   Mischel Internet Security Forum
   TrojanHunter
   TrojanHunter Guard
(Moderators: Helena, Gavin_Coe, Magnus)
   TH Guard and P2P
   Author  Topic: TH Guard and P2P  (Read 4621 times)
spy1
Full Member

TH Guard and P2P
« on: Jun 9th, 2008, 1:05pm »

Just out of curiosity,

(1) wouldn't TH Guard jump all over anything containing recognized malware even if you d/l'ed it through a P2P application?

(2) would it detect during the d/l itself - or only when the d/l was completed and opened?

(3) Has anyone here ever experienced such an occurrence? I haven't, and I've been running both various P2P programs and TH (w/Guard running) for years. Pete

siliconman01
Global Moderator

Re: TH Guard and P2P
« Reply #1 on: Jun 9th, 2008, 11:43pm »

Quote:
(1) wouldn't TH Guard jump all over anything containing recognized malware even if you d/l'ed it through a P2P application?

Yes, assuming that there is a ruleset rule covering the infection, or with the heuristics or generic rules. It should not make any difference how it is downloaded.

Quote:
(2) would it detect during the d/l itself - or only when the d/l was completed and opened?

It would detect it at the point when it is opened and in memory. THGuard is not a HIPS-type guard. THGuard polls memory every 10 seconds looking for infections.

Quote:
(3) Has anyone here ever experienced such an occurrence? I haven't and I've been running both various P2P programs and TH (w/Guard running) for years.

Personally I have not experienced this because I do not use P2P.
______
TrojanHunter V5.5.1002...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD VelociRaptors. Common: router, cable modem.
spy1
Full Member

Re: TH Guard and P2P
« Reply #2 on: Jun 10th, 2008, 9:34am »

Thank you. I thought so.

Would still be interested in hearing from any TH users who have experienced any alerts from TH from anything related to P2P.

My problem here is that I never get alerts from anything about anything - not from TH, NOD32, SpyCop.

I must lead a very boring life! *grin* Pete
Jrb
Guest

Re: TH Guard and P2P
« Reply #3 on: Jun 10th, 2008, 10:59pm »

Quote:
My problem here is that I never get alerts from anything about anything - not from TH, NOD32, SpyCop.

Install Ardamax keylogger 2.9 and see whether TH and SpyCop detect it.... (SpyCop does).
spy1
Full Member

Re: TH Guard and P2P
« Reply #4 on: Jun 11th, 2008, 6:39am »

Hi, Jrb!

Not really what I had in mind.

A purposeful, self-initiated install of anything doesn't reflect the same conditions as a file download that tries to install itself with evil, stealthy intent, I don't think (I could be wrong).

Besides - even SpyCop wouldn't detect it unless you actually ran a scan with it, would it? Which would be way after the fact of the keylogger's installation?

What I'm looking for here is examples of prevention - not after-the-fact detection, if you know what I mean. That's why I refer to TH's Guard and not the scanner.

Hey, hope all is well with you! Pete

*Of course, since you piqued my curiosity, I went ahead and installed the Ardamax keylogger from its homepage.

The set-up exe itself didn't trigger any alarms from anything here (TH Guard running, NOD32 monitoring), nor did a single file scan by TH itself, or NOD32, OR SpyCop indicate any malware.

The installation itself went off without a hitch or an alarm by any of those three programs (although my Sunbelt Personal Firewall did ask for permission for it to install, which I gave).

Ardamax keylogger, once installed, runs with "PDM.exe" showing in Process Explorer and with a SYSTRAY icon (which can be hidden to NOT show). And it IS faithfully recording this as I type it here. (My S.P.F asked for permission to open "AKV.exe" when I double-clicked the keylogger's SYSTRAY icon to see whether it was working or not, which I allowed).

Not very comforting so far, is it?

Never fear - NOD32 kicked its butt when I scanned it with TH's scanner:

6/11/2008 8:40:01 AM Real-time file system protection file C:\Program Files\PDM\PDM.exe a variant of Win32/KeyLogger.Ardamax application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe.

The keylogger's tray icon blinked out and its process disappeared from Process Explorer. I have a feeling that NOD32 would have picked it up sooner, but I didn't have "Potentially Unwanted" or "Potentially Unsafe" applications check-marked in NOD until more than halfway through its scan.

If I have time, I'll shut NOD down, re-install the keylogger and try the TH scan again. Pete
« Last Edit: Jun 11th, 2008, 7:50am by spy1 »
spy1
Full Member

Re: TH Guard and P2P
« Reply #5 on: Jun 11th, 2008, 8:37am »

Okay, I can verify that the TrojanHunter scanner - using the 2008-06-09 ruleset - does not detect Ardamax keylogger 2.9, which means that neither the Guard nor the scanner do as of that ruleset.

What's really depressing about this is that - on a whim - right after coming up empty on the TH scan, I ran the latest version of SpyBot Search and Destroy (1.6.0.25) and it did detect it - and would have disabled it had I let it do so.

Of course, SpyCop did detect it early in its scan. I'll put up screen shots of the detections I got over on Wilders shortly. Pete

*Screenshots: http://www.wilderssecurity.com/showthread.php?p=1259260#post1259260

And, if anyone's interested, Norton 360 won't even let me d/l the program on my wife's computer.

Also, now that I have NOD32 set correctly *roll eyes* it did detect the keylogger and quarantine it all by itself (it took a while, though, about two minutes after I restarted the computer). NOD didn't remove the registry entries, because SBS&D is still finding them (I'm fixing to let SBS&D remove those entries when its scan is done, then I'll re-scan with it to make sure they're gone).

Wow - this sure sucked up my morning! But it was fun - and very enlightening! Pete

Verified by running again that SBS&D did remove the registry entries that it had found for the keylogger.
« Last Edit: Jun 11th, 2008, 1:07pm by spy1 »
siliconman01
Global Moderator

Re: TH Guard and P2P
« Reply #6 on: Jun 11th, 2008, 1:22pm »

I've e-mailed Gavin on this.
Gavin_Coe
Trojan Analyst

Re: TH Guard and P2P
« Reply #7 on: Jun 11th, 2008, 10:17pm »

Please submit your test files, if you still have them.

I know we do detect a lot of Ardamax loggers, but haven't seen one in a while. So no doubt something has changed :)
Gavin_Coe
Trojan Analyst

Re: TH Guard and P2P
« Reply #8 on: Jun 11th, 2008, 11:27pm »

Never mind, added detection.

P2P programs will just download files. If you have HTTP scanning on your virus scanner (web scanning) then it can also detect, unless of course you excluded it or don't use this option, or your AV doesn't have it.

TH will only detect files when scanned or in memory if a signature or heuristic catches it. The update for Ardamax is coming soon.
spy1
Full Member

Re: TH Guard and P2P
« Reply #9 on: Jun 15th, 2008, 11:38am »

Gavin - I can verify that TH Scanner now detects Ardamax (can't really say which update got it because I haven't scanned for a while until just now):

Found trojan file: C:\Program Files\PDM\PDM.006 (Monitor.Ardamax.171)

I hadn't deleted the folder and files for Ardamax, I just let NOD32 and SBS&D do their thing to disable it. Now that I've got detection on it, I went ahead and deleted those files and the folder from Program Files.

Thank you. (And Happy Fathers' Day!) Pete
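The thread ends up with two different products reporting the same folder in two different log formats: the NOD32 real-time line quoted in Reply #4 and the TrojanHunter scanner line quoted in Reply #9. The script below is an added example (not code from this forum, from TrojanHunter/Mischel or from ESET) that parses both formats into one normalized record and then correlates the hits by directory and by the family name the two vendors share. The regular expressions are derived only from the two lines quoted above; the field names (category, action, accessor), the rule that ESET's category is the first word after the threat name, and the third, non-detection sample line are this example's own assumptions and constructed data.

```python
"""Normalize two anti-malware log formats into one record and cross-check them.

Added example, not code from the Mischel forum, TrojanHunter or ESET. The
patterns are derived from the two log lines quoted in the thread; everything
else (field names, the category/action split, the status line) is assumed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample log: lines 1 and 2 reproduce the NOD32 and TrojanHunter
# lines quoted in the thread; line 3 is a constructed non-detection line that
# the parser must ignore.
SAMPLE_LINES = [
    r"6/11/2008 8:40:01 AM Real-time file system protection file C:\Program Files\PDM\PDM.exe a variant of Win32/KeyLogger.Ardamax application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\TrojanHunter 5.0\TrojanHunter.exe.",
    r"Found trojan file: C:\Program Files\PDM\PDM.006 (Monitor.Ardamax.171)",
    "Scan finished: 0 errors (constructed status line, not a detection)",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)

# NOD32 real-time protection event. Windows paths contain spaces, so the
# threat name in ESET's <platform>/<family> form is the anchor that ends the
# path, and the user field (which may itself contain a space) ends the action.
NOD32_RE = re.compile(
    r"^(?P<timestamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<module>.+) file (?P<path>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+) "
    r"(?P<outcome>.+?) "
    r"(?P<user>NT AUTHORITY\\SYSTEM|\S+\\\S+) "
    r"Event occurred during an attempt to access the file by the application: "
    r"(?P<accessor>.+?)\.?$"
)

# TrojanHunter scanner report line: path, then the rule name in parentheses.
TH_RE = re.compile(r"^Found trojan file: (?P<path>.+) \((?P<threat>[^()]+)\)$")


@dataclass
class Detection:
    product: str
    path: str
    threat: str
    action: str                        # what the product did; "reported" for scan-only lines
    timestamp: Optional[datetime] = None
    category: Optional[str] = None     # assumed: ESET's type word, e.g. "application"
    accessor: Optional[str] = None     # process whose file access triggered the hit


def parse_line(line: str) -> Optional[Detection]:
    """Return a Detection for a recognised line, None for anything else."""
    line = line.strip()
    m = NOD32_RE.match(line)
    if m:
        # Assumption: first word after the threat is the category, rest is the action.
        category, _, action = m["outcome"].partition(" ")
        return Detection(
            product="NOD32",
            path=m["path"],
            threat=m["threat"],
            action=action,
            timestamp=datetime.strptime(m["timestamp"], "%m/%d/%Y %I:%M:%S %p"),
            category=category,
            accessor=m["accessor"],
        )
    m = TH_RE.match(line)
    if m:
        return Detection(product="TrojanHunter", path=m["path"],
                         threat=m["threat"], action="reported")
    return None


def parse_log(text: str) -> list[Detection]:
    """Parse every line, dropping the ones that are not detections."""
    return [d for d in map(parse_line, text.splitlines()) if d is not None]


def family_tokens(threat: str) -> set[str]:
    """Split a vendor threat name into lower-cased name parts, dropping
    variant counters: 'Monitor.Ardamax.171' -> {'monitor', 'ardamax'}."""
    name = threat.replace("a variant of ", "").replace("probably ", "")
    return {t.lower() for t in re.split(r"[/.\s]+", name) if t and not t.isdigit()}


def correlate(detections: list[Detection]) -> dict[str, dict[str, set[str]]]:
    """Group hits by directory (case-insensitive). For each directory report
    which products flagged it and which family tokens all of them agree on,
    so one vendor's verdict can be checked against another's."""
    by_dir: dict[str, list[Detection]] = {}
    for d in detections:
        directory = d.path.rsplit("\\", 1)[0].lower()
        by_dir.setdefault(directory, []).append(d)
    result: dict[str, dict[str, set[str]]] = {}
    for directory, hits in by_dir.items():
        result[directory] = {
            "products": {h.product for h in hits},
            "common_family": set.intersection(*(family_tokens(h.threat) for h in hits)),
        }
    return result


if __name__ == "__main__":
    for d in parse_log(SAMPLE_LOG):
        print(d)
    print(correlate(parse_log(SAMPLE_LOG)))
```

Run on the sample, the two quoted lines collapse into records for the same `C:\Program Files\PDM` directory, flagged by both NOD32 and TrojanHunter with `ardamax` as the family both names share; the constructed status line is skipped. The NOD32 record also carries the accessor field, which is what tells you in the thread that it was TrojanHunter's own scan reading `PDM.exe` that triggered NOD32's real-time hit rather than TrojanHunter detecting anything itself.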