-- Teaser: Why size doesn't matter! --

Boys ... this may be good news for you

We @ Scheinsicherheit have a special taste and do not believe that the sheer size is decisive. We are neither impressed by Eugene's giant size nor are we stunned because Tobias' size is rapidly increasing. And we do not pity Kevin for his small size.

Why is that? Isn't size the most important thing? Doesn't a big size make you happy? Well, it depends. If you are interested in a replicating standard performance and do not ask too many questions a big size may be o.k. for you. But we @ Scheinsicherheit are quite demanding and ask for an outstanding, individual & non-replicating experience.

For this reason, we plan to invite Eugene, Tobias, Magnus, Wayne, Kevin and many others to an exclusive party. In the course of such party we will hopefully convince Magnus to disclose one of his best kept secrets:


Moreover, we plan to ask Tobias to dump a load of sigs right in our hands:


And we should also have the means to get from the other guys what we really want ;-)


In other words, we hereby announce our plans to peform a "Scheinsicherheit Signature Quality Evaluation Series" that will inform you about the quality of the signatures used by various AV/AT developers for the detection of malware samples: we would like to explain to you various criteria that can be used in order to determine the quality of the signatures contained in a signature database, e.g. the number of sigs used per sample (cumulative or alternative?), the location of the sigs (code section, resource section etc.), the sig size (the smaller the better ;-), the type of the sigs (code-based vs. text-based) and the strenght of the sigs (rebasing-proof?, hex-proof?, patch-proof?, ep-proof?, redundancy?). Moreover, we would perform several spot-checks with respect to a number of popular scanners and publish the results.

Unfortunately, such Signature Quality Evaluation Series would mean a lot of work for us. Therefore, I would like to figure out whether people are actually interested in such kind of qualitative (not: quantitative) test. Please let me know.

(Disclaimer + "calm down notice": We do not plan to disclose any "secret options" for Ewido. We do not intend to distribute the TH Admin Patch. And we do not plan to dump and distribute any other scanner's signature database.)

Screenshots removed by request. Ron

 

I would love that!!!

this could give a lot of perspective on how good an at really is.

looking forward to see the result.

 

Would be very informative. Yes, please

 

YES....YES....YES!!

 

I'd like to see such tests run, also - but I have a question.

Does the signature quality have anything to do with how well a given program is going to be able to detect variants of whatever the signature was written for?

I ask because - more and more - I'm seeing the following statement being given when someone gets slammed with something new - "Hi ____ does detect the (worm/Trojan/keylogger) you named. BUT you may have a variant. If you can find the file please zip it up and send to submit@..."

This doesn't do a whole hell of a lot of good for the person affected by the "variant" (although I guess it helps the Internet community as a whole after a new definition goes out - assuming the zipped file is sent - still able to be sent - properly received and acted upon. A lot of assumptions there).

Actually, the whole scenario leads me to question whether (given the increase of easily-modified malware) signature-based stuff is effective at all anymore, for anything except old threats.

And to question whether your "Signature Quality Evaluation" will be of any more than academic interest if signatures - period - simply aren't cutting it anymore. Pete

 

I guess that why's they are going to study

 

ok, the pics are gone...I want to see the pics

 

and out of curiosity, why are they removed

Magnus allready told this isn't interesting for an end user (??) so why removing?

the same goes for Ewido picture.

can you explain Ronjor Please?

 

Perhaps Wilders doesn't want to condone reverse-engineering of security software and then publicly posting screenshots of the deed. Stuff like that - never mind that it is in violation of the license agreement of most software - does not belong on a serious security board. What would you say if they had posted a how-to guide on patching files so that they become undetected by KAV? It basically amounts to the same thing.

 

message clear Magnus, no prbs.

no I wouldn't like that guide on this board

 

The site linked to in the first post has some very interesting stuff in it, if no one's bothered to look. (I was especially tickled to see that programs like TDS-3, NOD32 and EWIDO did so well in their variants test: http://illusivesecurity.funpic.de/viewtopic.php?t=56 ).

And you can't really blame people for being curious about "hidden" functions in any "security"-related program they're using - the whole concept of "hidden" functions in trusted security programs being enough to send chills up anyone's back. Pete

 

Interestingly enough, the original screenshot was of the licensed version of TrojanHunter 4.0 (not 4.1). It had an admin menu which contained functions such as "list the most recently added trojan definitions" etc. That menu has since been removed since it is of no use to a regular user. Anyway, I trust that any tester would use either the trial version or a fully licensed, unpatched version when testing any program as I don't see how you can justify tests with patched versions of security software.

