TDS vs BoClean?

Discussion in 'Trojan Defence Suite' started by superc, May 15, 2005.

Thread Status:
Not open for further replies.
  1. superc

    superc Registered Member

    Joined:
    May 15, 2005
    Posts:
    1
    Location:
    varied
    I got this unsolicited newsletter in the email today and found it to be a fairly interesting capsule summary of where the industry is today and how it got there, and the comparisons at the end invite comment. There was an ad for a new product at the bottom of it which I deleted for the post here.

    PSC Newsletter wrote:

    > PSC Newsletter-MEDIA DISCOVERS "SPYWARE?"
    > Friday, 13 May 2005
    >
    > THE MEDIA DISCOVERS "SPYWARE"
    >
    > We've been in the business of handling malicious software for eight years now, and recent headlines in the media even have US confused as to what "spyware" is. We created our BOClean antitrojan software back in 1998 to deal with a new set of risks at the time which the traditional antivirus companies ignored, expecting that as the problem grew quickly, the antiviruses would soon be on top of the situation and there would no longer be a need for BOClean by the end of 1998. Boy were WE wrong.
    >
    > Back then, antiviruses handled "viruses," which were substantially file infectors that would spread when an infected file was run to other files and sometimes other computers by means of copying infected files. BOClean was created to deal with a newer threat specific to the internet itself, that of the "Remote Access Trojan" or "RAT." What made these different was that they didn't infect files. Instead they infected an entire machine with what was called a "back door." Back doors permitted an attacker in a remote location more access to the innards of personal computers than most computer owners had to their own machine. And once installed and activated, a "remote control trojan horse" could do incredible amounts of damage within seconds!
    >
    > It was this new requirement for instantaneous detection and removal of this new type of malicious software that created the need for a fully automatic program which could detect and instantly defeat this new threat. The old paradigm of "file scanning" with an antivirus was no longer practical because by the time anything unusual was noticed by the victim, it was far too late. "Trojans" had to be stopped immediately, not at a later time after the damage was done. And the antiviruses required that suspicion be raised in order to cause the user to perform a scan in the first place. Unacceptable.
    >
    > At first, "trojans" were rarely seen outside of major computer networks in corporate, governmental and institutional systems where there was information worth the effort of designing and building these custom pieces of software. Only a small handful of programmers were even capable of writing this type of software. Thus BOClean was originally designed to satisfy system administrators who insisted upon a completely automatic program which would detect and defeat these new nasties without the need for their users to need to do anything.
    >
    > The very first known Windows95 trojan horse was created in France and was called "Sockets de Troie." It wasn't very popular because it was unreliable and was written entirely in French. It only worked on French Windows machines owing to a bug in its original design. Among the first widespread, mass-distributed trojan horses designed for what would become known as "script kiddies" was a German trojan called "Master's Paradise," a predecessor to one that would be known later as "Netbus" in 1998:
    >
    > Master's Paradise (September, 1998)
    >
    > This trojan was the first one that permitted anyone with no programming skills whatsoever to configure and control a back door. Within weeks, several others appeared as a sort of competition among "elite hackers" resulting in several dozen such programs being released, each with widening new capabilities and ease of use such as "Girl Friend," "GateCrasher," "PhaseZero" and many more which followed over time. Still, they were a relative novelty and we had the time to write reports on each of them, which are available on our website.
    >
    > But it was the original "Back Orifice" trojan in summer of 1998 by a group called "Cult of the Dead Cow" which changed the landscape and forced us to provide a free "BOClean" product for our NSClean and IEClean customers owing to its rampant success as the first MAJOR "trojan horse" in widespread distribution. Suddenly, every kid on the block had the technology to invade other people's computers at whim. And with more trojans appearing weekly, in the event that an antivirus detected one of them, there were plenty more to be had that could be used until those too were eventually detected. Curiously, PhaseZero remained popular because it wasn't detected by the antiviruses until 2000! BOClean of course had them all covered the day each was released.
    >
    > 1999 saw the number of these mushroom and suddenly, BOClean went from having to be updated maybe once or twice a month to having to be updated weekly and even more frequently as each new one appeared. In 1999, the kiddies, frustrated by the antiviruses catching many of these (but not all) became even more sophisticated in their techniques. "Packers," "encryption," and "polymorphism" were applied to existing backdoors which caused the "file scanning signatures" to no longer match the original samples. Suddenly, all of the previous trojans were back in use widely as they no longer matched the "signatures" and thus coined the term "undetectable trojans," even though in memory, there were no differences in any of the "variants."
    >
    > By 2000, a second version of the first major "internet worm" known as "PrettyPark" was released by its author. This was the first set of what we know today as "worms" or "virusname@mm" mass-mailing trojans. And it made life incredibly difficult for the antiviruses as it added polymorphism in a self-replicating mass mailing trojan. So significant was its infection that we wrote a report:
    >
    > PrettyPark2 (February, 2000)
    >
    > It also constituted the first primordial "rootkit" in that it used a kernel driver (VXD) in order to function and thus was not a "process" at all, rendering it completely invisible to the usual means of detection, and almost impossible to detect once it was running. BOClean saw it readily though. Then, in 1999, Cult of the Dead Cow created the ULTIMATE "rootkit" and one whose legacy remains today in just about every piece of serious malware, "BO2K" ... the first trojan with stealth, the ability to provide a "reverse connect" through firewalls and most importantly, the first "injector" trojan which could inject itself into OTHER programs, leaving no trace of its origin behind to successfully detect. In fact, it was the creativity of "BO" which resulted in the name "BO"Clean ... for years, it remained the most widely used backdoor because it had so many different means of completely eluding antivirus detection.
    >
    > Throughout the ascendancy of these pieces of malware, traditional antiviruses had to create a brand new "signature" for each and every "variant" of code which was exactly the same as all the others except that at the FILE level, there wasn't a match of file strings. And thus was born "virus.a," "virus.b," "virus.abc" as each individual possible permutation had to have its own name, and its own "Signature." To BOClean, they were all the same because BOClean didn't fall victim to the 20 year old "scan files" mentality which continued through this whole new paradigm.
    >
    > ENTER "ADWARE" AND "SPYWARE"
    >
    > Many web sites in the days of yore contained "banner ads" at the tops of pages which allowed webmasters to earn money displaying advertising on their sites. Major commercial websites depended on this advertising revenue to pay for their very existence. Along came shareware that would remove the banner ads, destroy cookies, and ruin the advertising income for many sites. And advertisers were willing to pay for "market research" on who was clicking on those ads, in hopes of refining their ads for better "response through clickthroughs."
    >
    > Since banner ads weren't working, a more aggressive method of advertising called "POP-UPS" was created that would place an ad over or under the web page. But these required javascripting in order to function and savvy users would disable javascript and with it, all those ads. Sites retaliated by FORCING people to use javascript or the web page didn't work properly. But that backfired as well as "popup blockers" came into existence. Many popular sites disappeared because they couldn't pay their bills. Others turned "rogue" by offering "special enhancements" that contained advertising within the "special viewers" which would pop up advertising, particularly on "porn sites" which had high usage but couldn't otherwise afford the "bandwidth." The "special viewers" provided advertising on the desktop for OTHER porn sites. Turn off all "scripting" in your browser, and you'll NEVER be infected! Folks just HAVE to turn it on for this "ONE site" though, that's where they get nailed.
    >
    > At the same time, people became unwilling to PAY for shareware and even commercial software sales fell flat. Companies like Gator, WhenU and others saw an opportunity to use FREEware and shareware "trials" as a vehicle for advertising and the majority of authors of freeware and shareware leaped at the opportunity to earn revenue by this new "adware" methodology. As a result, "adware" (commonly called "spyware") was installed as part of these programs. And people got PAID for their work after all.
    >
    > And for the struggling websites and shareware and freeware authors, their income evaporated as programs like "AdAware" and others began removing advertising from within these programs where the contract between the authors and those who downloaded their software was the placement of that advertising in exchange for the use of the software or site.
    >
    > Didn't take long before those bits of goodwill and fair compensation were abused by many and as of 2001, BOClean was extended to remove any malicious "additions" to popular programs where there really was "spyware" where the trust of the individuals who installed the software or viewed the pages was violated. Up until this point, BOClean dealt solely with backdoor trojans, worms, rootkits, keyloggers, dialers, and other damaging, malicious, surreptitious programs.
    >
    > For us, we had to decide what was malware and what was "these are the legitimate terms of the contract between you and the author." And we determined at the time that if advertising was clearly stated as part of the contract and the advertising was provided only in the program, and nothing "sneaky" was done, that it wasn't a trojan but rather "compensation." BOClean only went after that which was done in an underhanded manner, or done maliciously. And there was plenty of that.
    >
    > But for programs like Eudora which displays advertising on the screen of the program, WinZip and others, those were NOT "trojans" in our eyes SO LONG AS the terms were clearly spelled out at installation time, the program (AND the advertising) were thoroughly removed when uninstalled and that the terms of the privacy agreement were kept by the authors and the advertisers. Peer-to-peer software given away for free was always "advertising-supported" as were many other programs of relatively recent vintage. As long as the "advertising" was in keeping with the license for use, and the privacy policies OF the license matched what the "add-ons" actually did, we didn't consider them to be malware. But things quickly got out of hand, forcing our hand to defeating them as more and more of them turned "rogue."
    >
    > BOCLEAN GETS SUED FOR "RESTRAINT OF TRADE"
    >
    > In the summer of 2000, the NETBUS trojan was sold to a Florida Corporation who decided to resell Netbus as "a legitimate remote administration tool." When they learned that BOClean was detecting the Netbus trojan as "Netbus trojan" their lawyers took action against Privacy Software Corporation, demanding a "cease and desist" on our detection of Netbus. Our corporate lawyer and our management contested the assertion, and prior to trial came to a settlement with the dealer (now defunct) which determined that BOClean would be provided with a "Do NOT detect Netbus" option in order to stop BOClean from detecting Netbus *IF* the end user so desired. A legal precedent was also set under New York jurisdiction (we're a New York Corporation legally) by this settlement which was upheld by the courts. Our "option" to NOT detect at the discretion of the end user was an "adequate remedy" under New York State law, and BOClean is governed by same.
    >
    > BECAUSE we were not a "common carrier" in that there is no "evaluation copy" available to the "general public" BOClean is seen legally as a "subscriber service" and our decisions to cover or NOT cover certain malware is legally seen as a "service" rather than an obligation and thus legally, because we do NOT offer "to the general public," we are a "private club" and thus entitled to ANY discrimination "on behalf of our subscribers" as WE see fit. Netbus therefore had no legal standing to challenge our decision. AND, because we agreed in a settlement to place the "Do NOT detect Netbus" in our configuration screen, the embarrassment of the "this is bad, but ignore it" display in our product only served to bury Netbus as a "legitimate remote administration tool."
    >
    > The outcome is there is already legal precedent for BOCLEAN under the law, and whereas other antimalware had surrendered to bogus legal claims (but eventually relented after we won the decision) and dropped the detection of malware, BOCLEAN is under no such legal obligation. We act on behalf of our "subscribers" BECAUSE there are no "free to the general public" releases of BOClean. THAT provision is what keeps everybody safe even if it costs us "easy sales."
    >
    > THE KIDDIES TURN PRO
    >
    > Throughout the 1990's and into the beginning of the new Millennium, the motivation for the authors of malware and the "script kiddies" who used these toys was ego. "I'm LEET" was the whole point of adolescent approval-seeking among their peers. By the year 2002, all of this changed drastically. As those of us in the antitrojan business, as well as some of the antiviruses quickly destroyed MOST of these "creations," the people who create these things no longer enjoyed their "hobby" and got serious. Suddenly, writing these things was a means of MAKING MONEY. And LOTS of it.
    >
    > And as "anti-spyware" software came into existence, the advertisers and the software authors were being deprived in many cases of their fair "price" for that freeware and shareware they created, as people tried to get "free software" without paying the "price." A natural "nexus" began to emerge as some advertisers, and many disgruntled webmasters, shareware and freeware authors sought "revenge" against those who "cheated them" of their fair alternate income. As THEY saw it, the USERS were violating the license and "stealing." There is ALWAYS a price for software - either cash, or "other considerations."
    >
    > Enter the "script kiddies" and former trojan horse authors with their expertise in evading and eluding detection. There was money to be made in providing "bulletproof advertising" for the companies which provided the popups and in-situ advertising. For a price, they'd write CUSTOM "trojans" to deliver those ads. And quickly, some of the very best malware authors were getting paid. And when "anti-spyware scanners" managed to detect their latest, they'd simply repackage the same code using the techniques we've known in the BOClean lab again and again.
    >
    > Techniques such as "reverse-connections" which elude firewalls entirely, "rootkitting," and "memory injection" techniques were applied to adware. This in turn gave birth to what is called the "drive-by install" wherein the numerous security holes of Microsoft Windows provided "easy pickings" and the victim never knew that they had been hijacked. Companies like Integrated Search Technologies (ISTbar) and CoolWebSearch (CWS) and numerous others found an easy way to make lots of money using the talents of the same old familiar faces we knew for years in the BOClean lab. And they were SO successful that long-term fighters against "spyware" like Merijn Bellekom of CWShredder fame quit in June of 2004, throwing his hands up over the growing complexities of dealing with CWS. For BOCLEAN, this was just another day of the usual. He recently sold his file-scanner technology to Intermute, but the problem was that constantly updating file signatures took its toll. And there are many others out there besides CWS who are also employing yesterday's best trojan authors to write their hijackers. The entire scope of the "game" has changed, and us "old time antitrojan" people KNOW the perps and their code.
    >
    > In the past couple of years, hijacking browsers to various inferior search engines has become a BILLION dollar business for "ne'er-do-wells." And new nasties are released EVERY day now. Standing in opposition to them is a loyal, but hobbyist population of cottage industry volunteers who simply don't have the resources (or TIME) to deal with professional CRIMINALS. It has gotten THAT far out of hand. Law enforcement has been non-existent even though New York's Attorney General Eliot Spitzer promises to do something about them. It's really a federal matter and what they're doing is NOT against the law. And there appears to be no stampede in Congress to change this reality. Being a commercial force against criminal enterprise IS expensive. Sorry to say, "Donationware" and "freeware" can't pay to keep up the war. Nor can volunteers. Anyone involved with HJT logs can tell you, it's getting totally out of hand.
    >
    > As if "spyware" (defined as advertising that reports back your web forays) isn't bad enough (and is finally being noticed by the media) there's far worse going on out there with the professional trojan authors. And there's plenty of disgruntled ex-shareware authors also seeing "easy money" in using their advanced programming skill to write malware for a buck.
    >
    > ORGANIZED CRIME STEPS IN - IDENTITY THEFT
    >
    > Having a browser hijacked and sent to web pages you never intended or wanted to see is already passé. And in the greater scheme of things, not terribly serious. You can wait to scan, or seek assistance with the ubiquitous "HijackThis" log on various groups and support sites. And maybe within a few days, the hijacker will be found and removed. All you're really "out" is your peace of mind and enjoyment of your machine. There's far worse out there, and the moment it lands on your system, you're in serious trouble. Some of the newer threats have hosed you literally in seconds. And seriously.
    >
    > While the media makes a big deal about "phishing" emails where you make the mistake of replying to an email purporting to be from your bank, broker or eBay or some other site where financial data is stored, and then being directed to a rogue site asking for your personal financial information, these are fairly easy to avoid. Your bank, your broker or eBay do NOT send email asking you to confirm your account information. NEVER answer such an email - instead pick up the telephone and CALL them. Or manually type the site into your browser (NEVER click on a link!) and go to the site.
    >
    > The criminals who weren't satisfied with the income from browser hijackings have more evil things in mind with what they're doing right now. It's called "keyloggers." These malicious programs (which are installed as readily as any browser hijacker) are designed to record your keystrokes and email the results to the perpetrator. Such information as login information and passwords, bank account numbers, and other extremely critical data are readily captured and emailed to the perpetrator in seconds. This is the new "growth industry" among former trojan authors and other disgruntled programmers.
    >
    > Confederations between these people and the ubiquitous spammers are also a fast buck for these criminals - installing proxies, spam relayers, "bots" and other utilities which turn YOUR machine into a zombie, stealing your bandwidth, and possibly getting you in serious trouble with your ISP are just another income flow for computer criminals. There's also another "robbery" method called "dialers" which drop your internet connection, and then use your modem to dial out to overseas telephone numbers for hundreds of dollars on your phone bill for a couple of minutes worth of hijack to you. And they split the money with your telephone company. Sage bit of advice - if you're on broadband, NEVER leave your vestige of a modem plugged into the telephone line. Pull that plug!
    >
    > Peer-to-peer networks for "file sharing" are the ultimate breeding ground for these nasties. The "criminal mind" says, "if they're stealing software and cracks and music, then THEY'RE criminals and so it's OK for US to rip them off too." In fact, a few trojans we've seen were planted by commercial interests as a "revenge tool" for those who "steal" music, movies and other "intellectual property" from such sites. And then there's the porn scammers who hijack machines to USE as porn sites. YOUR machine could be a porn site and it happens frequently.
    >
    > The bottom line is the internet has become a toilet. It is overrun by scammers, criminals and others who fear no prosecution because there isn't any. And they're using sophisticated programming, and the talents of many very talented but unemployed or underpaid former "internet whiz kids." The cards are stacked against the public. And the "usual solutions" (as Merijn realized) are just too much work for hobbyists and would-be future Bill Gates types to endure for very long. And those shareware and freeware authors aren't keeping up. They just don't have the resources.
    >
    > And now, the antivirus makers are trying to reach into this "market" as well with the now 30 year old "file scanning" technologies that simply don't work. The criminals have the tools and the talent. The amateurs and newcomers simply don't. And highly sophisticated techniques of avoidance of detection are the realm today. We routinely check the various trojans we've collected against other products and the detection rates are pitiful. Were it not for almost a decade of experience with hard core trojan authors, we'd probably be hard pressed to keep up as well. It's a difficult and formidable task which requires the commitment and resources of professionals.
    >
    > Each day brings dozens of new malware releases. CWS and IST update their malware EVERY day. Same for others. When we first got into what we do with BOClean, it was perhaps 50 new trojans per year. Now we see that many brand new, unique trojans in a single day as we go through hundreds of new sightings of variants daily. And we have our own internal "file scanning tools" by which we pre-check what comes into our labs. RARELY does a file scan indicate "we've seen this before." Only when it's fed to BOClean do we realize that although it's a completely different file, it's merely a variant of something we already cover.
    >
    > File scanners don't stand a chance. This is no longer a job for shareware, and hasn't been for quite a while. Despite having antiviruses, firewalls and "spyware scanners" we still have a situation where 7 out of ten computers are infected and only a FEW of those infections are actually detected and removed. Unless you have BOClean.
    >
    > Unlike file scanners, which get used way too late - BOClean is there to automatically stop, defeat and remove malware NOW. Not after it's too late, and not after days of waiting for HijackThis log resolution, only to find out that it was a keylogger or a rootkit that bit you. BOClean works NOW, instantly. It's the best defense for you and those you care about.
    >
    > HEAVILY BIASED TESTING
    >
    > This really isn't fair since we're a "vendor" but since other anti-malware vendors like to compare themselves to BOClean, we did a fast random sampling against some other programs with the catches we collected between May 10th, 2005 through the 13th. The test sample was based on a random selection of 100 of over 900 collected items in no particular order and done on the morning of the 13th. Distribution of samples was 33 from each of the three days including hijackers, keyloggers, and "bots" plus one additional nasty from the 10th to make it an even "100."
    >
    > BOClean - 100 of 100 (their last update - 05/13/05)
    > Kaspersky - 42 of 100 (their last update - 05/13/05)
    > TDS3 - 37 of 100 (their last update - 05/13/05)
    > AVG - 6 of 100 (their last update - 05/12/05) *
    > Ewido - 5 of 100 (their last update - 05/13/05) *
    > Symantec - 4 of 100 (their last update - 05/11/05) *
    > TrojanHunter - 1 of 100 (their last update - 05/12/05) *
    > A2 Personal - 0 of 100 (their last update - 05/09/05) *
    > AdAware SE - 0 of 100 (their last update - 05/10/05) *
    > Avast - 0 of 100 (their last update - 05/12/05)
    > SpyBot S&D - 0 of 100 (their last update - 04/27/05) *
    > McAfee - 0 of 100 (their last update - 05/12/05 - beta 05/13/05) *
    > MicrosoftMSAS- 0 of 100 (their last update - 05/12/05) *
    > NOD32 - 0 of 100 (their last update - 05/12/05)
    > PestPatrol - 0 of 100 (their last update - 05/05/05) *
    > Sophos - 0 of 100 (their last update - 05/13/05) *
    > SpywareBlast - 0 of 100 (their last update - 05/10/05) *
    > SpySweeper - 0 of 100 (their last update - 05/12/05) *
    > Tauscan - 0 of 100 (their last update - 05/12/05) *
    >
    > The tests were performed by an associate, and obviously the results are not reliable since the testing was based on samples submitted to us (as well as all OTHER vendors) by one of our own "spotters" who chose the samples and performed the test. Naturally, we would have a 100% score given that we update as soon as possible. Compare to other vendors that you depend on however. Dates displayed were those reported on DSL Reports' latest update list as of this writing.
    >
    > * indicates that the product was disabled by one or more samples tested in the course of evaluation. After the failure, products were restored prior to continuing testing ... no disruptions of protection were counted in the total scoring of efficacy. Disabilities were the result of successful process termination by malware under test.
    >
    > We have partnered with Uniblue to bring you this special offer for the new and significantly improved version of the award winning WinBackup 2.0 Standard!
    >
    > In the last few years the rising number of threats that can wipe out all your valuable data in an instant has made backup software the only solution that offers you complete peace of mind. With this in mind, we strongly recommend you to take a look at WinBackup 2.0 Standard, one of the leading software for data protection!
    >
    > This week, in close partnership with Uniblue we are proud to give you one of the best offers of the year and help you secure your data in minutes!
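The newsletter's recurring point is that "packed" or "polymorphic" variants are the same code once running in memory but different bytes on disk, so a file scanner needs a fresh signature per variant while a memory-based check needs one. The following is an added illustration written for this thread, not code from PSC, BOClean, or anyone posting here; the payload, the one-byte XOR "packer" stub, and the sample keys are constructed stand-ins that are far simpler than any real packer.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed toy "backdoor image" used as the sample; it is not real malware.
PAYLOAD = b"CONSTRUCTED_TOY_SAMPLE::remote-access-stub::v1\x00padding-bytes"

# A file-level signature: the fixed byte string a file scanner looks for on disk.
FILE_SIGNATURE = b"TOY_SAMPLE::remote-access-stub::v1"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Toy stand-in for a packer transform; XOR is its own inverse."""
    return bytes(b ^ key for b in data)


def make_packed_variant(payload: bytes, key: int) -> bytes:
    """On-disk form of one 'variant': a one-byte header holding the key followed
    by the transformed payload. Key 0 is the identity, i.e. the unpacked original.
    Constructed for illustration only; real packers are far more elaborate."""
    return bytes([key]) + xor_bytes(payload, key)


def unpack_in_memory(on_disk: bytes) -> bytes:
    """What the variant's stub does at run time: restore the original image."""
    key, body = on_disk[0], on_disk[1:]
    return xor_bytes(body, key)


def file_scanner(on_disk: bytes) -> bool:
    """Traditional file scanner: matches the signature against raw file bytes."""
    return FILE_SIGNATURE in on_disk


def memory_scanner(on_disk: bytes) -> bool:
    """Memory-style detection: matches against the image as it exists once
    the stub has unpacked it, which is identical for every variant."""
    return FILE_SIGNATURE in unpack_in_memory(on_disk)


def build_sample_set(keys: List[int]) -> Dict[str, bytes]:
    """The unpacked original plus one packed variant per key (constructed)."""
    samples = {"original": make_packed_variant(PAYLOAD, 0)}
    for k in keys:
        samples[f"variant_{k:02x}"] = make_packed_variant(PAYLOAD, k)
    return samples


def count_detections(samples: Dict[str, bytes],
                     scanner: Callable[[bytes], bool]) -> int:
    """How many samples a given scanner flags."""
    return sum(1 for s in samples.values() if scanner(s))


def distinct_file_hashes(samples: Dict[str, bytes]) -> int:
    """Number of distinct on-disk hashes: each one would need its own
    'virus.a', 'virus.b', ... file signature."""
    return len({hashlib.sha256(s).hexdigest() for s in samples.values()})


if __name__ == "__main__":
    sample_set = build_sample_set([0x41, 0x7F, 0x9A, 0xFF])
    print("samples:          ", len(sample_set))
    print("distinct hashes:  ", distinct_file_hashes(sample_set))
    print("file scanner hits:", count_detections(sample_set, file_scanner))
    print("memory hits:      ", count_detections(sample_set, memory_scanner))
```

With four keys the file scanner flags only the unpacked original, while the memory-style check flags all five, and every variant carries a different file hash.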
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz