tron.zip Detection

Discussion in 'Trojan Defence Suite' started by Bouch, May 30, 2002.

Thread Status:
Not open for further replies.
  1. Bouch (Registered Member, Toronto Canada)

    Greetings all.

    I downloaded tron.zip from here: http://www.xxx.com/trojans/tools/remote/

    URL refers to a trojan download and has been altered for that reason - Forum Admin

    The following is the brief description provided at this site:

    I scanned tron.zip with TDS-3 and it detected nothing; however, when I unzipped tron.zip, TDS-3 positively identified tronserver.exe as "RAT.tron". Since I also have licenced versions of both Tauscan and Trojan Hunter (both are the latest versions, with databases updated today), I scanned the unzipped file with them. Both Tauscan and Trojan Hunter failed to identify tronserver.exe as a trojan. Please feel free to draw your own conclusions.

    This may seem picky; however, how come there was no detection of the zip file? tron.zip downloads to Windows/Temporary Internet Files. I scanned Temporary Internet files with zip files checked in TDS-3, and tron.zip went undetected. Obviously, I'm missing something.
     
  2. Paul Wilders (Administrator, The Netherlands)

  3. Jooske (Registered Member, Netherlands, EU near the sea)

    You surely must be missing something.

    So are you sure you have the latest Radius databases, of over 14061 references now, and all scan options (including the zipped ones) checked?
     
  4. Bouch (Registered Member, Toronto Canada)

    Thanks Paul and Jooske!

    You're right, of course. I'm still on a steep learning curve with TDS-3. I deleted the unzipped folder containing tronserver.exe and tron.zip from Windows/Temporary Internet files. When I then did a full system scan, TDS-3 made a positive identification (in archive) of tronserver.exe in C:\download\tron.zip. Good stuff. TDS-3 ... what a hunk of software!!!

    Bob
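The question raised in the opening post, and the answer that resolves it here (archive scanning has to be switched on before the .zip is caught), come down to one scanner behaviour: a scan that hashes or pattern-matches the .zip container as a single blob never sees the member inside it. The following is an added example written for this page; it is not code from the thread, from DiamondCS or from TDS-3. It is a minimal signature scanner in Python that can be run with archive recursion off (misses the member) and on (finds it, including one level of zip-in-zip). The signature is the SHA-256 of a constructed harmless byte string standing in for tronserver.exe, not a real sample or a real vendor signature; the file names tron.zip and tronserver.exe are borrowed from the thread for illustration only, and the member-size cap and depth limit are design choices of this example.

```python
import hashlib
import io
import os
import tempfile
import zipfile

# Constructed stand-in for a scanner's signature database: one SHA-256 of a
# harmless byte string. Neither the bytes nor the hash are a real sample or a
# real TDS-3 signature; the file names are borrowed from the thread only.
FAKE_PAYLOAD = b"constructed stand-in for tronserver.exe; harmless text, not malware"
SIGNATURES = {
    hashlib.sha256(FAKE_PAYLOAD).hexdigest(): "RAT.tron (constructed test signature)",
}

MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate oversized members (zip-bomb guard)


def match_signature(data: bytes):
    """Return the signature name for an exact content match, else None."""
    return SIGNATURES.get(hashlib.sha256(data).hexdigest())


def scan_bytes(data: bytes, location: str, scan_archives: bool, depth: int):
    """Scan one blob; if it is a ZIP and scan_archives is set, recurse into its members.

    Returns a list of (location, signature_name) detections, where location is a
    path-like string such as 'C:/download/tron.zip:tronserver.exe'.
    """
    hits = []
    name = match_signature(data)
    if name:
        hits.append((location, name))

    # A surface scan hashes the compressed container, which never equals the
    # hash of the payload inside it: that is why the .zip alone looks "clean".
    if scan_archives and depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                member = zf.read(info)
                hits.extend(scan_bytes(member, f"{location}:{info.filename}",
                                       scan_archives, depth - 1))
    return hits


def scan_file(path: str, scan_archives: bool = True, max_depth: int = 3):
    """Scan a file on disk, optionally descending into nested archives up to max_depth."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read(), path, scan_archives, max_depth)


def build_samples(directory: str):
    """Write tron.zip (holding the constructed 'tronserver.exe') and outer.zip wrapping it."""
    inner = os.path.join(directory, "tron.zip")
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("tronserver.exe", FAKE_PAYLOAD)
        zf.writestr("readme.txt", b"harmless text")
    outer = os.path.join(directory, "outer.zip")
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(inner, arcname="tron.zip")
    return inner, outer


def demo():
    """Return (surface, archive, nested) detection lists for the constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        inner, outer = build_samples(tmp)
        surface = scan_file(inner, scan_archives=False)  # archive scanning off: misses
        archive = scan_file(inner, scan_archives=True)   # archive scanning on: finds the member
        nested = scan_file(outer, scan_archives=True)    # zip-in-zip: found one level deeper
        return surface, archive, nested


if __name__ == "__main__":
    for label, hits in zip(("surface", "archive", "nested"), demo()):
        print(f"{label:8s} -> {hits if hits else 'no detection'}")
```

Running the block prints no detection for the surface scan of tron.zip and one detection each for the archive scan and the nested case, which is the same difference the thread observed between the zip and the unpacked tronserver.exe. The depth limit and the per-member size cap are there because an archive-aware scanner that recurses without bounds is itself a denial-of-service target.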
     
  5. Jooske (Registered Member, Netherlands, EU near the sea)

    I got the download to scan it, and like the screenshot above in Paul's posting.
    I wonder if this is the same or an equivalent tool as another one "advertised" these days (potext); I must read the advertisements better for better impressions.


    And TDS is going to be even better.... she whispered respectfully...
     
  6. TonyKlein (Security Expert, The Netherlands)

    A properly updated Trojan Hunter apparently does recognize it.

    Take a look at this thread

    I downloaded the compressed file, and both NAV and NOD32 not unexpectedly declared there was nothing wrong with it.

    Being chicken, I didn't feel like experimenting with it in order to find out whether BOClean might detect it when it became active.
    I did write to Kevin to inquire whether they knew about this one.
    I'm sure it'll turn up in the forthcoming trojan definitions, though.
    They're usually pretty fast.

    I admit I'm tempted by TDS-3, although I am a little scared of being blinded by science when using it.  :D
     
  7. Paul Wilders (Administrator, The Netherlands)

    Hi Tony,

    Indeed, Magnus did make a database update available (see under the "update alerts" forum here) regarding TrojanHunter. He did get a copy somewhat later, as it seems.

    Quite true: NAV and NOD32 do not catch the nastie - yet. In essence, AVs should be superb in their job, and ATs in theirs. Relying on an AV in order to catch trojans does not provide the needed security in general.

    Kevin will update the BOClean database; no doubt about that.

    As for TDS and the learning curve: the upcoming new v4 comes in different flavours, "easy ones" as well.

    regards.

    paul
     
  8. TonyKlein (Security Expert, The Netherlands)

    Hi Paul,

    I know about the AV's, but I just thought I'd try them on this trojan in order to find out what they'd say.

    I'm happy using BOClean, but every now and then I think it would be nice to have a good on-demand scanner as well.

    Mind you, not that I feel unprotected running these three apps.
    I'm quite a prudent, run-of-the-mill computer user really, and I don't go looking for danger.
    As a matter of fact, I can't even remember an occasion when BOClean had to jump in to save the day.

    I just get your run-of-the-mill Klez, Loveletter, Magistr thingies, and nothing really exciting ever comes my way, I'm sorry to say (NOT?)... :D

    But about TDS-3, even without using 90% of all the options, I take it you can hopefully just scan a file or scan a drive without having to go through the entire user manual first?

    And I also assume that TDS-3 users are entitled to a free upgrade to TDS-4 when it's issued.

    If that's the case, I might well give it a try.
     
  9. Checkout (Security Rhinoceros)

    Just because it's got bells and whistles, you don't have to be musical....
     
  10. TonyKlein (Security Expert, The Netherlands)

    Ha! :D

    And I just might feel like taking music lessons in the future, of course... ;)

    Meanwhile, about this trojan, I mailed Kevin at BOClean support about it, and I got this response:

    Needless to say, already covered in BOClean's update overnight ... I took a look at it myself. Heh. What a *LAMEASS* pile of ... ummm.

    Doesn't even have an "explorer" so the kids can waft around the disk, a number of really poorly crafted "tools" and of course the obligatory "shut down a few firewalls" but unlike what we're seeing out there that really IS a threat, this one doesn't replace their screens with new ones inside the trojan so you never know your protection went poof on you. Nor does it have the "spot-killer" which repeatedly hammers away at any attempts to restart same (assuming it wasn't completely destroyed and all hooks to go back to the vendor's site and get fixed up again are gone and blocked below the winsock) ... in the greater scheme of things that we deal with day in and day out, this one's pretty pathetic.

    But we covered it anyway like so many other pathetic toys. Thanks much for turning it in.  :)
     
  11. Jooske (Registered Member, Netherlands, EU near the sea)

    Music from TDS?
    Yes!
    Some scripting; at least you must have heard it singing "happy birthday to you" in one of the scripts, and yes, you can set something up to make it sing on your birthday. And you can use the jukebox script.
    For the scanning there was one easy configuration script as well; I even posted it in one of the threads over here. I'm working on an HTML / VBS version to make it easier and voice controlled, so what you already know to configure under the configuration tab: to put the sockets on automated and to configure the scan as you wish with everything you like to scan, including your whole network and your neighbours and the people in the chatbox you're visiting, whatever you like, and remote controlled from your wireless phone maybe if you like; yes, it's all there, but not in that script :)
    More explanations in the helpfile, which is a really interesting manual, with screenshots and explanation everywhere, and it seems to be growing all by itself; I discover more each time I search for something.
     
  12. TonyKlein (Security Expert, The Netherlands)

    Dank je (thank you), Jooske (yes, that's right, yet another Dutchie here... :D)

    Well, I've started by downloading the helpfile, and as soon as I've memorized that, I'll fearlessly dive into the deep end, and maybe download a trial version.

    I'll keep you posted!

    Cheers,  Tony
     
  13. FanJ (Guest)

    Hey Tony,

    You will not regret it; as you know, I too run the excellent combo TDS-3 - BOClean (one for on-demand, one for resident).
    (BTW: you were not the only one who sent it to Kevin ;) )

    Groetjes (greetings), Jan.
     
  14. Jooske (Registered Member, Netherlands, EU near the sea)

    The helpfile is of so much more help with TDS if you can see what you're doing, and hear, taste and sniff it, and just do it :)
    There are some screenshots in the manual.
    Don't even pretend to ever learn it all by heart, as it is over 300 pages and a still growing number, and all of it renewed with the new version, etc. etc. I just know where to find it if needed, and I enjoy the new finds when digging again.
    By that time, imagine, I'll have to renew several scripts and wave files, where it explains TDS-3 and "Welcome to TDS-3" etc. etc. etc.
    But by that time you'll be wanting to play the "jingle bells" scripts you discovered, by which time you'll need a registered version for that, in the meantime discovering so many reasons why you don't even want to consider being a single day without your most preferred and beloved program, and the whole registered operators family with that, and the many more options a registered operator has..... or would you really like to study the TDS-4 manual first, to hurt yourself any longer with all the gems and diamonds you don't have at that moment?
    Ahhh TDS............... what a gem!
    Wish I could include some nice sexy TDS screenshot of some configuration or a trojan detection, whatever.
    Pssst: some script includes my voice!

    This was about tron, I remember; ok, TDS does detect it very well, as we see in Paul's screenshot as well.

    Lots of fun with your TDS manual study! I prefer it digital.
    Lof lof :)
     
  15. TonyKlein (Security Expert, The Netherlands)

    Well, you guys almost managed to convince me already, I must say.

    The promise of hearing Jooske's voice alone already makes me feel like rushing out and buying the product, skipping the trial version altogether!  ;)

    When is TDS-4 scheduled to be presented to the hungry masses?

    If it's only a month or so, I might wait for the latest and greatest.
     
  16. Jooske (Registered Member, Netherlands, EU near the sea)

    No reason to wait for that either, as we, the beta testing team, are not at the stage of beta testing the whole product yet, nor do we really know details.
    And: upgrading will be free of charge, so why wait?
    I always love to play around and see the new toys included. Or maybe a whole reorganisation of all there is, extra tools, different ways........
    Once you're there getting the TDS trial, you might like to look at the WormGuard trial as well.
    The registration doesn't cause new downloads, only the inclusion of the keyfile, whose diamond key will unlock some former limitations to even more functionality, like the exec protection and being able to run all the scripts, and other things Wayne might not have told us.
    Take your time and have a nice look at it, as the trials are free, even if you don't download them via my hop-clickbank URL :) which I don't post here <<wide grin>>; just click www.tds.diamondcs.com.au and enjoy the real world of security the happy way.
    Happy? Yes, because we are in the driver's seat and there are always nice family members in the passenger seats around. That's what we have the TWO forums for, and not to forget the large educational manual and, euhm... TDS itself waking us up, friendly calling our name, with some tips of the day, etc. etc. etc. etc., and whatever we have it doing beside the original included tasks via our own scripts!
     
  17. TonyKlein (Security Expert, The Netherlands)

    Thanks Jooske,

    I'll probably download TDS-3 in the course of this weekend.

    I may even purchase it right away, as I'm convinced that if I'm to go for an on-demand anti-trojan, there's probably no need to look any further than TDS-3, with all its configurable bells and whistles.

    As you see, I've become a believer already... ;)

    I'm interested in Worm Guard as well, but good grief, does one really need Nod32, NAV, BOClean, NIS, TDS-3 and Worm Guard?
    And yes, I know it's a superior product, but what if I'm never going to get to use it because all my other stuff clobbers the occasional nasty first?

    Let's start with TDS-3, and we'll see what we'll do after that.

    Groetjes (greetings), Ton
     
  18. Jooske (Registered Member, Netherlands, EU near the sea)

    Hi again Ton,
    NIS and WG 3 don't go well together, but v4 won't be a problem, I guess/hope. We are promised TDS and WG 4 will make other developers green with envy and jobless, as their products will be too, I might suppose.
    Girls like diamonds, so I like to use all of their gems
    http://www.diamondcs.com.au/web/img/diamond.gif     http://www.diamondcs.com.au/web/img/dcslogo.gif
    and boys like girls, even more with diamonds, so a perfect combination, isn't it?
    As we know the DCS gems are top of the security business, we keep laughing and happy, discovering new abilities, even in our own scripting!
    Leuk he? (Nice, eh?) :)
    Groetjes (greetings),
    Jooske
     
  19. TonyKlein (Security Expert, The Netherlands)

    :)

    Jooske,

    Are there known issues with NIS and TDS-3 that you're aware of??
     
  20. FanJ (Guest)


    As far as NIS 1.0 is concerned: none.
    With respect to the newer versions: AFAIK: no
     
  21. TonyKlein (Security Expert, The Netherlands)

    Thanks!

    I'm running NIS 4.0, but as I'd use TDS-3 strictly for on-demand scanning, I don't think anything much could happen that I wouldn't be able to correct by disabling NIS for a moment.

    You can probably count on me being a frequent visitor to the TDS-3 board.

    I can only advise everyone there to brace themselves for a lot of stupid questions... :D
     
  22. Jooske (Registered Member, Netherlands, EU near the sea)

    Which of the TDS-3 boards, Tony? This Only Official Public DCS / TDS Forum or the Registered Operators Only Private Forum?
    I'm frequenting both :)
    You know, we love stupid questions, as the only stupid questions are the ones not asked at all, so we can all learn from them, and from all the others which are asked, even more all together!
    Looking forward to learning lots more!
     
  23. UNICRON (Technical Expert, Nanaimo BC Canada)

    Yeah, stupid questions are good because they make us look smart when we know the answer. Smart questions are sometimes bad because they are often too hard to answer ;)
     
  24. TonyKlein (Security Expert, The Netherlands)

    This one, I guess, as it's the only one I'm acquainted with.

    Besides, I "do" 2 Dutch and 5 American boards, and I'm not really looking to add any more to those (for the moment, that is... :D)

    No prob: I'll try to avoid the smart ones, then...  :cool:
     
  25. Bouch (Registered Member, Toronto Canada)

    Tony, just for the record, at the time that I performed the scan with Trojan Hunter, TH was "properly" updated in the sense that all updates available at that time were installed. Magnus had yet to issue an update that allowed TH to detect tronserver.exe. By the way, IMHO Magnus is justly deserving of a hearty "atta boy" for releasing the update within two hours of the file's submission. As of now (well, about 5 minutes ago), Tauscan has yet to be updated to detect this trojan.

    While I certainly understand why this action might be taken, it didn't seem out of line for me to provide the link. It appeared in the DSL Security Forum and, as of this moment, it still appears there unaltered. I used Tauscan for about two years before significantly upgrading my AT to TDS-3 and, in all that time, it never detected a single trojan on my system (unlike NAV in the case of viruses). Now it might appear that I'm bashing my own good fortune, but not at all. Because it never detected a single trojan, there was always this lingering doubt in my mind as to whether it was effectively doing its job. Because I was able to download this trojan and watch TDS-3 detect it in short order (while others failed to do so at the same point in time), I am now convinced that TDS-3 is effectively doing its job. I now know that I made a worthwhile investment when I became a licenced TDS Operator. It was a realization that I wanted other TDS users to experience. In some ways, I wish that there was a test bed of trojans (modified so as to be rendered harmless, if that's feasible) for this purpose. Regrettably, if there is such a resource, I haven't been able to locate it. Regards.
     