robert_K
Newbie


Posts: 5
Re: Failed test of DLL injections. (???)
« Reply #2 on: Dec 12th, 2005, 5:07pm »
Thank you for answering! Just today I did my two-week scan routine and found some interesting results relating to the topic. TH made a detection on the following file: FireDLL.dll, and described it as a Trojan: “TrojanNotifier. Fire 100” (the detected file is a leak tester coming from the link posted in the previous post). Almost all the scans I did (Ad-aware, Spybot, Ewido, AVG, Tenebril’s SpyCatcher; online: Kaspersky, SpywareInfo, Pest Control, Panda) made similar detections, usually on various and different combinations of 2-5 out of the 15 testers. Most explanations (with the exception of TH) classified the programs (in various words) as “probes reporting vulnerabilities”, usually either listing them as “suspicious files” (rather than positives) or as programs which “could” potentially have been used maliciously, etc.

Giving it some thought: indeed, a tester after all connects to some site, and by doing so announces the IP and names the vulnerability (which could be recorded). Using the cover of “providing a tester” (even alongside some legitimate help) would also be very clever social engineering: a perfect black smoke screen (if someone were to use the information obtained afterwards maliciously). The whole distinction between “malicious” and “legitimate” depends solely upon trust in the site (and I know many hackers are often willing to go to great lengths to produce a “black smoke screen” and deniability for their real intentions…). Just to be clear on the issue: I am only speculating theoretically. The link comes from one of the regulars of the GRC forum; I don’t have any other reasons (beyond those potentially stated) to think that the site could be illegitimate.

Following the thought further, it seems to me (unless I’m wrong) that information obtained by this method would, on the other hand, be of only secondary value to an alleged attacker. Leak testers investigate only the aspect of outbound leaks, while knowledge of inbound exposure would probably be considered more desirable (as it would allow engineering a vector of attack directly).
I don’t have sufficient understanding or knowledge to speculate how and whether reporting leak testers could provide someone with information about potential exposure from outside (along with the definite ability to report weak points from inside)… I am also trying to weigh in my mind what to think about the fact that TH varied significantly in its results from all the other scanners. On the one hand it made the fewest detections (just one); on the other, it was the only one to name the file as a Trojan, as opposed to “suspicious files” or one which “could”, etc. I wonder whether it had other reasons besides the awareness that the file could potentially be used maliciously as a reporting probe… If YES, the whole “trust factor” in the site would definitely shift (potentially also with regard to the real purpose of all the other testers). If it didn’t have “other” reasons, it seems that it simply made the fewest detections… Perhaps it was just a false positive and the file is, after all, not a certain, definitely malicious-purpose positive… I don’t know what to make of it.

I found a post on this forum from February stating that GRC’s Leak Test was explicitly excluded from TH’s detection list. Just wanted to bring this to attention. Also, thanks for making a great tool (TH).

PS. By the way, how could I add my own custom detection definition to TH? Some people say it’s the only program in the world capable of it.