Tauscan & detecting polymorphic trojans.

Discussion in 'other anti-trojan software' started by ChrisP, Sep 12, 2003.

Thread Status:
Not open for further replies.
  1. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    P: "The earth is flat"

    C: "But I have sailed in a straight line and rather than falling off the edge, I came back to where I started, so it must be spherical and not flat."

    P: "The Earth is flat. I have a letter which says so"
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Have you generated 1000+ servers and scanned them like Wayne suggested?
    Dolf
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    ChrisP,

    Why bother posting a question if you are going to categorically disregard every answer?
     
  4. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Disregard answers - I have not had any that answer any question I have asked.

    You don't need to be a professor of logic to find fault with what Paul and others are saying here.

    "Tauscan can't detect polymorphic trojans"

    "MoSucker and Donald Dick are both polymorphic trojans"

    Therefore logic dictates that Tauscan can't detect MoSucker or Donald Dick - trouble is, it can.

    Therefore, one of the following must be true:

    "Tauscan detects polymorphic trojans"

    "Polymorphic - schmollymorphic!"

    As to the question "have I generated 1000 servers" - no, I have not, as I don't have the time or the willpower!

    Why doesn't the developer of an AT which "detects polymorphic trojans" generate as many servers as is required so as to find one that Tauscan can't detect - and when they have, give me a copy to show how my copy of Tauscan can't detect it. This is a serious challenge. Send me an unaltered Donald Dick or MoSucker server that Tauscan can't detect and you will have proved your case.
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Don't worry, the Tauscan people - and with this I mean the BIG BOSS himself - are informed in the meantime about your worries; if they don't find it necessary to react, don't blame us for it.
    You have Tauscan and paid for it, so be happy with it; nobody tells you to get rid of it, but you yourself started this conversation with your worries and since then are not willing to listen to any reactions or answers, so please do not listen to any respected and experienced advice to look and compare, nor try other software on your own system to have there all those 1000+ servers which you could have created automatically in the meantime, as long as this thread has been running now.
    And most of all don't even look if other AV, AT, AV/AT, AW, p-p mapper software runs beside it and could give more protection and insights into all that's happening on your system.
    If Tauscan doesn't react I guess this thread can be closed as well, as it's not adding any news since the first or second reaction.
    Good luck in security country!
     
  6. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    You imply I am not interested in other security software. This is not true. I have a variety of security apps on my system and I'm willing to try others as they come along.

    My point here has been to clear up what I see as contradictions.

    As yet, I have had no proof given to me that I'm wrong.

    I couldn't care less about Tauscan, but I want some proof - not just hearsay - that this polymorphism business is real.

    What am I to think when the developer of Trojan Remover tells me his software detects polymorphic trojans and I see with my own eyes that Pest Patrol and Tauscan remove trojans which you guys say are polymorphic?

    I'm not just going to take what I'm told here, as I need proof - which has not been supplied yet.

    I want to know the developers of TDS and Trojanhunter are not making misguided claims when they state their software does something no other can.

    Cheers

    ChrisP
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    No they don't.
    Enjoy the rest of your weekend.
    Post the test results of your 1000+ self-created servers with the various AT products on your system, in a nice table. Thanks.
    Plus the email replies of the big bosses of each of those software products, not just "somebody" of the employees from each of those companies.
    Looking forward to those postings.
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Go search for Donald Dick 1.55
    Read the readme that comes with the "server generator"
    Generate a server, rename it to 1.exe
    Generate ANOTHER server, rename it to 2.exe

    Time so far 5 minutes including search, download on modem, generate.

    Scan 1.exe and 2.exe with whatever you like
    Hex edit both and click COMPARE these 2 files. It's not polymorphic, to try to put it simply, because it isn't rewriting or morphing code. But it is a generator which uses encryption algorithms to generate vastly different looking code TO A SCANNER.


    ...
    PROOF of antivirus vs trojans is all in seeing the general underground consensus on AV. They are the ones who USE trojans against you.

    Go find a trojan userboard. Read at least 10 threads (I've read about a million in my time). You will irrevocably find MANY on bypassing antivirus scanners by file patching. The ONLY method required is a file patch. Antivirus scanners do not scan memory for trojans because they use unpacking (well, the best ones do). BUT THIS IS A WEAKNESS now for obvious reasons. They do only scan memory for memory resident viruses which require that approach.

    You will also find offers to buy private undetectable trojan servers that are recompiled to avoid AV detection. These can be detected by string scanning in memory and many other scans TDS and other SPECIALIST TOOLS use above and beyond a file/heuristic scan. You also need tools to analyse your ports and running processes/DLLs.

    We offer most of the tools you need and support will offer you other ideas - of course you need an AV and firewall, we recommend these :)
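    To make the point about generated servers concrete, here is an added example in Python; it is not code from this thread or from any of the products discussed. It models a generator's per-build encryption as XOR with a different key per build, uses a harmless constructed byte string as the "server body", and shows three things a defender would want to see: the two builds are the same length but differ in a large fraction of their bytes (the hex-edit-and-compare step), a byte signature copied from the raw bytes of 1.exe does not hit 2.exe, and a string scan over the decrypted in-memory form finds both. The body, keys and signature are all constructed assumptions for the demonstration.

```python
"""Added example (not from the thread): why a file signature taken from one
generated server misses a second build by the same generator, and why a string
scan over the decrypted, in-memory form still finds it.

Everything here is constructed: the "server body" is a harmless byte string,
and the generator's encryption is modelled as XOR with a per-build key.
"""
from itertools import cycle

# Constructed plaintext "server body": filler plus two strings a string
# scanner might key on.  It does nothing; it is just bytes.
SERVER_BODY = (b"\x90" * 24
               + b"CONSTRUCTED_MARKER_STRING"
               + b"\x00" * 24
               + b"constructed.callback.invalid"
               + b"\x00" * 8)

# Signature an analyst would pull from a decrypted sample (constructed).
SIGNATURE = b"CONSTRUCTED_MARKER_STRING"


def build_server(body: bytes, key: bytes) -> bytes:
    """Model one run of a server generator: same body, fresh key, so the
    on-disk bytes differ from every other build.  XOR stands in for whatever
    encryption a real generator uses."""
    return bytes(b ^ k for b, k in zip(body, cycle(key)))


def decrypt_in_memory(build: bytes, key: bytes) -> bytes:
    """What the build's stub does at run time: restore the body in memory.
    XOR is its own inverse, so this is the same operation again."""
    return build_server(build, key)


def file_scan(build: bytes, signature: bytes) -> bool:
    """Plain byte-signature scan of the file as it sits on disk."""
    return signature in build


def memory_scan(build: bytes, key: bytes, signature: bytes) -> bool:
    """String scan over the decrypted image: a real memory scanner reads the
    process memory rather than knowing the key, which this model stands in for."""
    return signature in decrypt_in_memory(build, key)


def byte_difference_ratio(a: bytes, b: bytes) -> float:
    """The 'hex edit and compare' step: fraction of byte positions that differ."""
    length = max(len(a), len(b))
    differing = sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))
    return differing / length


def run_comparison() -> dict:
    """Build two servers with different keys and compare what each scan sees."""
    key1, key2 = b"key-one!", b"key-two!"   # constructed per-build keys
    one_exe = build_server(SERVER_BODY, key1)
    two_exe = build_server(SERVER_BODY, key2)
    # A naive signature taken from the raw bytes of 1.exe at the marker offset.
    sig_from_1 = one_exe[24:24 + len(SIGNATURE)]
    return {
        "same_length": len(one_exe) == len(two_exe),
        "difference_ratio": byte_difference_ratio(one_exe, two_exe),
        "raw_sig_hits_1": file_scan(one_exe, sig_from_1),
        "raw_sig_hits_2": file_scan(two_exe, sig_from_1),
        "plain_sig_on_disk_1": file_scan(one_exe, SIGNATURE),
        "memory_scan_1": memory_scan(one_exe, key1, SIGNATURE),
        "memory_scan_2": memory_scan(two_exe, key2, SIGNATURE),
    }


if __name__ == "__main__":
    for name, value in run_comparison().items():
        print(f"{name}: {value}")
```

    Run it and the dictionary tells the story: the builds match in length, roughly a third of the bytes differ (every position where the two keys disagree), the raw-byte signature from 1.exe hits only 1.exe, the plaintext signature hits neither file on disk, and the memory scan hits both. That is the gap between a file scanner keyed on bytes and a tool that looks at what the server becomes once it is running.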
     
  9. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Hi Gavin,

    I downloaded Donald Dick 1.55. I turned off my F-Secure AV to ensure only Tauscan would be scanning and followed the instructions in the readme file - i.e. I generated the exe file which is then used to install the server - and then used this to install the server.

    Not sure what it did, as each programme only popped up a DOS window for a second then closed it.

    Anyhow, Tauscan did not detect anything! I looked at the database of trojans in Tauscan - and found that it does not detect version 1.55. Nightmare!

    I turned my F-Secure back on - and it found it. It also found a trojan dropper. I rebooted (as F-Secure asked) and then F-Secure detected the setup file I had downloaded. I deleted all the files F-Secure found.

    I downloaded the latest Trojanhunter and did a scan but found nothing - but while Trojanhunter was scanning, F-Secure found another copy of Donald Dick - but ver 1.53 - which I deleted (not disinfected). F-Secure then found another trojan dropper and deleted it.

    After a reboot I did a full scan using Trojanhunter - but with F-Secure disabled - and nothing was found. As I'm writing this I'm doing a scan using F-Secure just to be sure.

    Is there any procedure I should follow to remove the Donald Dick server properly - is there an uninstall application etc., or is just having F-Secure delete it enough?

    Concerning Tauscan - detecting polymorphic trojans or not - it is unforgivable that it does not detect the latest version of Donald Dick. There has not been an update for Tauscan's database in 23 days!

    ChrisP
     
  10. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
    Please keep in mind that TrojanHunter only detects the dangerous part of the trojan, namely the trojan server. It does not detect harmless clients and "EditServers".
     
  11. Magnus Mischel

    Magnus Mischel Security Expert

    Joined:
    Oct 24, 2002
    Posts:
    185
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,325
    Location:
    US
    I believe that Tauscan has also done away with their help forum, haven't they?

    Acadia
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Chris,

    It took a while - but I guess you'll have the grasp of it now ;)

    Magnus,

    Sure: TrojanHunter copes with it, as your screen shot shows ;)

    regards.

    paul
     
  14. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    Re: Trojanhunter - I think it's just that F-Secure got there first and prevented access to the file.

    Presumably, having done a scan with both F-Secure and Trojanhunter I can now be 100% sure my system does not have Donald Dick lurking on it somewhere?
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Could well be the case: check the F-Secure Log for this.

    You perform a double check by disabling F-Secure, and perform a full system scan with TrojanHunter ;). If you get a clean bill, your system is clean.

    regards.

    paul

     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Never scan with two scanners at a time, as they might scan each other. F-Secure is more an AV/AT product and TH/TDS or others are AT, so it is a bit disputable if you could do the two scans at a time; not advisable anyway.
    Better one after the other, so you have a clearer idea which finds the other.

    Now these were one or two; now the other 998 Wayne advised to make and try. No need to run them actually, it's enough to know if they're found in compressed state as well.
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Jooske, I'm under the impression F-Secure is running resident as the main antivirus, and TrojanHunter as the resident running antitrojan. In case my presumption is a correct one, I can't see any harm in this set up ;)

    regards.

    paul
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Being resident, no, but active scanning I would never let them do together.
    I have TDS up all the time too, including its resident part, and of course I let it do scans beside that as well, but I would never at the same moment as a full system scan have any other scanner doing the same job, be it AV, AT or AV/AT scanner. One of the reasons is that the full system scanning process is the heaviest for each scanner, and another is as told above. TDS for instance tries to use in its multi-threading process as much of the CPU during that scan as possible, to speed up scanning. So using another heavy process or scan at the same time would only slow down the scanning for each scanner.

    There are many people who have for instance TH plus BOClean and/or TDS all resident active on one system, no problem with that either; they run fine together: the software as well as the developers, as we've seen in the threads here, all cooperating :)
     
  19. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    F-Secure is running with real-time scanning set to the following extensions:

    COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ POT MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? AVB BAT CEO CMD MAP MHT MIF NWS TAR TGZ

    The manual scan is set to scan all files and inside archives.

    F-Secure sometimes finds a trojan/virus etc. that, say, Tauscan scans - as that application looks at the file - so even if TH or TS can find the trojan, F-Secure nabs it first and prevents it being looked at by the other scanner.

    Presumably if F-Secure can't find a trojan - and TH can - F-S will not prevent TH from scanning and removing it - but if they both detect the trojan F-S will take priority.

    Anyhow, I have scanned my system with both TH & F-S and found nothing now - phew!
     
  20. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I understand that the earth is flat after all :D
    Dolf
     
  21. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    No, it's round. No proof as yet to disprove anything I have said.
     
  22. xor

    xor Guest

    Here is a tool for generating such POLYSERVERxx files.
    I wrote this tool some time ago - it's nothing special and you will need ddsetup.exe (for security reasons not included) in the same directory.

    <Contact each other by PM for the download link please. Pieter>
     
  23. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    ChrisP, when you infect yourself with a trojan the easiest way to disinfect is to open the client for the trojan and connect to localhost and uninstall... Clearly those files F-Secure detected were the setup files you downloaded... harmless files to say the least... TrojanHunter had already taken care of the really dangerous files (the servers).

    I recently got more proof of TrojanHunter's usefulness: http://www.misec.net/forum/?board=TrojanHunter;action=display;num=1065097167
     
  24. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    No. In fact it was F-Secure which found the server, not Trojanhunter.

    F-Secure detected the server and asked that I reboot - which I did. On rebooting F-secure found the other files on my desktop.

    I scanned my system using Trojanhunter but F-Secure had already cleaned my system, so it found nothing.

    Regards

    ChrisP
     
  25. ChrisP

    ChrisP Suspended Member

    Joined:
    Jun 6, 2003
    Posts:
    447
    Location:
    UK
    illukka - just looked at the link in your message concerning KAV and it not detecting a particular trojan - would like to point out that F-Secure does not just use the KAV engine, it uses F-Prot and Orion also, so the chances of it failing to detect any trojan are about zero. Even if it did only use the KAV engine, it would be able to detect more trojans than Trojanhunter.
     