Security Basics mailing list archives
Re: Looking for a Trojan
From: Shreyas Zare <shreyas () technitium com>
Date: Wed, 21 Jan 2009 00:24:08 +0530
Hi,

Quite true, I am myself working on an anti-malware solution which combines a heuristic based approach with a signature based one. But the heuristic or behavior based approach can be bypassed, which makes implementing it difficult. Generally new malware with a slight change from a previous one can go undetected by major AVs. There is a feeling thus that AV is of no use to guard against the new threats that emerge every day.

Regards,

On Wed, Jan 21, 2009 at 12:04 AM, TheM . <them.root () gmail com> wrote:

Heya

Actually, from what I remember of research on AVs, that is only partly correct. AV software does mainly work on a signature basis, meaning that if the trojan is old, then AV software should be able to identify it based on a hash of its file. However, I seem to remember that more recently there is also a trend to have heuristic based checking done by modern, commercial AVs (I don't think ClamAV does this, but I'm pretty sure that Norton/AVG/etc. do, and I also know that the Comodo security suite has heuristic based protection of resources: it attempts to detect reads/writes, etc. and allows/denies them), meaning that if the trojan is too blunt in its behavior, even if it is new, it will still probably be detected. Examples include accessing certain computer resources or "acting like a trojan". Even if you recompiled an older open source trojan with a polymorphic compiler (meaning the new executable would have a different hash than the original), it would still probably be detected upon running unless you made some substantial modifications or it had some other way around the heuristics. It's definitely possible to program around these heuristics, because like any rule of thumb, they only sometimes work (and are weaker than they could be, to limit false positives).

However, if you have local access and are installing it, what's stopping you from running a script that -will- get detected, allowing it, having it disable the AV, and then installing the trojan? You could even automate editing out the AV logs once you've disabled the AV. Although not knowing which software is a bit of a challenge, you could probably just write it so that it checks for all the major brands/etc. You -have- local access, you can pretty much do whatever the hell you want, no?

Regards,
Everett Maus

On Tue, Jan 20, 2009 at 7:50 AM, Shreyas Zare <shreyas () technitium com> wrote:

Hi,

AV software can only detect the virus/trojan it has a definition for. So the argument that an old trojan can be detected by an updated AV can be said to be true with the assumption that, since the trojan is old, it would have been sampled by AV companies and most AV software have it in the definition database. So, if you get a new trojan which is just days old, then not many AVs (or even none) would detect it.

Regards,

On Mon, Jan 19, 2009 at 10:48 PM, Juan B <juanbabi () yahoo com> wrote:

Hi,

I got myself into an argument with a colleague of mine about trojans. He says that nowadays all old trojans can be detected as long as the AV software is updated; I need to show him he is wrong. I am looking for a Trojan or rootkit to be installed locally on a virtual machine running XP. The machine has AV software and it will be accessed via the internet. I need the Trojan to supply me screenshots of the victim computer, maybe to send them to an e-mail address etc. The trojan will need to disable the AV software (which I don't know which version is installed) or just avoid detection by the AV software. I know that trojans like SubSeven, Back Orifice etc. will be detected immediately by AV software so they don't help much. Does someone know of such a trojan/RAT?

Thanks a lot!
Juan

--
("Computers have a strange habit of doing what you say, not what you mean." - SANS Top 25 Most Dangerous Programming Errors)
Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com
..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com
Join Sci-Tech News group and get the latest science & technology news in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news to join.
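The signature-versus-heuristic point argued in the thread, as an added example that is not part of any message above: a toy scanner in Python that runs an exact file-hash signature, a ClamAV-style byte-pattern body signature and a crude capability-string heuristic over a constructed sample and over a variant that differs from it by a single appended byte (the effect a recompile or repack has on the file hash). The sample bytes, signature names, marker strings and threshold are all constructed for illustration.

```python
import hashlib

# Constructed sample "binaries": a trojan-like blob and a variant with one
# appended byte, standing in for what a recompile does to the file hash.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 12
            + b"BitBlt\x00screenshot.bmp\x00smtp.example.test\x00")
VARIANT = ORIGINAL + b"\x00"

# Signature database in two styles: a whole-file SHA-256 (exact match only)
# and a body byte pattern that matches wherever those bytes occur.
HASH_SIGNATURES = {hashlib.sha256(ORIGINAL).hexdigest(): "Trojan.Sample.Hash"}
PATTERN_SIGNATURES = {"Trojan.Sample.Body": b"screenshot.bmp\x00smtp."}

# Static stand-in for a behaviour heuristic: count capability strings
# (screen capture, e-mailing data) and alert only above a threshold, which
# is how real products trade detection against false positives.
HEURISTIC_MARKERS = [b"BitBlt", b"screenshot", b"smtp."]
HEURISTIC_THRESHOLD = 2


def hash_scan(data: bytes):
    """Exact-hash lookup: any byte change in the file defeats it."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def pattern_scan(data: bytes):
    """Body-pattern lookup: survives padding and recompiles that keep the bytes."""
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def heuristic_scan(data: bytes):
    """Return (verdict, score); verdict is None below the threshold."""
    score = sum(1 for marker in HEURISTIC_MARKERS if marker in data)
    return ("Heur.Suspicious" if score >= HEURISTIC_THRESHOLD else None, score)


def scan(data: bytes) -> dict:
    """Run all three detectors and report which ones fire."""
    verdict, score = heuristic_scan(data)
    return {"hash": hash_scan(data), "pattern": pattern_scan(data),
            "heuristic": verdict, "score": score}


if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT)):
        print(label, scan(sample))
```

Running it shows the hash signature firing only on the untouched original while the pattern signature and the heuristic fire on both, and a benign buffer with a single marker (one mail string, say) stays below the threshold.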