread I mentioned above! I think it is a real golden thread which deserves special attention for the discussion and the way the developers cooperate to help secure the internet community from the nasties. So there are only winners here!
     
  12. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Jooske you're right! the thread you referred to is one of wilders's all time classics...
     
  13. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Magnus. According to TDS, MoSucker is polymorphic. Donald Dick is also polymorphic - Tauscan (which does not detect polymorphic trojans) detects them both.

    Also, Trojanremover - which, if Wilders is to be believed, does not detect polymorphic trojans - detects both of these - and polymorphic trojans - I have an email from the developer to confirm this if you are interested!

    Just as a matter of interest - can you name me one single trojan which Trojanhunter detects which F-Secure can't? If you can't name one, then I see little point in anyone having your software.

    As to your email to me in which you state that Trojanhunter has the advantage as it uses heuristics to detect unknown trojans - I feel I must point out that F-Secure also uses heuristics.

    Your website mentions the Beast trojan and something about process injection etc. - I would also like to point out that F-Secure detects the Beast.

    So over to you - or anyone - tell me a single trojan Trojanhunter - or any AT - detects that F-Secure can't.

    It's clear to me that this polymorphic business is rubbish.
     
  14. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    > It's clear to me that this polymorphic business is rubbish.
    Chris, I'd encourage you to generate 1000 or more Donald Dick servers. Find as many anti-virus/anti-trojan/etc scanners as you can, and scan all 1000+ servers to see which scanners are actually capable of detecting polymorphic servers, and then tell me if their detection is rubbish... :) I think you'll be very surprised.
     
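An added example, not code from this thread or from any of the products discussed in it. It illustrates two points made above: xor's remark that detecting a polymorphic server needs wildcard scanning (no static pattern) or a generic detection routine rather than a fixed byte signature, and Wayne's suggestion to generate a large batch of servers and scan all of them rather than one. It also shows ChrisP's earlier intuition at work: the part of a server that must stay constant for it to function (here a toy decoder stub) is exactly what a wildcard or decrypt-then-scan check keys on. The "trojan" is a constructed toy (random junk prefix, a fake decoder stub carrying a one-byte XOR key, an XOR-encoded payload); the stub bytes are not real machine code and no real trojan family is modelled. Every name, constant and string in the block is an assumption made for the example.

```python
"""Toy demonstration of why a fixed byte signature misses a polymorphic
server while a wildcard signature or decrypt-then-scan logic catches it.
All bytes and strings are constructed for the example; the 'stub' is not
real machine code and no real trojan is modelled."""
import random
import re

# Constructed invariant part of the toy decoder: every generated server
# carries these bytes, with a one-byte XOR key in between that changes.
STUB_HEAD = b"\xeb\x0b\x5e\xb0"
STUB_TAIL = b"\x30\x06\x46\xe2\xfb\xff\xe6"
# Constructed plaintext payload; in a real server this would be the code
# and strings that must survive unchanged for the server to work.
PAYLOAD = b"constructed payload: connect back to operator, accept commands"
MARKER = b"connect back"


def generate_server(rng):
    """Emit one 'polymorphic' server: random junk prefix, the decoder stub
    with a freshly drawn key, then the payload XORed with that key."""
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(64)))
    stub = STUB_HEAD + bytes([key]) + STUB_TAIL
    body = bytes(b ^ key for b in PAYLOAD)
    return junk + stub + body


def static_signature(sample, length=16):
    """What naive signature extraction does: copy raw bytes from one
    sample, starting at the decoder stub (key byte and encoded body included)."""
    start = sample.find(STUB_HEAD)
    return sample[start:start + length]


def scan_static(sample, signature):
    """Plain substring match, the 'static pattern' approach."""
    return signature in sample


# Wildcard signature: the single byte between head and tail may be anything.
WILDCARD_RE = re.compile(
    re.escape(STUB_HEAD) + b"(.)" + re.escape(STUB_TAIL), re.DOTALL
)


def scan_wildcard(sample):
    """Match on the invariant stub only, ignoring the variable key byte."""
    return WILDCARD_RE.search(sample) is not None


def scan_decrypt(sample):
    """Generic detection: locate the stub, read its key, undo the XOR and
    look for the invariant payload string underneath."""
    m = WILDCARD_RE.search(sample)
    if m is None:
        return False
    key = m.group(1)[0]
    decrypted = bytes(b ^ key for b in sample[m.end():])
    return MARKER in decrypted


def run_trial(count=1000, seed=1337):
    """Generate `count` servers and report how many each scanner flags.
    The static signature is taken from server 0 only, as a vendor would
    take it from the one sample they received."""
    rng = random.Random(seed)
    servers = [generate_server(rng) for _ in range(count)]
    sig = static_signature(servers[0])
    return {
        "static": sum(scan_static(s, sig) for s in servers),
        "wildcard": sum(scan_wildcard(s) for s in servers),
        "decrypt": sum(scan_decrypt(s) for s in servers),
    }


if __name__ == "__main__":
    print(run_trial())
```

With the default batch of 1000 servers, the static signature lifted from server 0 only matches the handful of other servers that happened to draw the same key, while the wildcard and decrypt-then-scan checks flag all 1000. That is the shape of the test Wayne proposes: a scanner that lists a family by name may carry a signature for one or a few generated servers, and scanning a single sample will never expose that.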
  15. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Waiting for you to name one trojan your software detects that F-Secure can't......
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Chris, it's clear you made your choice, so be happy with it!
    It's not up to vendor A to compare and test product B for users; you as a user need to be happy, and it seems you are. If they give information about differences it's just extra support.
    I can tell you I use F-Secure among others as a backup scanner, but for worm/trojan/keylogger/spybot/dialer/DRAT detection, memory scans, generics, mutexes, I go for the specialists in this exact field, and I know they made so many tools, many even for free, which says nothing of the real value nor about the other products' quality.
    My personal choice is clear if you look at my signature.

    I really would recommend you shop around, install one product and test it and then another; you seem to be able to create or gather hundreds of test files, so do that and see what it does on your system.

    I'll give you a stupid comparison:
    If you buy a vacuum cleaner for your house you expect it to clean without spitting out the dust at the back, nor sucking the whole carpet inside, nor leaving the dust behind. And a few more ifs, this and that.
    So the same with a scanner: what does it do, does it delete each "suspicious file" while it might be completely legal, or does it leave things behind, etc. And look especially at how the software is made, what it does, which areas it covers, can you understand it, does it have daily updates, etc. etc. etc., how is support. Wayne has on the DCS pages some info on what to look for in a scanner and what might be important for you, etc. Very interesting reads.
    So promise yourself, since you are not happy with part of your software -- if you were you wouldn't ask for advice on other products -- don't pay for any product at this moment; wait, shop around and come back with your experiences.
    We are on the threshold of several vendors soon releasing new products, so give yourself all the time to get really informed and ask your questions in the forum with an open mind.
    Don't just look in the databases of names, as several of the top products also detect code, not just names, for otherwise if a trojan coder renamed S7 into something innocent it would not be detected, which is rubbish of course.
    So listen to the advice of the people here; you're in the circumstance that very knowledgeable people and vendors of top-notch products themselves contribute to helping you in an honest way with your questions, so please take the advice seriously.
    Thanks! and in the meantime be safe!
    Hope to read your shopping-around experiences soon.
     
  17. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    I understand what you say. I too use a variety of tools to protect specific areas of my security.

    I use SpyCop for detecting Keyloggers, F-Secure as my AV, BlackICE as my firewall, SpyStopper to protect me from Webbugs & scripts etc, Adaware Pro for protection against Adware etc, I also have a number of other security apps as well.

    Whilst I understand that no single application gives a user protection on all fronts, I do have two main issues:

    Firstly, there has been a concerted effort over the last 18 months or so to convince people that a dedicated antitrojan application is required if a user is to be protected from trojans, as it is argued that antivirus programs can't detect trojans effectively.

    Concerning this first point I would argue that there is no objective proof of this. In fact many tests have shown that the majority of ATs are nowhere near as good as AVs at detecting trojans. The main problem is that there are no up-to-date objective assessments.

    My second concern is that of the polymorphic trojans.

    It is a fact that this and other security sites have stated that only TDS and Trojanhunter detect polymorphic trojans. (Presumably ignoring the fact that most AVs detect polymorphic trojans!)

    Diamond CS have stated that MoSucker is a polymorphic trojan.

    It has been stated here that Donald Dick is a polymorphic trojan.

    Both of these trojans are listed as being detected in Tauscans database and are said to be detected by the developer of Trojanremover.

    Therefore logic dictates that either:

    1- The software developers for Tauscan and Trojanremover are liars and their products do not detect these trojans.

    or

    2- That these trojans are not polymorphic in the true sense of the word and can be detected by normal methods.

    I'm just a consumer of products - I'm not a security expert, but I'm irritated by the confusion generated by the misinformation or imprecision from software producers here.

    If we forget about trojans and just imagine we are concerned with detecting "triangles".

    A vendor stated that we should all be concerned as no software other than his can detect a particular colour of triangle (say red) - we would all be concerned that our existing triangle detection product is no good, as every nasty person out there will be sending us red triangles from now on - just to annoy us!

    We later find that, despite what we have been told, our existing triangle detection system IS in fact spotting red triangles. Now the vendor who told us that his was the only system for detecting red triangles can come up with any argument he likes - the fact remains that either the triangles he and we are currently detecting are not truly red (perhaps they are a dark pink) or our existing triangle detection machine does detect red triangles after all.

    You stated that I should generate 1000 servers to see if Tauscan detected them all. I and many other people don't have time to do this - so let me ask you a simple question:

    Have you ever generated a Donald Dick server which Tauscan can't detect, and if so can you supply proof of this to us?

    If you can, please indicate to me where I can download it so I can test it for myself. (I should be safe as my non-AT F-Secure will detect it should Tauscan fail.)

    I'm honestly interested in any replies - not just looking to wind you up.

    ChrisP
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you read the thread and the fine example site with screenshots and all that, but most of all the very interesting discussion thread? A good read to see how this DD is dealt with.
    There is a difference between detecting and dealing with it without too many false positives.
    I love to tell my story about having found a nasty spybot which itself was infected by a virus, and that whole package again by another virus. Big fun to detect that and finding that one of the main AV/AT programs found nothing, while I, analysing the package, could see with my bare eyes it was not OK, and bigger fun the reaction from the TDS lab, to whom I sent the sample, that I was right and how it was exactly with that one. It's nice, and I can tell you DCS support educated me to be able to do such detections in a safe way without endangering myself and the internet community.
    I refound the joy and fun of security thanks to this support and education and outstanding software, of course.
    There is a generally respected top three in top-notch AT software, and if your personal choice is TH, TDS or BOClean of those three, you're on the secure side.
    It is not the case that people say they are the only ones to detect and deal with some nasty kind while everybody would know the same thing is detected by all the others, as the AT vendors mentioned here are serious people, as your only conclusion can be if you really read the golden thread.
    The naming/typing of several nasties can be confusing: some are named as worm, virus, trojan, so what are they and which software should deal with them?

    Careful with the red triangles while shopping around! Download and try the evaluation versions, see what they do and whether you like them. Not that it's really necessary, but there are people who have all three.
    BTW: while shopping around and waiting for the new product from the vendors mentioned (really worth it!), with your Tauscan and the evaluation versions of TH and TDS (BOClean has no eval but a very good money-back policy, just like the other two) and F-Secure and occasional online scans you're probably rather safe for the moment, so give yourself time, do something with the software; writing about the if-this and if-that costs even more of your busy time than trying and seeing with your own eyes on your own system! As we can all say, it's nice for the red triangles, but maybe we don't like red but blue while you expect yellow, so... please try what you can and take your time.

    It's not even always possible to say which is better, as all work in very different ways.
    Like I said, we don't want you to spend your money if you're not really, really sure. Everybody wants you just to be happy with your tools and that they are adding to your security in the best ways.
    At least make sure you grab all the free tools from the pages, as they are really valid and very handy, some even rather revolutionary!
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Chris,

    It's really quite simple: contact Mikheal Zakhryapin (CEO of Agnitum/Tauscan). We do have his email stating Tauscan has to be rebuilt from scratch stashed over here. I'm sure you will get the same answer from the horse's mouth - and is there a more trustworthy source? ;)

    regards.

    paul
     
  20. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Hi Paul,

    The statement that Tauscan needs to be rebuilt from scratch is in itself meaningless in this context and could be taken to mean anything. E.g. I would agree that it needs to be redeveloped - to make it faster - as it takes 8 hours to scan my PC!

    You and others here keep using this statement to try and show that Tauscan does not detect Polymorphic Trojans - when the statement says no such thing.

    On the other hand the following email from Agnitum CLEARLY STATES THAT TAUSCAN DOES DETECT TROJANS YOU CALL POLYMORPHIC:

    Dear Chris,

    Thank you for email.

    > *Tauscan
    > *Trial
    > *Chris
    > *(EMAIL ADDRESS REMOVED)
    > *Windows XP
    > *I have been told that Tauscan can't detect polymorphic trojans,
    > however, I notice that it has the "MoSucker" and "DonaldDick" trojans in
    > its database - which are supposedly polymorphic. Can Tauscan detect
    > polymorphic trojans or is it the case that true polymorphic trojans
    > are only a myth

    Our Trojan analysts do think so.

    > and that the level of
    > polymorphism in all existing trojans is so low that they can be
    > detected by Tauscans existing methods?

    Usually it is so. Tauscan detects even those Trojans which some call 'polymorphic'.

    Let us know if we can be of further assistance.

    Best regards,
    Vasilisa
    Agnitum Support Team
    www.agnitum.com/support/

    > Many thanks.
    > *

    Also this is the email I received from the developer of Trojanremover WHICH STATES THAT TROJANREMOVER DOES DETECT POLYMORPHIC TROJANS:

    Yes.

    Nigel

    ========Original Message========
    Subj: MoSucker etc
    Date: 19/09/2003 12:03:08 GMT Daylight Time
    From: (EMAIL ADDRESS REMOVED)
    To: simplysupsupport@aol.com
    Sent from the Internet (Details)
    Hi. Can your software detect MoSucker, DonaldDick and other polymorphic Trojans.

    Thanks

    (PLEASE NOTE - HIS ANSWER IS AT THE TOP OF THE EMAIL)

    So, there you go. These emails clearly show that both Tauscan and Trojanremover detect polymorphic trojans. In the light of this, I'm sure you will be removing the statement from your review of trojan detection software that these applications can't detect polymorphic trojans - unless you are going to call both these developers liars!

    ChrisP
     
  21. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Chris,

    That's a nice email from Vasilisa/Tauscan. I can produce an email from the CEO Mikhael Zakhryapin of Agnitum, answering the question of whether Tauscan can handle so-called "polymorphic" trojans: "No. Tauscan has to be rebuilt from scratch" - dated December 2001.

    This has even been confirmed on the (now no longer existing) Agnitum Forum.

    I tend to believe the outspoken reply from the CEO above a kind - but incorrect - email from an employee.

    As stated before: contact Zakhryapin directly. Feel free to mention his email to us in this regard.

    And no - I'm far from calling Mikheal Zakhryapin a liar; he's telling the truth.

    regards.

    paul
     
  22. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Ok, explain to me how Tauscan detects Donald Dick and Mosucker - which are polymorphic.

    Also explain how Trojanremover detects these and all other polymorphic trojans.

    When you have finished with that, explain to us all how Pest Patrol also detects these trojans when you insist these scanners can't detect polymorphic trojans.

    The fact of the matter is you are wrong. It's not a matter of opinion or debate - it is a fact that you are not right when you say that Trojanhunter and TDS are the only scanners to detect polymorphic trojans.

    I'm not interested in what someone may have said 2 years ago - it turns out that standard scanners do detect polymorphic trojans, as true polymorphism does not exist.

    QED

    Regards.
    ChrisP
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Chris,

    I've been reacting in regard to Tauscan from the start - and keep doing so.

    "Someone"? o_O We are talking about the Big Boss from Agnitum/Tauscan here...

    A matter of semantics - I stated "so-called polymorphic" for good reasons.

    Oh well. We do have the written statement from the CEO from Agnitum on this subject, and you've decided the opinion of "someone"/CEO Tauscan is of no importance. I'll rest my case....

    regards.

    paul
     
  24. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    OK, you say you are only talking about Tauscan - so what about Trojanremover? Since the developer himself states clearly that it does detect polymorphic trojans.

    And what about Pest Patrol?

    Give me the email address of the CEO of Agnitum and possibly he can explain how it is that his antitrojan, which does not detect polymorphic trojans, does in fact detect polymorphic trojans.

    Your last reply does not answer any questions - try explaining how these antitrojans are detecting polymorphic trojans.

    ChrisP
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Might be interesting to ask which date the detection was added to the databases. And are they detected or also cured?
     