TDS-3 vs. Polymorphic Trojans, case example

Discussion in 'Trojan Defence Suite' started by Wayne - DiamondCS, Apr 16, 2003.

Thread Status:
Not open for further replies.
  1. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    And here are the logfiles of all programs as Tar GZip ....
     


  2. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    Already done :D. I did it even before I posted my first reply ...
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Right. Angelo, I propose you perform the test again after DCS has taken action, being upcoming Monday, and you have had email contact with them.

    Please refrain from further elaborating on this specific issue; as stated, there's nothing to add right now. I'd hate to close this thread until Monday...

    regards.

    paul
     
  4. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    Sorry - I misunderstood you :D. I thought I should post them now :D. Sorry ... my fault :).
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Well, they're up now. Let's rest this issue for the moment - at least until the new TDS3 database has been released upcoming Monday.

    regards.

    paul
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Without posting results here, maybe you'd like to try out some scanning options, setting them to highest sensitivity or less sensitive, to see if that makes any difference with the settings in the database now and the less specific ones Wayne is planning for the next database.
    As you like testing so much!
    I'm used to having all options on highest when scanning, but who knows what would happen if I allowed such settings to change a little :)
     
  7. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    It's just Andreas Haak again.

    For those who aren't aware, "Angelo Bachmayr" is just one of the many aliases used by Andreas Haak (do a whois on a-2.org). He usually posts anonymously when attacking anti-trojan scanners - this way, fewer people will realise that he's the author of the outdated and poorly maintained ANTS trojan scanner - a scanner that, incidentally, doesn't detect Donald Dick at all, so why he's trying to attack TDS for allegedly detecting only 99% of Donald Dick servers, I don't know, but he has a lot more spare time up his sleeves than us.

    Andreas, Angelo, whatever you've got to hide, you still haven't emailed me one single Donald Dick server that TDS doesn't detect, all you emailed me was a script to run the server generator 1000 times. A bat file would've accomplished the same thing, but in only a few lines rather than the hundred or so in your program. We generated 4000 servers and achieved 100% detection on those after a bit of massaging of our detection routine. Before you said you generated 11000 servers and TDS missed nearly 50. Now you're saying you only generated 1000, and TDS only missed about 10. Which one is it? How do we know you haven't modified those servers or doctored the images? You've wasted a lot of time in the past trying to attack TDS so nobody could put that past you, but I don't understand why you are wasting time testing GAV/TDS/TH against Donald Dick when your ANTS scanner doesn't detect it at all - shouldn't you be using that time to add detection to ANTS? I think your customers would much prefer you doing something constructive like improving your scanner rather than attacking others. This is accomplishing nothing. What exactly are you trying to prove, Andreas? If you have a server TDS doesn't detect, why won't you send it to us? And why hide behind the alias, why don't you want people to know that you're Andreas Haak?

    Anyway that's enough Wasting Time With Andreas for another month. I'll see you all same time and place next month (if history repeats itself)..
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Those who can, do.

    Those who can't just b1tch, moan and throw rocks. Pete
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,514
    Location:
    Annie's Pub
    Re:It's just Andreas Haak again.

    I don't know what Bachmayr/Haak is trying to prove, when "Bachmayr" is indeed an alias of "Haak".

    I only know I'm becoming a little tired of the attacks against TDS from Bachmayr/Haak; when he has personal problems with TDS/DiamondCS, the Wilders Forum is for sure not the right place to combat. :mad:
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Identity was known already. To avoid combats and flame wars and all that there was this invitation for a serious discussion between the developers via their emails, as when somebody really has to say something valid, there are listening ears. So please keep it nice and educational for us forum visitors and the many of us non-specialists, and via personal emails between the developers so developers can seriously look into possible matters. So please spare us confusion if there ever was. For the good of all the internet community.
    The only discussion here seems to be that something is made to detect a nasty in many forms and how to tighten or get less specific in a good balance to detect as many variants as possible and to avoid false alarms.
    I would not like to think of the 11,000 servers getting loose on the internet, so please keep them between the labs! Thanks.
     
  11. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    I guess most of you know I'm a loyal TDS user, DCS customer, betatester, whatever. However, I take Wayne's response to Angelo to be rather inappropriate. I know that Andreas Haak has gotten on Wayne's nerves a bit too much, but that doesn't justify such an offensive reply. Now comes a bit of b1tching and if you want to skip it, my request is basically to focus on the question of whether there are DDick servers that TDS doesn't detect and if so, what measures can be taken by whom to remedy this.
    Now, on with the quasi-flame (you decide if this refers to my posting or to Wayne's):

    Actually, no. If you in fact go to a-2.org (it's redirected to a discussion forum) you'll see that while a-2 is indeed Andreas H.'s project of a new AT (which seems to still have some way to go), there are a couple of volunteers (remember that Ants is/was freeware?) that have offered to help (graphics, website, PR, Autostart entry-checking etc) and Angelo is one of them.

    Also, he didn't exactly try very hard to hide his identity. See the a^2 logo he uses as an avatar? He didn't even "attack" anyone or anything. He just told you that on his findings, your detection can be improved - he posted extensive results (even apologized for a misunderstanding he had with Paul) and as of now I don't see a reason not to trust him.

    He's just one who's spent his time here discussing usage, possible misses/false positives - just like all the rest of us, so we don't have so much less spare time up our sleeves than he does.

    If you are suggesting that he has put up some fake test and keeps the servers private so that no one finds out, that should be easily cleared up sooner or later because he has offered to send the files (the actual server files) to more people than just you. To Paul, for instance. So, have you run the script and generated 10000 servers and scanned them with TDS and obtained different results, Wayne? Then (and imho only then) he should send you his 10000 servers. But I'm sure you can also ask to have the actual server files sent to you and not just the script. (Okay, I'm a bit too harsh, actually you have asked to have only the undetected actual server files sent. So, Angelo, will you do this? Supposing that Wayne's rudeness hasn't driven you away...)

    Both. Read his postings. More carefully.


    I think there are people around that test AV/ATs and they haven't even coded an AV/AT scanner. So there could be other motivations for that, couldn't there?

    No ants-customers. No a^2 customers. And up to now, it has been constructive.

    That's it - and I've not even mentioned the enlightening discussion I've had with Angelo about the old TerminateProcess problem in the other thread - for me, that (and he speaks of TDS-4 rather benevolently there) is enough of a proof of his good intentions.

    Rgds,
    Andreas (W)

    PS. Angelo, sorry to refer to you mostly in the third person. CU.
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,252
    Location:
    New England
    There is certainly a long history between the different people involved in this discussion, and I won't even try to come down on one side or the other. For myself, I don't use TDS3, and I've never tried Ants (now A²) either, but, I am a member over on the A² Forum, and I look forward to whatever develops there.

    I don't know first hand whether TDS finds 100% of the mentioned trojans, or if it misses some as generated by Angelo's script. I'd be really happy to see Angelo send some of the undetected trojan files to Wayne, as that is certainly the right thing to do. Or, for that matter, send them to Magnus, or to Gladiator, or anyone else he thinks would be a fair judge on this issue, if he's concerned that they'd be better received there.

    Personally, I really like to see the different developers engaging each other, and sharing their findings for the greater good. And, like Jooske, I'd really like to see them debating and discussing these technical issues fairly in a forum somewhere, whether here or elsewhere would be fine with me. It'd be great to see intelligent discussions on these topics.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I'm rather stubborn and did suggest this various times: to please open either a developers' discussion thread or forum, be it only accessible for developers with subscription or open for others to read if that would be useful.
    I think there is so much to do in the security world and several views and experiences; other developers might be good judges who can be really helpful if their intentions are constructive comments. We betatesters are ok in telling what the software does on our system and if we like it or which feature we'd like to be built in, but the developers who are willing to spend time to take another product apart to the bottom and are able to tell how things can be done with more security or whatever and are willing to tell the persons who created the product honestly etc etc etc.
    I was really happy seeing it happening a bit earlier in this thread and after one guy telling how to others getting clues to add the detection into their products too.
    I think fighting is mainly a waste of energy which can be spent in development.
    Please keep the discussions open and serious.

    On the internet it's a rule, if you find problems in software, to inform the developer by email personally what and why and maybe which tests showed it and/or to send in the materials so the developer can test it in his own lab and take measures.
    If after a reasonable time nothing has been done about it, one can post in the open, but please do it in a respectful way.

    I would be really happy and proud if such a protected for developers only space was here hosted in the forums, as this forum has the name to be among the highest in serious security discussions and information and developers of top notch software come visiting and educating people here.


    LWM: sorry to read you're not using TDS3; it's up to you, of course, but I really like it and it's part of my road on the internet, which before TDS2, when I was not aware of the existence and the need, was really a pricey and sad experience.
     
  14. angel

    angel Registered Member

    Joined:
    Mar 7, 2003
    Posts:
    44
    Location:
    22. district, Vienna, Austria, Europe, Earth
    Re:It's just Andreas Haak again.

    >For those who aren't aware, "Angelo Bachmayr" is just one of the many aliases used by
    >Andreas Haak (do a whois on a-2.org).

    Oh well ... are the owners of trojaner-info.de "Andreas Haak" too cause they have an email address at yaw.at? Do a whois at yaw.at, it belongs to Andreas. Or is Gavin Wayne cause Gavin has an email address at diamondcs.com.au and it belongs to Wayne? Or is Jooske Wayne cause she has a link to DCS inside her signature?

    Well, it's a little bit paranoid. Andreas has some co-workers and personal friends. I am one of them :D.

    >Andreas, Angelo, whatever you've got to hide, you still haven't emailed me one single Donald
    >Dick server that TDS doesn't detect, all you emailed me was a script to run the server
    >generator 1000 times.

    I asked Andreas to send you the server generator - it's his program. It's not a script, it's a tiny Delphi application. Sure there are many ways to solve a problem. You can use a batch, too.

    BTW:
    The generator is his program. That's why I asked him to send it to you. I do not know if it is ok if I send his files to third parties. As far as I remember he sent the executable and the Delphi source.

    >Before you said you generated 11000 servers and TDS missed nearly 50. Now youre saying
    >you only generated 1000, and TDS only missed about 10. Which one is it?

    Both. Look at what I said:

    "I redid the test. Now with 1000 servers only."

    1000 servers because most scanners are damned slow and it took too much time to scan all of them. So I generated 1000 new ones.

    >How do we know you haven't modified those servers or doctored the images?

    That's why I asked Andreas to send you the generator so you can redo the test. I didn't know that you have your own "generator".

    >You've wasted a lot of time in the past trying to attack TDS so nobody could put that past you,
    >but I don't understand why you are wasting time testing GAV/TDS/TH against Donald Dick
    >when your ANTS scanner doesn't detect it at all - shouldn't you be using that time to add
    >detection to ANTS?

    Well ...

    1. Andreas is a little bit "own" and a little bit hard to get along with. I guess you and Paul know what I am talking about. That's why I suggested that I handle the public stuff of a² (advertisement, update alerts and so on) for him.

    2. ANTS does not exist any more and it is not a secret that the project is closed. A² will be able to detect it, of course.

    3. Why did I do that? Because I am interested in security stuff. I do a lot of testing if I have enough time (at the moment I do not have so much time because I am taking A levels). Why did Andreas do that? Well ... ask him, not me ... his personal address is andreas.haak@chello.at or haak.a@yaw.at or haak.a@a-2.org .

    >If you have a server TDS doesn't detect, why won't you send it to us? And why hide behind
    >the alias, why don't you want people to know that you're Andreas Haak?

    Because I am not Andreas. Why didn't I send you the server? Quite simple. Imagine you have 11000 server files and only about 50 of them are undetected. But the scanner is not able to delete all infected files at once. It is only able to delete them one by one. Would you give the vendor the undetected files or would you give him the information and tools to redo the test on his own? :D

    But ok - Copy and Replace inside the report did its job quite well and I generated a batch script. These servers are on their way. :D

    BTW:
    And yes, I want a PERSONAL letter of apology for this backbiting.
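The workflow Angelo describes above (scan a corpus of generated variants, read the misses out of the scanner's report, and turn them into a batch script so the undetected files can be handed to the vendor) is easy to automate. The following is an added example, not code from this thread, from DiamondCS or from the a² project; the report format, the sample paths and the verdict strings are all constructed for the example, and a real scanner report needs its own parser. It goes a little beyond the post by also checking a known-clean corpus for false positives and diffing two reports, which is the balance between generic and specific detection that Jooske raises earlier in the thread.

```python
"""Summarise an anti-trojan scan report over a generated sample corpus.

Computes the detection rate, lists the undetected sample paths (the files a
tester would forward to the vendor), checks a known-clean corpus for false
positives, and diffs two reports (e.g. before and after a database update)
so a tightened detection routine can be checked for regressions.

Report format (constructed for this example): one line per scanned file,
"<path> : <verdict>", separated by " : " so drive-letter colons are safe.
"""
from __future__ import annotations

from dataclasses import dataclass

# Verdict strings the constructed scanner uses for "nothing found".
CLEAN_VERDICTS = {"clean", "ok", "no threat found"}


@dataclass(frozen=True)
class ScanSummary:
    total: int
    detected: int
    missed: tuple[str, ...]  # sorted paths the scanner did not flag

    @property
    def rate(self) -> float:
        """Fraction of files flagged; 0.0 for an empty report."""
        return self.detected / self.total if self.total else 0.0


def parse_report(text: str) -> dict[str, str]:
    """Map each scanned path to its verdict; blank, comment and malformed lines are skipped."""
    results: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, sep, verdict = line.rpartition(" : ")
        if sep:
            results[path.strip()] = verdict.strip()
    return results


def is_detected(verdict: str) -> bool:
    return verdict.strip().lower() not in CLEAN_VERDICTS


def summarise(results: dict[str, str]) -> ScanSummary:
    """Detection rate over a corpus in which every file is known to be a sample."""
    missed = tuple(sorted(p for p, v in results.items() if not is_detected(v)))
    return ScanSummary(total=len(results), detected=len(results) - len(missed), missed=missed)


def false_positives(results: dict[str, str]) -> list[str]:
    """Paths flagged in a corpus known to be clean: evidence of a too-generic signature."""
    return sorted(p for p, v in results.items() if is_detected(v))


def compare_runs(before: dict[str, str], after: dict[str, str]) -> tuple[list[str], list[str]]:
    """(newly detected, regressions) between two reports over the same corpus."""
    common = [p for p in before if p in after]
    gained = sorted(p for p in common if not is_detected(before[p]) and is_detected(after[p]))
    lost = sorted(p for p in common if is_detected(before[p]) and not is_detected(after[p]))
    return gained, lost


def submission_script(paths, dest: str) -> list[str]:
    """Windows batch lines that copy the undetected samples into one folder for the vendor."""
    lines = ["@echo off", f'if not exist "{dest}" mkdir "{dest}"']
    lines += [f'copy /Y "{p}" "{dest}\\"' for p in paths]
    return lines


# Constructed sample reports: a generated-variant corpus scanned with two
# database versions, plus a clean corpus. Verdict names are made up.
SAMPLE_REPORT_OLD = """\
# scanner report, old database (constructed)
C:\\samples\\variants\\srv_0001.exe : Trojan.DonaldDick.gen
C:\\samples\\variants\\srv_0002.exe : clean
C:\\samples\\variants\\srv_0003.exe : Trojan.DonaldDick.gen
C:\\samples\\variants\\srv_0004.exe : clean
C:\\samples\\variants\\srv_0005.exe : Trojan.DonaldDick.gen
"""
SAMPLE_REPORT_NEW = """\
# scanner report, new database (constructed)
C:\\samples\\variants\\srv_0001.exe : Trojan.DonaldDick.gen
C:\\samples\\variants\\srv_0002.exe : Trojan.DonaldDick.gen
C:\\samples\\variants\\srv_0003.exe : Trojan.DonaldDick.gen
C:\\samples\\variants\\srv_0004.exe : Trojan.DonaldDick.gen
C:\\samples\\variants\\srv_0005.exe : clean
"""
CLEAN_REPORT = """\
C:\\Windows\\notepad.exe : clean
C:\\Program Files\\Tool\\tool.exe : Trojan.DonaldDick.gen
"""

if __name__ == "__main__":
    old, new = parse_report(SAMPLE_REPORT_OLD), parse_report(SAMPLE_REPORT_NEW)
    s = summarise(old)
    print(f"old database: {s.detected}/{s.total} detected ({s.rate:.1%}), missed: {s.missed}")
    gained, lost = compare_runs(old, new)
    print("newly detected:", gained, "regressions:", lost)
    print("false positives on clean corpus:", false_positives(parse_report(CLEAN_REPORT)))
    print("\n".join(submission_script(s.missed, r"C:\samples\to_vendor")))
```

The regression check is the part worth keeping: a routine loosened to catch every variant of a generator can silently stop matching samples it used to catch, or start flagging clean files, and scanning both corpora after every database change is the only way to see that.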
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Angelo, thanks for the many explanations and for informing the internet community about the situation.
    I'm sorry this all happened.
    One reason more to ask to have a "developers talk among them" place in the forums here somewhere, and we really hope the brains are talking as there are some real wizzpeople among you. Are? I've not the brains to decide that, it's my humble impression.
    I would be really sorry if we need to carry around first aid and life support through a forum created for security matters! As although i'm a woman, my name is not Florence Nightingale.

    But a rule really is to send possible errors and vulnerabilities in other developers' software in private emails first and give a chance for repairs and corrections first.
    Angelo, Wayne was/is open for such comments as he posted his personal email address to receive the tests/files/servers and see what you mean.
    In the name of the wellbeing of the internet community as a whole please bury the boomerangs and tomahawks and communicate. Thanks a lot!
    Again, sorry this happened.
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Seems like old conflicts and the emotions coming with them are taking over once in a while. Although - since we are all human - on occasion this will happen, nearly all of the time there are no winners in such a situation.

    Thus: let's get back on track here, and focus on the real issue(s) at hand, Angelo being Angelo, a co-worker of Andreas Haak, Wayne being Wayne from DCS, etc., leaving possible flaming behind us once and for all - all parties involved please ;).

    Angelo, thanks for explaining and providing the servers. No doubt DCS will examine the files and handle them the appropriate way.

    I do regard the "personal issues" being left behind; if not, established email contact between you and DCS is the way to go to sort them out - this board/forum definitively isn't. My inbox is open as ever as well.

    Back to business as usual! ;).

    regards.

    paul
     
  17. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Andreas, thanks for taking the time to send me some servers, we'll analyse them and revise the detection algorithm first thing tomorrow for tomorrow's update.
     
  18. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    make love not war

    good to see things appear to be sorted out. I want to apologize, too. Must have had a bad day ;)
    See you soon, happy computing to all,
    Andreas (W)
     
  19. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Re:make love not war

    I second that ;)

    Andreas, we're all human - ask my wife about my bad days :rolleyes: :D

    regards,

    paul
     
  20. xor

    xor Guest

    Re:make love not war

    I am not his wife but it's true :D :D :D
    ;) -> for paul :D
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks a lot guys to talk reason again. Was counting on that so i did some nice shoppings for myself.
    Salut guys, on your health and of the whole secured internet community with the top notch software!
    Proud to be a supporter!
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Re:make love not war

    You promised not to tell anyone! :rolleyes: ;)
     
  23. iCQ

    iCQ Registered Member

    Joined:
    Jul 28, 2003
    Posts:
    8
    Location:
    The Netherlands
    ppff.... this thread got a bit messy. I hope all u guys didn't waste too much time on this talk "atm anti-trojan program X does 1% better than anti-trojan program Y". In my opinion it's professional of the TDS team to seriously go into the matter. What I DO NOT consider professional is makers or friends of makers of competing products going to show muscle in someone else's home. But again... it got a bit too messy for me to be able to follow it all.

    Take care ya all,

    Peace

    P.s. 'anonymous' or 'clone' posts on forums shouldn’t be taken too seriously. Good work on the DD polymorph Wayne!
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    iCQ, as you can see the problems are solved. Developers are showing they are but human too.
    The wonderful part of this thread is that you see several developers, each with their own experience and background, jumping in and even helping each other in creating rules so all their different software products are able to detect this nasty. At times a little head banging, but as all feel it a responsibility to take care of their users and the internet community as a whole, in the end it's a series of products with yet another good detection added for new future nasties too --I think you can imagine it's a tough job to keep on top of it these days!-- and a hand and a drink and all are happy.
    It is the reason why there are developers-only forums to communicate among them, so the public in most cases is not aware of these communications.
    Doesn't it feel like looking into the kitchen? Don't be shocked, they aren't not even after some headbanging and this one is forgotten already and all have grown of it, good for all!
     
  25. iCQ

    iCQ Registered Member

    Joined:
    Jul 28, 2003
    Posts:
    8
    Location:
    The Netherlands
    Sorry, I didn't mean to shitstir ;)
     