Re: Trojan detection in Security

Re: Trojan detection in Security http://www.dslreports.com/forum/r20026683 en Thu, 03 Dec 2009 13:20:59 EDT Thu, 03 Dec 2009 13:20:59 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20038972 Daniel :

said by Name Game

:

...but I guess the next step could be... tell em to get a MAC. :D

I don't think a MAC will help them in this case (unless he's worried someone's spoofing his friend), but perhaps a good system running OS X (a Mac) would improve things. ;)
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20038972 Thu, 21 Feb 2008 17:55:10 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20038937 Name Game : The decision process already started in the first post by the OP's friend to clean it off..and asked "Anyone know what this could (be) and how to get rid of it?"

So the best assumption would be 'it' is not the hard drive or the current load of software on it..but I guess the next step could be... tell em to get a MAC. :D
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20038937 Thu, 21 Feb 2008 17:49:28 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20038580 Daniel : Heh, guess what I found?

»Security »When should I re-format? How should I reinstall?

Some of my favorite quotes:

said by The DSLR FAQ on Reinstalling :

It is dangerous and incorrect assume that simply because one backdoor trojan has been removed from a computer that the computer is now secure.

said by The DSLR FAQ on Reinstalling :

The experts at CERT and SANS don't think an on-site team of certified trained and experienced professionals can reliably clean a system that has had a backdoor installed, up to the standards of everyday commercial and institutional use. So how can one expect to do that long distance?

said by The DSLR FAQ on Reinstalling :

Give them enough information about the risks to make their own informed decision. Let them decide based on what they use their computers for, their assessment of the risks, and their financial and technical resources, whether the re-format and re-install is actually done.

So let me rephrase my answer. If you have anything you care about on a computer, and you think you may have been infected with a trojan, you should reinstall.

Or, to put it another way, if you have NOTHING on your system that you care about, including what you plan on doing with the system in the future, don't bother.

So anyone want to guess what the OP will decide?
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20038580 Thu, 21 Feb 2008 16:51:10 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20038318 Name Game :

said by Daniel

:

Right, so if it's not a trojan you shouldn't reinstall. If it is, you should reinstall. I'm glad we had this talk. ;)

Me too..now let's go clean off a few trojans while you reformat..and don't forget the low level.. ;)

Tr. injector aka all-in-one (see s/shot) *Part detection and removal

*The exe and run entry in registry are detected and removed but the rootkit + archived copies of components held in seperate folders still remain cloaked and rootkit is still active
»img53.imageshack.us/img53/997/cs···eim0.jpg

»www.wilderssecurity.com/showthre···t=171437

»www.castlecops.com/t180887-Rootk···ved.html
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20038318 Thu, 21 Feb 2008 16:08:02 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20038176 Daniel : Right, so if it's not a trojan you shouldn't reinstall. If it is, you should reinstall. I'm glad we had this talk. ;)
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20038176 Thu, 21 Feb 2008 15:45:34 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20038095 Name Game : I 'reckon' it would not.. :Dsince he seems to already have a 'name' for itIt comes up as injecterx (tri)
..and you don't just pull those names out of your hat.
You have to use those "tools" you seem to be so against that popup and tell you there might be a bad boy on your system and it's name..so then you find out the real files it is calling out and you concentate on those..since many AV's find them in the temp or temp internet file.. system restore..or even in the uploaded sig. you get from other antimalware products..or even the quarantine folder of other AV products as they scan.. and it goes on and on..

Besides the fact that only this week and last..many of those Commerical AV and Antimalware products just added to their signature base a Trojan.Injector.S on a new bad boy..but unfortunately..many are calling it out wrong and its a false positive on legit files.

So again your assumptions are premature.

unless you would tell each one of these people who posted and started a thread here..

»Security Cleanup

to stop waisting everyones time..and go reinstall.

Trojans are not boogie men. Some of the best Security tools out there "walk and talk like a trojan"..but they have been Identified as useful and in some cases necessary.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20038095 Thu, 21 Feb 2008 15:33:38 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20037719 Daniel :

said by The Penguin

:

Acquaintance reckons he has a trojan on his pc that he cannot get rid of.

This seems pretty clear to me, NameGame. What part of it is ambiguous to you? Does it sound like they're not sure? Does it sound like minor adware?

Again, the best practice is reinstallation in this type of scenario. Go find me someone who does security for a living that disagrees.
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20037719 Thu, 21 Feb 2008 14:31:41 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20037568 Name Game :

said by Daniel

:

Well, we don't want to avoid giving someone the advice they need because it would be inconvenient. If someone is infected with a serious trojan we need to recommend reinstallation regardless of how uncomfortable that would be.

well there are about 50 threads like this one in the last 5 days here at DSLR Security Forum..so start posting in each your reformat/reinstall info in each :D :D
Since you assume the "if" before you understand the what?
That should take care of them all and no reason for them to even post in the first place. ;)
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20037568 Thu, 21 Feb 2008 14:07:03 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20036172 Daniel : Well, we don't want to avoid giving someone the advice they need because it would be inconvenient. If someone is infected with a serious trojan we need to recommend reinstallation regardless of how uncomfortable that would be.
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20036172 Thu, 21 Feb 2008 10:31:24 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20036054 Name Game :

said by Daniel

:

Well, yeah, I'm assuming it isn't a very simple WELL KNOWN piece of trivial adware. I'm saying if it's something invasive, and the odds are decent that a serious compromise was possible, it's best to reinstall. Seriously.

