Trojan

Discussion in 'Trojan Defence Suite' started by dallen, Aug 12, 2004.

Thread Status:
Not open for further replies.
  1. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I am concerned that TDS might not be doing the job. I recently obtained a copy of the new Ad-aware SE Professional and scanned my computer. Right away it detected an item called "Win32.Delf.Trojan.A".
    Here is a link to the "Threat Assessment Chart" of the trojan according to Lavasoft:

    Threat Assessment Chart

    Why was this item overlooked by TDS-3 many times? TDS-3 is being touted as the best anti-trojan software on the market (and I believe it is), but it's discouraging to see an anti-spyware software catching trojans that TDS-3 is missing. o_O
    __________________
    "Threat Assessment Chart" is taken from Lavasoft's website. Lavasoft's home page can be found HERE
    ***Lavasoft reserves all rights to the material on their website***
     
    Last edited: Aug 12, 2004
  2. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Hi,

    Where did Ad-Aware find it, in your Hosts file?
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    There have been many reports of similar findings on various security forums since the new Ad-aware came out. For example...

    http://www.lavasoftsupport.com/index.php?showtopic=41101

    Search that thread for the malware you found, "Win32.Delf.Trojan.A", and you'll see what this is and what they say about it.

    Lavasoft states: "The people that have been saved from this really appreciate the fact that we detect them as "Possible's". If you know they are there and have put them there intentionally, the word possible comes into play here and therefore they are not false positives."

    Over at DSLR there is this about the findings on Hosts files (so far)...

    http://www.dslreports.com/forum/remark,11020464~mode=flat

    You'll have to decide for yourself if you want TDS-3 to "find" things like this and tell DCS what you think.
     
  4. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    gerardwil,
    This is what I've found out about it:
    So I think to answer your question:
    I think the answer is yes, but I'm not sure.

    LowWaterMark,
    I am about to read over the information you sent me and I'll comment on it soon, but thanks ahead of time.
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Dallen,

    I don't think TDS-3 has missed anything in this case, and if you scan with your anti-virus scanner I'm sure you'd get the same results (no alarms), because like TDS-3, your virus scanner wouldn't tell you about your Hosts file having a particular line in it, so this isn't a TDS-specific issue. We could add Hosts file monitoring to TDS4 but haven't had any requests for it.

    Can you please check your Hosts file for me - can you see an entry for "127.0.0.1 only-virgins.com", or ... ?

    If you really were infected with Delf, then yes TDS-3 would definitely detect the file (and that's the main issue) - but I note that the scanner you used seemingly hasn't detected the Delf file on your disk, so all you're going on is 1 alert by 1 scanner which hasn't even identified a file, just a possible line in a file - not really enough information to go on to say "Yes that's definitely an infection that all scanners should detect", wouldn't you agree? :)

    Regards,
    Wayne

    PS. If I'm not mistaken, TDS3 detects more variants of Delf than any other scanner:
    Code:
    Adware.Delfin.a
    Adware.Delfin.b
    Adware.DelfinMediaViewer.a
    Adware.DelfinMediaViewer.a Dropper
    Binded.Delf.aa
    Binded.Delf.ab
    Binded.Delf.ac
    Binded.Delf.ao
    Binded.Delf.l
    DLL.Adware.Delfin.a (dll)
    DLL.Adware.DelfinMediaViewer (dll)
    DLL.Adware.DelfinMediaViewer.a (dll)
    DLL.RAT.Delf.co (dll)
    DLL.Trojan.Win32.Delf.cf (dll)
    DLL.TrojanClicker.Win32.Delf.ab (dll)
    DLL.TrojanDownloader.Win32.Delf.bn (dll)
    DLL.TrojanDownloader.Win32.Delf.df (dll)
    PSW.Delf.at
    PSW.Delf.cf
    PSW.Delf.ck
    PSW.Delf.ct
    PSW.Delf.do
    PSW.Delf.l1
    RAT.Delf.ag
    RAT.Delf.c
    RAT.Delf.cc
    RAT.Delf.cu
    RAT.Delf.cu Dropper
    RAT.Delf.ii
    RAT.Delf.mm
    RAT.Delf.n
    RAT.Delf.nj
    RAT.Delf.nj (Unpacked)
    RAT.Delf.oy
    RAT.Delf.ps
    Trojan.Win32.Delf.aj
    Trojan.Win32.Delf.av
    Trojan.Win32.Delf.ba
    Trojan.Win32.Delf.bg
    Trojan.Win32.Delf.by
    Trojan.Win32.Delf.ca
    Trojan.Win32.Delf.cf
    Trojan.Win32.Delf.dq
    TrojanClicker.Win32.Delf.f
    TrojanClicker.Win32.Delf.r
    TrojanClicker.Win32.Delf.v
    TrojanClicker.Win32.Delf.x
    TrojanDownloader.Win32.Delf.br
    TrojanDownloader.Win32.Delf.ch
    TrojanDownloader.Win32.Delf.dd
    TrojanDropper.Win32.Delf.bo
    TrojanDropper.Win32.Delf.br
    TrojanProxy.Win32.Delf.a
    TrojanSpy.Win32.Delf.bc
    TrojanSpy.Win32.Delf.i
    Worm.P2P.Delf.t
     
    Last edited: Aug 12, 2004
  6. dallen

    dallen Registered Member

    Joined:
    May 11, 2003
    Posts:
    824
    Location:
    United States
    I have only begun sifting through the information that you sent me, LowWaterMark. It has become apparent to me that this wasn't nearly as bad as I had originally thought. Thank you.

    Wayne - DiamondCS,
    Don't forget this part of my statement:
    That belief is what caused me to be so surprised when AAW detected the "trojan." However, now it is obvious that it was essentially detecting the name of a trojan that was contained within a "hosts" file. I'm still a little confused about what the host files do.
    Yes, I agree.
    Actually, I restored all the files I've deleted with Ad-aware. Then I checked the Hosts file and found that item present. The odd thing is that it's the only item that comes after the "# End of entries inserted by Spybot-Search & Destroy"

    TDS-3 and its makers,
    Please accept my apology. Thankfully, I was wrong in thinking for a moment that your software missed something.
     
    Last edited: Aug 12, 2004
  7. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Here's a good introduction to the hosts file: Blocking Unwanted Parasites with a Hosts File. A well-managed (meaning updated) hosts file provides an additional layer of security. Since I use MVPS's hosts file, I have set Ad-Aware to ignore the hosts file when scanning.

    Nick
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Well, that's a bad detection to begin with - since the HOSTS file entry points to 127.0.0.1 ! So it's placed there to make sure you don't get to the REAL website, that's why it was added. Seems like a detection which could be prevented if the HOSTS entry is 127.0.0.* :)
     
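The hosts-file check the two DiamondCS posts point at (Wayne's "Hosts file monitoring", Gavin's rule that an entry pointing to 127.0.0.* is a block rather than a hijack), written out as an added example. This is not code from the thread, from DiamondCS, Lavasoft or Spybot; the hosts content embedded below is constructed for the example, its Spybot marker comments mimic the "End of entries inserted by Spybot-Search & Destroy" line dallen mentions, and 203.0.113.7 is a documentation address standing in for a hypothetical redirect target. The classification is the practitioner's version of the distinction argued in the thread: a name mapped to a loopback or unspecified address is sinkholed (a blocklist entry), a name mapped to any other address is redirected (the pattern a hosts-hijacking trojan actually leaves), and a blocking entry outside any tool's marker block is benign but unexplained, which is exactly what dallen found.

```python
"""Classify hosts-file entries: sinkhole (blocking) lines vs. real redirects.

Added example for the thread above; not code from DiamondCS, Lavasoft or Spybot.
"""
import ipaddress
import os
import re
import sys
from dataclasses import dataclass

# Constructed sample hosts file (not a capture of anyone's real file).
# The marker comments mimic the Spybot lines mentioned in the thread;
# 203.0.113.7 is a documentation address standing in for a hypothetical hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Start of entries inserted by Spybot-Search & Destroy
127.0.0.1 www.hotbar.com
127.0.0.1 hotbar.com
# End of entries inserted by Spybot-Search & Destroy
127.0.0.1 only-virgins.com
0.0.0.0 ad.doubleclick.net
203.0.113.7 www.windowsupdate.com   # hypothetical: a real name sent to a real host
"""

MARKER_RE = re.compile(r"^#\s*(Start|End) of entries inserted by\s+(.+?)\s*$",
                       re.IGNORECASE)
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}


@dataclass
class HostsEntry:
    lineno: int
    address: str
    hostnames: list
    section: str   # tool named by the surrounding marker block, or "unmanaged"
    verdict: str   # "loopback" | "blocking" | "redirect" | "invalid"


def classify(address, hostnames):
    """Gavin's rule: 127.0.0.* (or 0.0.0.0 / ::1) blocks the name; anything
    else redirects it to a real host, which is the pattern worth alerting on."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"          # not an address at all; malformed, worth a look
    if ip.is_loopback and hostnames and set(hostnames) <= LOCALHOST_NAMES:
        return "loopback"         # the stock "127.0.0.1 localhost" line
    if ip.is_loopback or ip.is_unspecified:
        return "blocking"         # sinkholed name: a blocklist entry, not a hijack
    return "redirect"             # name resolves to a real host: hijack pattern


def parse_hosts(text):
    entries = []
    section = "unmanaged"
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        marker = MARKER_RE.match(stripped)
        if marker:
            # Track which tool owns the block so entries outside every block
            # (like the one found after Spybot's End marker) stand out.
            section = marker.group(2) if marker.group(1).lower() == "start" else "unmanaged"
            continue
        code = stripped.split("#", 1)[0].strip()   # drop trailing comments
        if not code:
            continue
        fields = code.split()
        address, hostnames = fields[0], [h.lower() for h in fields[1:]]
        entries.append(HostsEntry(lineno, address, hostnames, section,
                                  classify(address, hostnames)))
    return entries


def find_redirects(entries):
    """Entries a scanner should actually alert on."""
    return [e for e in entries if e.verdict in ("redirect", "invalid")]


def unmanaged_blocking(entries):
    """Blocking entries no known tool claims: benign, but unexplained."""
    return [e for e in entries if e.section == "unmanaged" and e.verdict == "blocking"]


def hosts_path():
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS   # no readable hosts file: run on the constructed sample
    entries = parse_hosts(text)
    for e in find_redirects(entries):
        print(f"ALERT  line {e.lineno}: {e.address} -> {' '.join(e.hostnames)}")
    for e in unmanaged_blocking(entries):
        print(f"review line {e.lineno}: {e.address} -> {' '.join(e.hostnames)} (no tool marker)")
```

Run it with no arguments to scan the local hosts file, or pass a path. On the constructed sample it alerts only on the 203.0.113.7 line and lists the two unmanaged 127.0.0.1 / 0.0.0.0 entries for review; the Spybot-owned entries and the localhost line produce nothing, which is the behaviour Gavin argues a scanner should have had.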
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    I can confirm that the latest AA SE Pro Defs do not show the false positive:
    Reference Number : SE1R3 12.08.2004
    Internal build : 3

    HTH Pilli
     