TDS-3 vs. Polymorphic Trojans, case example

Discussion in 'Trojan Defence Suite' started by Wayne - DiamondCS, Apr 16, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Donald Dick is a Russian-made remote access trojan, but it's perhaps the world's most polymorphic trojan at present. TDS-3 is the only anti-trojan scanner capable of detecting this trojan, and this is explained (with disassembly and other screenshots) at http://tds.diamondcs.com.au/index.php?page=polymorphictrojans
    Best enjoyed with a coffee. :)
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
No Russian vodka?

    Thanks Wayne, quite impressive and amazing. Further, your screenshots are very instructive; no need to wait shivering, if we ever receive that one somehow, to see its actions on our systems!
    Thanks for creating the instructive page for us, it serves curiosity too!

    Must be early morning in Perth now, sleep well!
     
  3. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
Hey, that is kinda cool, so that's what it looks like.
     
  4. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
lol, lmao, you know what would be cool: if TDS-4, when it finds a nasty, also showed a pic with the nasty's profile, lol.

    For example, lol, TDS detects Donald Duck and a pic of Donald Duck appears with the trojan's bio and info, lol.

    Mug shot, wanted, lol lol lol.

    Cage or "put in the firing range" option, lol.
     
  5. xor

    xor Guest

Donald Dick isn't even polymorphic.
    It's the loader, that's all.
    Read the first 4096 bytes of this file, jump to the end and make a search for

    B8 | 00 | 00 | 00 | 80 | 0F | BF | EA

    backwards, and combine this with a positive pattern (AND pattern) of some bytes before (C1 and 08, for instance).

    :D
     
  6. Douglas

    Douglas Guest

    I'm confused. Trojan Hunter lists Donald Dick 150, 153, 154, and 155 in its trojan definitions. Are these different from what you're talking about?

    Douglas
     
  7. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
lol, are you sure? lol, quake quake
     
  8. xor

    xor Guest

Ah yes, and don't forget to add FF | FF | ?? | ?? | ?? | 0F as the last positive signature to avoid false positives :D
     
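The three-stage check xor sketches in posts 5 and 8 (search backwards from the end of the file for the eight anchor bytes, require a positive AND pattern of bytes shortly before the anchor, and require the wildcard trailer FF FF ?? ?? ?? 0F as a false-positive guard), written out as an added Python example. This is not TDS or DiamondCS code and not xor's own; the byte values are the ones posted (using C1 and 80, per Gavin's correction later in the thread). The post gives no offsets, so the 4096-byte tail window, the 16-byte pre-anchor window, the 32-byte post-anchor window and the sample file images are all constructed assumptions for illustration; the sample images are not real trojan files.

```python
"""Byte-signature check of the shape described in the thread: anchor bytes
searched backwards near the end of the file, an AND pattern before the anchor,
and a wildcard trailer after it. Window sizes and sample images are assumptions
made for this example."""

# Byte patterns as posted in the thread. None stands for a wildcard byte ("??").
ANCHOR = bytes.fromhex("B8000000800FBFEA")          # B8 00 00 00 80 0F BF EA, searched backwards
PRE_REQUIRED = (0xC1, 0x80)                          # AND pattern: all must appear before the anchor
TRAILER = (0xFF, 0xFF, None, None, None, 0x0F)       # wildcard pattern that must follow the anchor

# Assumed window sizes (the post only mentions 4096 bytes).
TAIL_BYTES = 4096      # how much of the end of the file is searched for the anchor
PRE_WINDOW = 16        # bytes before the anchor that must contain every PRE_REQUIRED byte
POST_WINDOW = 32       # bytes after the anchor in which TRAILER must start


def match_at(buf, offset, pattern):
    """True if the wildcard pattern matches buf at offset."""
    if offset < 0 or offset + len(pattern) > len(buf):
        return False
    return all(p is None or buf[offset + i] == p for i, p in enumerate(pattern))


def find_pattern(buf, pattern, start, end):
    """First offset in [start, end) at which the wildcard pattern matches, else -1."""
    last = min(end, len(buf) - len(pattern))
    for off in range(max(start, 0), last + 1):
        if match_at(buf, off, pattern):
            return off
    return -1


def scan_buffer(data):
    """Apply the three-stage check to a file image held in memory.
    Returns (matched, reason) so a caller can log why a file was or was not flagged."""
    tail_start = max(len(data) - TAIL_BYTES, 0)
    # Stage 1: the anchor, searched backwards so the last occurrence in the tail is used.
    a = data.rfind(ANCHOR, tail_start)
    if a == -1:
        return False, "anchor not found in tail"
    # Stage 2: AND pattern, every required byte must occur in the window before the anchor.
    pre = data[max(a - PRE_WINDOW, 0):a]
    missing = [b for b in PRE_REQUIRED if b not in pre]
    if missing:
        return False, "pre-anchor bytes missing: " + " ".join(f"{b:02X}" for b in missing)
    # Stage 3: wildcard trailer after the anchor, the false-positive guard.
    t = find_pattern(data, TRAILER, a + len(ANCHOR), a + len(ANCHOR) + POST_WINDOW)
    if t == -1:
        return False, "trailer FF FF ?? ?? ?? 0F not found after anchor"
    return True, f"anchor at 0x{a:X}, trailer at 0x{t:X}"


def scan_file(path):
    """Convenience wrapper: run scan_buffer over a file on disk."""
    with open(path, "rb") as f:
        return scan_buffer(f.read())


def build_sample(with_pre=True, with_trailer=True):
    """Constructed test image: deterministic filler, then the stub-like byte run near the end.
    The flags drop the pre-anchor bytes or the trailer to exercise the negative paths."""
    filler = bytes(range(256)) * 8                                   # 2 KiB of padding, no anchor inside
    pre = bytes([0x8B, 0xC1, 0x33, 0x80, 0x90, 0x90]) if with_pre else bytes([0x90]) * 6
    trailer = (bytes([0x90, 0xFF, 0xFF, 0x12, 0x34, 0x56, 0x0F])
               if with_trailer else bytes([0x90]) * 7)
    return filler + pre + ANCHOR + trailer + bytes(64)


if __name__ == "__main__":
    for label, image in (("full stub", build_sample()),
                         ("no pre-anchor bytes", build_sample(with_pre=False)),
                         ("no trailer", build_sample(with_trailer=False))):
        print(f"{label:20s} -> {scan_buffer(image)}")
```

The anchor alone would also fire on the `no trailer` image; the staged AND pattern and trailer are what turn an eight-byte hit into something a scanner can trust. Searching only the tail of the file keeps the check cheap on large binaries, at the cost of missing a stub placed earlier in the file.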
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Zor, Douglas: what I think Wayne was saying is that using set "definitions" for polymorphics is not the way, because they always change :rolleyes:

    Edit: Sorry Zor, I referred to you and not Douglas in this reply. Now corrected.
     
  10. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
That's also true, 'cause you can modify them with a hex editor or something, right?
     
  11. Vampirefo

    Vampirefo Guest

    Very nicely done, a very good presentation, I am still holding out for TDS-4. ;) ;)

    Best Regards
    Vampirefo
     
  12. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
Douglas, sorry, but I'm not sure why Trojan Hunter would say it can detect these trojans, because I can tell you now it can't. The servers change with every generation, and the techniques that TH uses cannot be used to detect this trojan, so I'm assuming that one server was generated but not analysed to see that it's not static, and it was added using the same automated process as all other TH signatures. But Donald Dick _cannot_ be detected using standard methods like that, so if that's the case it would be a useless signature that does nothing more than fool users into thinking they're protected (which is probably worse than no detection at all).

    I'd encourage you to test for yourself: do a Google search to find the Donald Dick trojan, and then just run the 'ddsetup.exe' file that comes with it (as seen in the screenshot on our polymorphic page). Every time you run this file, it creates a new, unique ddick.exe file. We've tested with all common anti-trojan scanners (using the latest databases) and we'd encourage you to do the same, but TDS was the only one detecting any of the servers; all other anti-trojan scanners missed 100% of the servers.

    But don't just take my word for it - test for yourself. :)

    ---

    Zor, you're actually technically spot on - the word polymorphic is heavily abused these days, and although it often applies well to viruses, it really shouldn't apply to trojans, as it's their server generator that is the base for the pseudo-random generation - not the actual trojan server itself. But today the term 'polymorphic trojan' is just generally and loosely used by many to define trojans that are different from one generation to the next. We'll add some extra text to the page to explain this more clearly. :)
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
BTW, I think you meant C1 and 80, Xor ;)
     
  14. xor

    xor Guest

Yes, it was a typo - too many fingers on keyboard error, you know? :D
     
  15. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
"too many fingers on keyboard error, you know"
    Translation for non-programmers ... "too much coffee, you know" :D
     
  16. xor

    xor Guest

You missed the beer, the DAMN BEER :D :D :D
    But I am on my 4th coffee cup this night :rolleyes:

  17. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
No, that's the desk of a real programmer!!!
     
  18. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
Maybe mine isn't quite as messy as I thought!! I'll show that to my wife to fend off her duster :D
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Wondered if others are referring to other versions of the Donald Dick trojan, as there are several; I think I saw an older report from 1999, but I don't recall the version number there. Could this explain the different views on detection and disarming?
     
  20. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
There are several versions, but only 1.53.b and onwards use the SmartMorph polymorphic loader. The only versions other anti-trojan scanners can accurately detect are v1.52, the first variant of 1.53, and earlier. 1.53.b, 1.54, 1.55 etc. cannot be and are not detected by other anti-trojan scanners, so if you see them in their "detected trojans" list, they're just giving you a false sense of security - they cannot detect such trojans.
     
  21. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
:D Wasn't TDS the one that detected my Zmist, my favourite nasty in the world? That kicks butt, I love that awesome nasty.

    I wish I had money and found the real maker of it, not the guy at NAV that wrote about it but the actual guy.

    If I did, the Mr.Blaze6666 would become a reality, he he he,
    cleaning up the internet and making you all spell as bad as me, with lol at every other word, lol.
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
Yeah, in the older lists like the one on McAfee I don't recall having seen any version number at all, only the message that there are several versions and names.

    Hey Blazey! Your sig is in the wrong forum: it's TDS here!
    Have you seen the DCS shoppe? Go and get there, be the first, hurryyyyyyyyyyyy!
    http://www.cafeshops.com/diamondcs/
    Get your TDS and DCS collectibles NOW!
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
ZMist is a virus family using the "Mistfall" engine by Z0mbie, not applicable for detection by any of our products.

    I think I commented somewhere on the forum about this before. Very powerful virus engine, but one striking weakness: pack any EXE and it is immunised against this virus :D The virus disassembles an EXE file and inserts itself into the executable. The virus code actually becomes part of the file when reassembled, a real headache for AV guys :)
     
  24. Vampirefo

    Vampirefo Guest

McAfee can detect them. I made 32 servers and McAfee had no problem detecting them; I used versions 1.52, 1.53, 1.54 and 1.55, and McAfee detects them all regardless of version.
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Wondering if Wayne means something else we miss here?
     