   Mischel Internet Security Forum
   Malware
   Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
   How to create a new TH's rule ?
   Author  Topic: How to create a new TH's rule ?  (Read 589 times)
mozar
How to create a new TH's rule ?
« on: Jul 12th, 2002, 2:26pm »
Hello,

I have never created a new rule with TrojanHunter; would someone show me what I have to do?
For example, how to create a new rule if there did exist a new trojan variation like this:

"SubSeven.backdoor.v21G"?

Thank you all,
mozar
Jamming
Remember when a Trojan was just for protection.

   


Re: How to create a new TH's rule ?
« Reply #1 on: Jul 12th, 2002, 9:16pm »
Sorry Mozar, you're not cleared for that yet, you're only a junior member [wink]

VampireInfo should take this one; I confuse myself when I try to explain it. Try contacting him or maybe Magnus. If worse comes to worse, I'll try to explain it.

But you will be [huh] [roll eyes] [shocked]

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster
mozar
Re: How to create a new TH's rule ?
« Reply #2 on: Jul 12th, 2002, 9:37pm »
Hello Jamming,

I think that, in this case, it is better to use only TH's standard rules.set.
I was thinking that it was much easier than creating rules for FWS (just include the name of the new trojan > click > confirm > done) without searching for protocols, ports, place of the rules, etc.
And Vampirefo has just finished helping me a lot in a false positive case (not with TH, another app). Imagine, Jamming, Vampirefo has just finished with that anonymous/Gloria/Glorie's case; he deserves a rest.

Regards,
mozar
Jamming
Re: How to create a new TH's rule ?
« Reply #3 on: Jul 13th, 2002, 9:16am »
Only five more posts, Mozar, and you're cleared for the knowledge [wink] If you want I can try it. Did you try looking at the older threads? I believe there is one in there where Vamp and I discuss the process. I haven't experimented with my own trojan detection that much; I used it to detect some process starting on my machine, I used it as a tool to do some things not standard. Vampire has spent much more time making trojan rules.
mozar
Re: How to create a new TH's rule ?
« Reply #4 on: Jul 13th, 2002, 1:29pm »
Jamming,

I think that with my present verbosity I will get full status before the day finishes. Is it true that full members have access to a special, exclusive, politically incorrect free and extra-password protected Forum?
Concerning TH's rules, I think it is better to learn them in the future; I really do not need them now. I have used four ATs until today; TH is the only one that has never given me a false positive.

See you at the X Forum soon,

mozar
Jamming
Re: How to create a new TH's rule ?
« Reply #5 on: Jul 13th, 2002, 5:31pm »
I can neither confirm nor deny the ultra-secret really cool forum that might or might not exist for full members. [cool] Maybe we should work on a FAQ for creating rules and give it to Magnus though.
vampirefo1
Re: How to create a new TH's rule ?
« Reply #6 on: Jul 14th, 2002, 4:30am »
Hi Mozar & Jamming,

Yes, I have written a few rules; I like having this powerful option. The first thing to do is read the help file. Magnus did a pretty good job with it; read the working with rules section, it should help you a lot.

Then you need to practice. I first started out using the well-known firewall exploits Tooleaky, and so on; these are safe programs to use to get used to rule writing.

1. Name your Trojan.
2. File rule - Is the simplest rule to make: click the tab, find the Trojan and fingerprint it.
3. Process rule - Well, to be able to make this rule the Trojan needs to be active. Find the Trojan running in memory, then fingerprint it. The rest of the rules require the Trojan to have been activated.
4. Port rule - Your firewall helps here; just copy the port number from your firewall ("xx wants to connect to port ?").
5. Registry rule - Just copy what changes the Trojan made in your registry, and add a rule for it.
6. Inifile rule - Copy any changes made here also and make a rule for that as well, if any changes were made.
7. Practice with those well-known firewall exploits; you can easily make a file rule and process rule with them, and you are in no danger.
 
 
 
 

TrojanHunter Stands for privacy !!!!!!!!!!!




Companies would rather lose you as a customer than fix the problem
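
The five rule types listed in the post above, sketched as an added example that is not part of the thread and is not TrojanHunter's own rule format. It assumes SHA-256 as the fingerprint and uses a constructed sample, rule name, port and host snapshots; it also shows why a port match alone only warrants review.

```python
import configparser
import hashlib

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = b"MZ constructed leak-test binary"  # constructed bytes, not a real program

def fingerprint(data: bytes) -> str:
    # Assumption: SHA-256 stands in for the scanner's own fingerprint algorithm.
    return hashlib.sha256(data).hexdigest()

RULE = {  # hypothetical rule: one indicator per rule type named in the post
    "name": "Example.LeakTest",
    "file": fingerprint(SAMPLE),
    "process": fingerprint(SAMPLE),
    "port": 40404,
    "registry": (RUN_KEY, "leaktest"),
    "inifile": ("windows", "run", "leaktest.exe"),
}

# Constructed snapshots: a host that ran the test program, and an unrelated
# host where a different program happens to listen on the same port.
ACTIVE = {
    "files": {r"C:\test\leaktest.exe": SAMPLE},
    "processes": {"leaktest.exe": SAMPLE},
    "listening_ports": {135, 40404},
    "registry": {(RUN_KEY, "leaktest")},
    "ini": "[windows]\nrun=leaktest.exe\n",
}
UNRELATED = {"files": {r"C:\app\server.exe": b"other program"}, "processes": {},
             "listening_ports": {40404}, "registry": set(), "ini": "[windows]\nrun=\n"}

def match_rule(rule, snap):
    """Return the rule types that match the snapshot, in the post's order."""
    ini = configparser.ConfigParser()
    ini.read_string(snap["ini"])
    section, key, value = rule["inifile"]
    checks = [
        ("file", any(fingerprint(d) == rule["file"] for d in snap["files"].values())),
        ("process", any(fingerprint(d) == rule["process"] for d in snap["processes"].values())),
        ("port", rule["port"] in snap["listening_ports"]),
        ("registry", rule["registry"] in snap["registry"]),
        ("inifile", ini.get(section, key, fallback="").lower() == value),
    ]
    return [kind for kind, hit in checks if hit]

def verdict(hits):
    # A fingerprint identifies the binary itself; the other types only record
    # side effects that an unrelated program can share, so they need review.
    if "file" in hits or "process" in hits:
        return "detected"
    return "review" if hits else "clean"
```
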
mozar
Re: How to create a new TH's rule ?
« Reply #7 on: Jul 14th, 2002, 1:24pm »
Thank you, Vampirefo.

I have copied your instructions (for future use). I think it is better for me now just to fully understand how to create rules for my "LOOKnSTOP" fw.

Regards,
mozar