TDS-3 & dll injection

Discussion in 'Trojan Defence Suite' started by wbth, Sep 22, 2004.

Thread Status:
Not open for further replies.
  1. wbth

    wbth Guest

    Hi, I've just been reading over here:
    http://www.abxzone.com/forums/showthread.php?t=80119
    about a threat and if you read through the posts, a technique called dll injection is mentioned. In this post, a link to this article is posted which says TDS-3 is poorly equipped to handle this threat:
    http://home.arcor.de/scheinsicherheit/dll.htm
    I would point out that the article was written in August 2003.

    My question, has anything been done since then to address this issue?

    Cheers - Dave.
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Forgot the whole discussion about ProcessGuard? Process Guard uses that for Close Message handling.
    Also in the DiamondCS forum at the DiamondCS site are several postings about that subject, there are separate tools like APM for that purpose as it is against the principles of DiamondCS to have dll injection automatically in a program, a user has to be in command, like with ProcessGuard and APM.

    Among others in this thread (you'll have to join the forum as a member to read it --free)
    http://www.diamondcs.com.au/forum/showthread.php?t=1880&highlight=dll injection
     
    Last edited: Sep 22, 2004
  3. wbth

    wbth Guest

    Hi Jooske, thanks for the quick reply!

    I see I've got another week's worth of reading to do to get some sort of handle on this! I've only just heard of dll injection.

    Thus far, would I be correct in saying that TDS-3 DOES NOW detect DLLs that have been "injected" but will not remove them? AND that APM is the preferred app to do the removal aspect?

    Where does one get APM?

    Thanks - Dave.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    www.diamondcs.com.au on the products page for the free tools!
    One needs 2000/nt/xp to be able to use it.
    I mean to say: DiamondCS never includes anything into any program we can not control/use ourselves manually, so we have separate tools or programs, like ProcessGuard or this APM tool, etc.
    I give you the whole page as there are many more very nice and useful tools there :)
    Have fun with them!
     
  5. wbth

    wbth Guest

    Cheers Jooske, I'm onto it!!
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    TDS doesn't protect against DLL injection because there's no need to - Process Guard can protect TDS as well as every other process on your system against that, so it'd be a waste of resources and possibly introduce conflicts if TDS protected itself also. So, individual security applications (anti-virus, firewall, etc etc) shouldn't be required to protect themselves - that's the job of process protection systems such as Process Guard.
     
  8. ------

    ------ Guest

    If people are interested in this issue I will probably update the article on DLL injections. This is mainly because a tool has been released which allows script kiddies to statically inject malicious DLLs into trusted host applications. Just a few mouse clicks are necessary...

    The tool does not patch a loadlibrary into the host application. By contrast, the IAT is patched. Static DLL injection is more dangerous than dynamic DLL injection since system firewalls like Process Guard, System Safety Monitor or Tiny Personal Firewall are unable to detect statically injected trojan DLLs. You need an AV/AT with a module scanner in order to identify them as malware.

    See here for an example: http://home.arcor.de/testbed/ewido.jpg
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    This is the TDS forum, please plug your Ewido program elsewhere, thank you.

    So the 'script kiddie' has to be physically sitting at the victim's computer in order to use this attack. And wouldn't you also need to TERMINATE the process before you can modify its file? The termination would be blocked by Process Guard.

    To patch the IAT you need to modify the file. As soon as it executes, Process Guard will alert you that the file has changed, so you can block the execution.

    Like TDS3, which lets you scan process, modules, mutexes, drivers, and everything else in memory.

    Best regards,
    Wayne
     
    Last edited: Sep 22, 2004
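The two checks argued over in posts #8 and #9 above are both static: post #8 says a statically injected DLL shows up only to something that reads the host's import table (a "module scanner"), and post #9 says patching the IAT changes the file on disk, so a hash baseline catches it at execution time. The following is an added example, not code from this thread, from DiamondCS or from any of the products named; it builds two constructed PE32 images in memory (a "clean" host importing KERNEL32.dll and USER32.dll, and the same host with an extra import descriptor for a hypothetical injected.dll), walks the import directory the way a module scanner would, and compares the file hash against a baseline. The builder, the DLL and function names and the baseline are all assumptions made for the demonstration.

```python
# Added example: static DLL injection check via import-table walk and file hash.
# Not code from the thread; the PE images here are constructed in memory.
import hashlib
import struct

SECTION_RVA, SECTION_RAW = 0x1000, 0x200   # where the single section sits in memory / on disk


def build_pe(imports):
    """Construct a minimal PE32 file whose only section is an import directory.
    imports maps DLL name -> list of function names (constructed test data)."""
    blob = bytearray(20 * (len(imports) + 1))   # IMAGE_IMPORT_DESCRIPTOR array + all-zero terminator
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for fn in funcs:                         # IMAGE_IMPORT_BY_NAME: WORD hint, then ASCIIZ name
            name_rvas.append(SECTION_RVA + len(blob))
            blob += struct.pack("<H", 0) + fn.encode() + b"\0" * (2 - len(fn) % 2)
        dll_rva = SECTION_RVA + len(blob)
        blob += dll.encode() + b"\0"
        while len(blob) % 4:                     # keep the thunk arrays 4-byte aligned
            blob += b"\0"
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        oft, ft = SECTION_RVA + len(blob), SECTION_RVA + len(blob) + len(thunks)
        blob += thunks + thunks                  # OriginalFirstThunk array, then the IAT itself
        descs.append((oft, dll_rva, ft))
    for i, (oft, dll_rva, ft) in enumerate(descs):
        struct.pack_into("<IIIII", blob, 20 * i, oft, 0, 0, dll_rva, ft)
    raw_size = (len(blob) + SECTION_RAW - 1) // SECTION_RAW * SECTION_RAW
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)   # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, SECTION_RVA, SECTION_RAW)   # ImageBase, Section/FileAlign
    struct.pack_into("<II", opt, 56, SECTION_RVA + raw_size, SECTION_RAW)   # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, SECTION_RVA, 20 * (len(imports) + 1))  # DataDirectory[1] = IMPORT
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(blob), SECTION_RVA, raw_size, SECTION_RAW,
                       0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return bytes(hdr.ljust(SECTION_RAW, b"\0") + blob.ljust(raw_size, b"\0"))


def _rva_to_offset(sections, rva):
    for vsize, va, rsize, raw in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def list_imports(data):
    """Walk the import directory of a PE32/PE32+ file and return {dll: [function, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    wide = struct.unpack_from("<H", data, opt)[0] == 0x20B       # PE32+ uses 8-byte thunks
    dir_off = 112 if wide else 96                                # DataDirectory offset in optional header
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0]   # entry 1 = IMPORT
    sec_tab = opt + struct.unpack_from("<H", data, pe + 20)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", data, sec_tab + 40 * i + 8) for i in range(nsec)]
    result = {}
    if imp_rva == 0:
        return result
    off = _rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                        # all-zero descriptor ends the table
            break
        funcs = []
        thunk = _rva_to_offset(sections, oft or ft)              # OriginalFirstThunk, else the IAT
        fmt, step = ("<Q", 8) if wide else ("<I", 4)
        while (val := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if val >> (step * 8 - 1):                            # high bit set: import by ordinal
                funcs.append(f"#{val & 0xFFFF}")
            else:                                                # RVA of IMAGE_IMPORT_BY_NAME, skip hint
                funcs.append(_cstr(data, _rva_to_offset(sections, val) + 2))
            thunk += step
        result[_cstr(data, _rva_to_offset(sections, name_rva))] = funcs
        off += 20
    return result


def unexpected_imports(data, expected_dlls):
    """Imported DLLs absent from the baseline list (case-insensitive, as the Windows loader is)."""
    allowed = {d.lower() for d in expected_dlls}
    return {d: f for d, f in list_imports(data).items() if d.lower() not in allowed}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a "trusted" host, and the same host after a static injection that adds
# an import descriptor for a hypothetical injected.dll (names are assumptions, not real malware).
HOST_IMPORTS = {"KERNEL32.dll": ["ExitProcess", "GetModuleHandleA"], "USER32.dll": ["MessageBoxA"]}
CLEAN_HOST = build_pe(HOST_IMPORTS)
PATCHED_HOST = build_pe({**HOST_IMPORTS, "injected.dll": ["Init"]})
BASELINE_SHA256 = sha256(CLEAN_HOST)      # what a file-integrity check would have recorded earlier

if __name__ == "__main__":
    print("imports:", list_imports(PATCHED_HOST))
    print("unexpected:", unexpected_imports(PATCHED_HOST, HOST_IMPORTS))
    print("file changed since baseline:", sha256(PATCHED_HOST) != BASELINE_SHA256)
```

The import walk is what post #8 means by a module scanner looking at the file rather than at behaviour: the injected descriptor is ordinary import data, so nothing executes and no runtime hook fires, and the only way to notice it is to compare the import list against what the trusted host is known to need. The hash comparison is the file-changed check post #9 attributes to Process Guard; it flags any modification but says nothing about what was changed, so in practice the two are used together.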