 

@Magnus

1.
"Interestingly enough, the original screenshot was of the licensed version of TrojanHunter 4.0 (not 4.1)."

I am not sure. TH 4.0 and 4.1 were installed in the same directory. Both versions are different. The admin menue of TH 4.0 contains 5 entries. The admin menue of TH 4.1 contains only two entries. But this does not really matter. For our purposes, the most important thing is that you can access the signature database. Moreover, you can determine and evaluate the way signatures are created.

2.
"Anyway, I trust that any tester would use either the trial version or a fully licensed, unpatched version when testing any program as I don't see how you can justify tests with patched versions of security software."

It seems that there is no reason to believe that the patched version will work differently. As a precaution, however, the tests will be performed with an unpatched trial. The patched version will only be used to reconfirm that we correctly determined the signatures. O.k.?

3.
"doesn't want to condone reverse-engineering of security software"

Reverse-engineering is considered illegal in several jurisdictions. We do not admit that we have reverse-engineered TH. Moreover, we do not admit that we have patched TH. (This is because also patching may be illegal.)

For exactly the same reason I expect AV/AT software developers not to admit that they reverse engineer software EVERY day and could thereby act in an illegal manner ;-) We also expect certain AV/AT software developers to deny the fact that they use a disassembler in order to extract signatures from a file...

Moreover, most security advisors will deny that they reverse software in order to determine whether it has security flaws or not.

All of the above may be illegal. Btw. ... did you know that Microsoft used pirated software in order to code Windows XP? ( http://madpenguin.org/cms/?m=show&id=2923 ... )

4.
" I don't condone the activity of these guys. I think I know now why they have never revealed their true identities and operate under pseudonyms." (see http://forum.misec.net/board/TrojanHunter/1107356159 )

You are correct. One of the reasons why we use pseudonyms is to protect ourselves. Not only AV/AT developers but also testers are sometimes required to cross the borderline. For example, you may be required to download and use a cracked & modified crypter in order to determine whether it is supported by a scanner's unpacking engine or not. You may also be required to download a cracked signature database in order to determine whether a rumour is true or not.

5.
I therefore believe the most important question is not whether any laws are violated but whether we do the right or the wrong thing by disclosing the fact that TH features a "secret admin mode". I have carefully considered the pros and cons of such disclosure and came to the conclusion that the pros outweigh the cons.

Cons:

You will get angry with us.

Competitors may start to closely examine TH and (again) make up "Madshi stories" etc.

TH sales might be indirectly affected.

Bad people may try to figure out how to enable the admin mode and then dump the signature database.

Pros:

The use of the admin patch will not only allow us to figure out a few TH signatures (we could also use a file splitter for this) but we will also be able to inform people whether TH's method of signature creation is flawed or not.

Consumers will be warned that security software developers include hidden options that facilitate the extraction of signatures.

You and other developers may ask themselves how serious they take the term "security".

You and other developers may be forced to remove hidden options etc. from public versions of security software.

Against this background, we have decided to disclose the fact that AV/AT software developers act negligently and provide for such hidden options etc. However, we will not tell people how to enable such hidden features.

6.
"What would you say if they had posted a how-to guide on patching files so that they become undetected by KAV? It basically amounts to the same thing."

We did this indeed ( http://scheinsicherheit.mirrorz.com/example.htm ). However, we informed Kaspersky many many months in advance. Moreover, we did not publish this trick before it became common knowledge in the trojan scene.


@all

Full disclosure: we have been contacted by an AV/AT software developer. Such developer has asked us to postpone the test of such developer's scanner because a significantly improved version will be released in about four weeks. We have replied that we will postpone the test of such scanner (but not for an indefinite period of time). This is because customers will not benefit from a test of an outdated version.

 

You can test TrojanHunter's signature strength all you want - I welcome you to. TrojanHunter 4 uses strong code-based signatures. However, using a cracked version of TrojanHunter with an applied patch and then publicly posting about this fact to try and make TrojanHunter look bad is just very unprofessional. Couple this with the fact that you have never revealed your true identity and I think you will find that very few people will take you seriously.

 

Since we have not yet performed the test it is still open whether we will come to the conclusion that TH's sigs are of a high, medium or low quality.

Moreover, I do not think that TH would look THAT bad if you simply said: "Admin mode will be removed in the next public version." Please also note that we did not merely criticise TH but Ewido as well. (Btw.: Also Tobias sent an email to us but did not complain ...). Other AV/AT developers are also suspected to use hidden options.

Why don't you simply admit that it was a very bad idea not to remove the admin mode from the public version? The problem can be easily solved ...

