   Edited a Common Trojan & Got past TH!!!!
cavileer
Newbie
Edited a Common Trojan & Got past TH!!!!
« on: Aug 23rd, 2002, 8:15am »
Hello all, I was wondering if anyone could shed some light on my disturbing experiment.  I took a common trojan, Optix PRO v1.1, then I ran it through a program called "Stealth".  I used Stealth to pack the trojan server, then to scramble it to make its signature harder to detect.  I then copied the new packed & scrambled Optix trojan to my C drive.  Norton AV 2002 did not catch it, The Cleaner with the newest signatures didn't catch it, NOD32 didn't catch it and, most disturbingly, TROJAN HUNTER did not recognize it as a trojan!!!!  I realize I did not execute the file, so I understand it did not change any memory processes or registry entries, but still I found this to be most disturbing.  If anyone can shed some light on this for me I would much appreciate it.  There was one anti-trojan that did correctly identify it, but I am not here to advertise.  I like the looks of TH and am considering purchasing it because of its great support.  Please, if you can, explain why it missed this common trojan.
 
Thanks,
Cavileer
Magnus
Administrator
Re: Edited a Common Trojan & Got past TH!!!!
« Reply #1 on: Aug 23rd, 2002, 10:48am »
Hi cavileer,
 
I can almost guarantee that TrojanHunter Guard would catch the trojan if you were to execute it. If you want me to verify that this is the case, then you can simply e-mail the trojan to submit@trojanhunter.com . TrojanHunter Guard is there to catch *all* packed versions of a trojan. If you are relying on file scanning, as may be the case with other scanners, you are running the risk that a packer will not be included in the scan engine, and thus the trojan would be missed if packed with that packer.
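The distinction Magnus draws, between a file scan that has to recognise the packer and a scan of the image as it exists once the program runs, as an added illustration that is not code from this thread or from TrojanHunter. zlib compression followed by a byte XOR stands in for the "pack then scramble" step, and the marker string is a constructed stand-in for a detection signature:

```python
import zlib

# Constructed stand-in for a detection signature: the byte string a file
# scanner would look for inside the unpacked trojan body (not a real signature).
SIGNATURE = b"OPTIX-STAND-IN-MARKER"
XOR_KEY = 0x5A  # the post's "scramble" step, assumed here to be a fixed byte XOR after compression

def build_sample_body():
    """Constructed stand-in for an unpacked server executable that contains the marker."""
    return b"\x00" * 64 + b"MZ stub " + SIGNATURE + b" trailing code " + b"\xff" * 64

def pack(body):
    """Stand-in packer: compress, then XOR every byte, so the on-disk bytes share
    nothing with the original image that a byte signature could match on."""
    compressed = zlib.compress(body, 9)
    return b"PACKED" + bytes(b ^ XOR_KEY for b in compressed)

def unpack(packed):
    """What the packer's loader stub does at run time, and therefore what a
    memory scanner sees once the process is running."""
    if not packed.startswith(b"PACKED"):
        raise ValueError("not a packed image")
    scrambled = packed[len(b"PACKED"):]
    return zlib.decompress(bytes(b ^ XOR_KEY for b in scrambled))

def file_scan(data):
    """On-disk signature scan with no support for this packer: the marker must be literally present."""
    return SIGNATURE in data

def memory_scan(packed):
    """Scan of the restored image, as at execution: unpack first, then match."""
    return SIGNATURE in unpack(packed)

def demo():
    body = build_sample_body()
    packed = pack(body)
    return {
        "file_scan_unpacked": file_scan(body),      # plain server: detected
        "file_scan_packed": file_scan(packed),      # packed copy on disk: missed
        "memory_scan_packed": memory_scan(packed),  # restored image: detected again
    }

if __name__ == "__main__":
    for check, hit in demo().items():
        print(f"{check}: {'detected' if hit else 'missed'}")
```

A scanner that knows a given packer can undo it on disk; a scanner that does not is in the position of file_scan on the packed copy, which is why a scan of the running image is the fallback that does not depend on the packer list.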
Magnus
Administrator
Re: Edited a Common Trojan & Got past TH!!!!
« Reply #2 on: Aug 23rd, 2002, 4:08pm »
I've finished analyzing the trojan, and it is indeed detected by TrojanHunter - see images below. The trojan has been configured to copy itself to the Windows system directory as "Security.exe". It also opens port TCP 35000 for client communication which is also detected by TrojanHunter Scanner (though with the trojan name as Infector since it's the default Infector port).  
 
Had you been using another trojan scanner and used a packer that it couldn't handle (most handle only UPX), then you would probably have been out of luck, as most only do file scanning. The philosophy of TrojanHunter is to detect a trojan in every place possible, and in this case you get three indications that you have a trojan on your system (registry "shell spawn" notification, open port and memory scanning).
 


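The registry and open-port indications listed above, plus the dropped-file name from the same post, turned into defender-side check logic over constructed sample data (an added example, not TrojanHunter's code; the screenshots are not on the page). It assumes that "shell spawn" refers to the HKCR\exefile\shell\open\command value, whose stock data is "%1" %*, and it uses the file name and port the post states:

```python
import ntpath
import re

# Constructed sample inputs standing in for what a host check would collect.
# They are made up for this example, not taken from the post's screenshots.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:35000          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       192.168.1.1:80         ESTABLISHED
"""
# Assumption: the "shell spawn" notification refers to HKCR\exefile\shell\open\command.
# Its stock data is "%1" %*; anything placed in front of it runs before every .exe launched.
SAMPLE_EXEFILE_COMMAND = r'C:\WINNT\System32\Security.exe "%1" %*'
SAMPLE_SYSTEM_DIR = r"C:\WINNT\System32"
SAMPLE_SYSTEM_DIR_LISTING = ["kernel32.dll", "Security.exe", "notepad.exe"]

TROJAN_FILE_NAME = "security.exe"   # name the server copies itself under, per the post
TROJAN_PORT = 35000                 # client port named in the post (the Infector default)
STOCK_EXEFILE_COMMAND = '"%1" %*'

def listening_ports(netstat_text):
    """Ports in LISTENING state, parsed from netstat-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def shell_spawn_hijacker(command_value):
    """Return the program interposed in front of "%1", or None if the value is stock."""
    if command_value.strip() == STOCK_EXEFILE_COMMAND:
        return None
    return command_value.split('"%1"')[0].strip() or command_value.strip()

def dropped_file(system_dir, listing):
    """Full path of the trojan's copy in the system directory, or None if absent."""
    for name in listing:
        if name.lower() == TROJAN_FILE_NAME:
            return ntpath.join(system_dir, name)
    return None

def check_indicators(netstat_text, command_value, system_dir, listing):
    """Each indication is reported independently, so one is enough to raise an alert."""
    return {
        "port_35000_listening": TROJAN_PORT in listening_ports(netstat_text),
        "shell_spawn": shell_spawn_hijacker(command_value),
        "dropped_file": dropped_file(system_dir, listing),
    }
```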
cavileer
Newbie
Re: Edited a Common Trojan & Got past TH!!!!
« Reply #3 on: Aug 23rd, 2002, 6:51pm »
Magnus, well done.  I was just wanting to run some of my own tests after that bogus review not too long ago.  I should have known better than to doubt TH!  Thanks for your help in clearing up this experiment.  Your explanation makes great sense and that's what I like about TH!  However, what value, if any, do you place on identifying a trojan before it gets executed?  Is it possible that some trojans, once executed, make irreversible changes to system settings?
 
 
Peace,  
JC
Tuulilapsi
Guest

Re: Edited a Common Trojan & Got past TH!!!!
« Reply #4 on: Aug 23rd, 2002, 9:50pm »
Everything can be reversed or at least killed by doing a full format of the hard drive, so no trojan is all-powerful.
 
Also, if you have TH Guard on, and set to "Automatically remove trojans", it will kill the process IMMEDIATELY upon detection, and the trojan won't have the chance to change your settings. (The first thing a trojan does is try to make itself load automatically on Windows startup, so that it can actually work.) Magnus has an excellent product here if you ask me.
maxqnz
Newbie
Re: Edited a Common Trojan & Got past TH!!!!
« Reply #5 on: Sep 16th, 2002, 9:43pm »
on Aug 23rd, 2002, 9:50pm, Tuulilapsi wrote:
> Everything can be reversed or at least killed by doing a full format of the hard drive, so no trojan is all-powerful.

A drastic medicine to be sure.

> Magnus has an excellent product here if you ask me.

Definitely! I was badly let down by my last AT app., The Cleaner, and am very glad to have found TH.