Re: Looking for a Trojan

[Shreyas Zare <shreyas () technitium com>]

Hi,

Quite true, I am myself working on an anti-malware solution which
combines heuristic based approach with signature based. But heuristic
or behavior based approach can be bypassed which makes implementing
them difficult. Generally new malware with slight change in previous
one can go undetected by major AV. There is a feeling thus that AV is
of no use to guard against new threats that emerge everyday.

Regards,

On Wed, Jan 21, 2009 at 12:04 AM, TheM . <them.root () gmail com> wrote:
> Heya
>
> Actually, from what I remember of research on AVs, that is only partly
> correct.
>
> AV Software does mainly work on a signature basis, meaning that if the
> trojan is old, then AV software should be able to identify it based on a
> hash of its file.  However, I seem to remember that more recently there is
> also a trend to have heuristic based checking done by modern, commercial AVs
> (I don't think clamAV does this, but I'm pretty sure that Norton/AVG/etc.
> do, and I also know that Comodo security suite has heuristic based
> protection of resources:  it attempts to detect read/writes, etc. and
> allow/denies it), meaning that if the trojan is too blunt in its behavior,
> even if it is new, it will still probably be detected.  Examples include
> accessing certain computer resources or "acting like a trojan".  Even if you
> recompiled an older open source trojan with a polymorphic compiler (meaning
> the new executable would have a different hash than the original), it would
> still probably be detected upon running unless you made some substantial
> modifications or if it had some other way around the heuristics.  It's
> definitely possible to program around these heuristics, because like any
> rule of thumb, they only sometimes work (and are weaker than they could be,
> to limit false positives).
>
> However, if you have local access and are installing it, what's stopping you
> from running a script that -will- get detected, allowing it, having it
> disable the AV, and then installing the trojan?  You could even automate
> editing out the AV logs once you've disabled the AV.  Although not knowing
> which software is a bit of a challenge, you could probably just write it so
> that it checks for all the major brands/etc.  You -have- local access, you
> can pretty much do whatever the hell you want, no?
>
> Regards,
> Everett Maus
>
> On Tue, Jan 20, 2009 at 7:50 AM, Shreyas Zare <shreyas () technitium com>
> wrote:
> > Hi,
> >
> > AV software can only detect the virus/trojan it has definition for. So
> > the argument that old trojan can be detected by updated AV can be said
> > true with an assumption that since the trojan is old its would have
> > been sampled by AV companies and most of AV software have it in the
> > defination database. So, if u get a new trojan which is just days old
> > then many AV (or even none) would detect it.
> >
> > Regards,
> >
> > On Mon, Jan 19, 2009 at 10:48 PM, Juan B <juanbabi () yahoo com> wrote:
> > > Hi,
> > >
> > > I got myself into an argument with a colleague of mine about trojans, he
> > > says that now days all old trojans can be detected as long as the AV
> > > software is updated, I need to show him he is wrong.
> > > I am looking for a Trojan or rootkit to be installed locally on a
> > > virutal machine ruining Xp. the machine has AV software and It will be
> > > accessed via the internet. I need the Trojan to supply me screenshots of the
> > > victim computer,maybe to send them to an E mail address etc.. the trojan
> > > will need to disable the AV software (which I dont know which version is
> > > installed) or just avoid detection by the AV software, I know that trojans
> > > like subseven Backorfice etc will be detected immediately by AV software so
> > > they don't help much..
> > >
> > > someone knows of such a trojan /RAT ?
> > >
> > > thanks a lot !
> > >
> > > Juan
> >
> >
> >
> > --
> > ("Computers have a strange habit of doing what you say, not what you
> > mean." - SANS Top 25 Most Dangerous Programming Errors)
> >
> > Shreyas Zare
> > Co-Founder, Technitium
> > eMail: shreyas () technitium com
> >
> > ..::< The Technitium Team >::..
> > Visit us at www.technitium.com
> > Contact us at theteam () technitium com
> >
> > Join Sci-Tech News group and get the latest science & technology news
> > in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news
> > to join.



-- 
("Computers have a strange habit of doing what you say, not what you
mean." - SANS Top 25 Most Dangerous Programming Errors)

Shreyas Zare
Co-Founder, Technitium
eMail: shreyas () technitium com

..::< The Technitium Team >::..
Visit us at www.technitium.com
Contact us at theteam () technitium com

Join Sci-Tech News group and get the latest science & technology news
in your inbox. Visit http://tech.groups.yahoo.com/group/sci-tech-news
to join.