 

There is nothing "secret" or mysterious about this mode. You are just trying to focus attention on this in order to not make people focus on the methods you use when you examine software. What exactly are you saying is bad about a menu that contains things such as "Copy a list of the last added trojan names to the clipboard" and "Copy a standard update notification message to the clipboard"? Nothing! TrojanHunter has always had an open-rules format that allows users add their own detection rules so I don't see why you are trying to attack this feature now when you could have done so many years ago.

Anyway, it's interesting that you will now be using the trial version to conduct your test. I would have thought you would use the license you have already purchased given that the screenshots you posted were of the licensed version of TrojanHunter.

 

@Paul

"fact remains you have been reverse-engineering"

You first statement ("Personally, I do believe there is a distinct difference between reverse-engineering and posting screenshots.") came much closer to the truth.

"Second: I for one am fully in the dark as for what you are trying to prove here. The fact that signatures are/can be weak is an old, well known story - Eugene Kaspersky is aware of this and all other minor/major companies in the business as well. Question remains for what reasons you are sort of re-inventing the wheel/digging up an old story. Beats me ."

The idea is to determine whether there are at least a few scanners which do NOT use weak signatures. If this were the case it would be possible to recommend such scanners for the detection of non-replicating malware. Makes sense? Moreover, it may well be the case that different scanners suffer from different weaknesses. In such case, a combination of several scanners could significantly improve security. Our test would help to figure out suitable combinations.

 

@Magnus

We have "attacked" prior versions of TH because of the "open ruleset" concept which facilitates hexing/patching/modifying of malware. See http://scheinsicherheit.mirrorz.com/th.htm : "Last but not least ruft TrojanHunter geradezu dazu auf, seinen RAM Scanner durch modifizierte Trojaner auszutricksen, indem die verwendeten Signaturen frei zugänglich gemacht werden (siehe nachfolgender Screenshot mit einem Teil der Signatur des Bionet 3.18 Trojaners").

We have stopped to attack TH after the new version was released and the "open ruleset" concept was abolished. (At least that's what I thought.)

Now we may attack TH again because the admin mode can be used to re-enable the "open ruleset" concept. Similarly, we have attacked BOClean for not encrypting its signature database. With the release of BOClean this problem seems to be solved.

"What exactly are you saying is bad about a menu ..."

The real bad thing is not the admin menu but the Ruleset/Save Rules to Textfile menu. This is because such option will dump the NEW (possibly) strong, code-based file sigs. I thought that they are not supposed to be dumped. Correct? If I am mistaken and also the non-patched version allows dumping the ruleset there is no big problem at all. In such case, I do not understand why you are upset that we mentioned the existence of the admin mode.

 

TrojanHunter has always had an open ruleset and this has not changed in the latest version since the user can still add/edit custom detection rules. You are again just trying to divert focus from your testing methods. Every scanner that is out there has the ability to read its own signature database and there is nothing in the world that is going to change that. If you want to make people believe that this is not the case then all you may be able to do is convince some uneducated users that this would be more "secure". However, your constant attacks which anyone with a bit of computer knowledge can tell is complete rubbish is actually making me consider removing custom detection rules entirely from the next version of TrojanHunter. This would not make TrojanHunter one bit more secure, it would just please people like you and those who are uneducated, but the time it would save in having these debates might actually make it worth it.

 

And let's make another thing clear. I am not against you testing TrojanHunter or evaluating its signature quality. What I am against is you blatantly violating the TrojanHunter license agreement and using cracked versions of the program and then posting about it in public. Your testing methods are wrong and like I said nobody will be taking you seriously as long as you continue testing this way.

 

"There is a distinct difference for sure - but that's not the issue. Truth is, it's impossible to post such a screen shots without reverse-engineering. You know it, I do know it - we all do. So let's not beat around the bush here. Fact remains: it's illegal - and we both know it."

Not correct. As you correctly mentioned in your first post it's completely open whether we or a third party reverse-engineered TH. The same applies, for example, to the cracked TDS-3 signature database or Senna Spy's AVP Offset Generator. We also did not crack TDS-3 nor did we code AVP Offset. But we told people about it.

"Rubbish. Following your route, for example KAV uses weak signatures. This implies you strongly advice not to use Kaspersky. Just an example - KAV can be exchanged by others as well."

Not entirely correct. I do not recommend to EXCLUSIVELY use KAV. Because of KAV's many flaws you should use an additional scanner for non-replicating malware. In such case you can benefit from KAV's strenghts (comprehensive signature database, good static unpacking engine) and (partly) compensate its many weaknesses.

"And to me, it surely looks like that's where you're heading."

Please explain.