I am not against that action..far from it..but know that many home users do not have the ability to reformat reinstall since they lack the CD's or the knowledge to even start the process if the had the tools.

That we can thank the manufactures out there. :(
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20036054 Thu, 21 Feb 2008 10:10:35 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20036038 Name Game : The Penguin,
Ask your friend if possibly the trojan detected name is not really..TROJAN.INJECTOR.S.

This one seems to come up in many AV product scans and heuristics since 8 Feb..and many signaturebased AV are hitting many false positives on this..but more important..if you can get the names pf the files and loactions on the PC that are being called out this will help..All products that your friend is using have LOGS and that is where you will find the info.
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20036038 Thu, 21 Feb 2008 10:08:07 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20035906 Daniel : Well, yeah, I'm assuming it isn't a very simple WELL KNOWN piece of trivial adware. I'm saying if it's something invasive, and the odds are decent that a serious compromise was possible, it's best to reinstall. Seriously.
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20035906 Thu, 21 Feb 2008 09:42:56 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20035646 Name Game :

said by Daniel

said by The Penguin

:

Acquaintance reckons he has a trojan on his pc that he cannot get rid of.
It comes up as injecterx (tri)
Avast, AVG and Trojan Hunter find it but seemingly do not get rid of it. He has also run various spyware progs to no avail. I've done a google but can find no reference to it. Anyone know what this could and how to get rid of it?

Reinstall. Do not assume you can outsmart the person who got a trojan onto your system. Reinstall.

Suggest you become more acquainted with the Home Security Products out there and just what they are doing most of the time
»Kaspersky warns Screenshot Captor trojan

The trend is to call everything from popups and other types of malware or possible undesireable program a TROJAN since many seem to only think there are virus and trojans out there. To even assume that course of action would be to reformat/reinstall is reckless advice without first knowing more details.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20035646 Thu, 21 Feb 2008 08:46:39 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20035640 Cudni :

said by Daniel

:

Reinstall.

Why? There is no suffient info to advise that action. I'm sure that there might be some malware that is not detected and that some of the malware writers are more capable than some the analysts but those are only an exception to the rule. Those in non home environment have more resources at their disposal to combat malware

Cudni
--
"Mercifully, he hit him with the soft end of the pistol."
Help yourself so God can help you.
Microsoft MVP, 2006-2007]]> http://www.dslreports.com/forum/remark,20035640 Thu, 21 Feb 2008 08:45:07 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20034585 Daniel :

said by The Penguin

Reinstall. Do not assume you can outsmart the person who got a trojan onto your system. Reinstall.
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20034585 Thu, 21 Feb 2008 00:02:13 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20034571 Daniel :

said by Name Game

said by Daniel

:

If he did something foolish that could have resulted in a compromise then the best defense is to reinstall.

Trojan detection is a very weak thing right now. It's basically like this: if you find one using a tool, you have one. But if you don't find one it doesn't mean much of anything at all.

If in doubt, reinstall.

what is your advice if he finds one..reinstall ? Where did you get your info that trojan detection is weak. :D

I spend all day, every day, doing information security at a professional level, and to do this correctly you need to be a student of the game. A popular point of discussion is the constant struggle between those who write trojans and those who try and detect them. It's widely accepted by those in the field that modern trojans are extraordinarily difficult to detect, and that if you suspect you may have one you should reinstall.

I grow tired of reminding you and others that there is a whole world of security outside the home PC environment, and that if you continue to approach things from this perspective alone you will remain ignorant. If you choose to ignore the big picture then that's fine by me, but please stop being surprised and/or defensive when I try and raise awareness.
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20034571 Thu, 21 Feb 2008 00:00:35 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20031495 The Penguin : Thanks for the replies.
Well, he ran sergiwa but that didn't pick it up.
I've now forwarded the "SAS" link to him.
Siliconman, I think he does have the latest TH that picked it up, but I've suggested that he checks that he does.
--
Dances With Marmots]]> http://www.dslreports.com/forum/remark,20031495 Wed, 20 Feb 2008 15:37:09 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20028884 Bubba17 :

said by redwolfe_98

:

another program that they could try using would be "superantispyware" which has a good reputation for removing many malware-infections..

+1

SAS does (and repairs damage from) trojans. :)

To try, grab the free version, here: »www.superantispyware.com/superan···pro.html
--
"Fast is fine, but accuracy is everything" --Wyatt Earp]]> http://www.dslreports.com/forum/remark,20028884 Wed, 20 Feb 2008 08:31:51 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20028820 redwolfe_98 : it might help to try running scans in "safe mode"..

another program that they could try using would be "superantispyware" which has a good reputation for removing many malware-infections..

"trojan-injector" sounds like a "storm worm"/zhelatin infection, to me..

another tool that they could try using is "GMER", which is a rootkit scanner:

»www.gmer.net/index.php]]> http://www.dslreports.com/forum/remark,20028820 Wed, 20 Feb 2008 08:10:46 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20028609 ghost16825 :

said by Name Game

said by Daniel

In general, detection of a trojan implies a trojan is there (given 0% false positives). Non-detection of a trojan does not imply anything about the existence of a trojan. For all but the isolated case your preferred course of action should be to flatten and rebuild - that is, it should be the rule rather than the exception. By doing selective removal based on tool results you're basically saying: "I am smarter than the attacker; I know exactly how and when the attacker has changed my system and can restore the system to a known good state. (without wiping)." ]]> http://www.dslreports.com/forum/remark,20028609 Wed, 20 Feb 2008 06:42:54 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20028316 siliconman01 : The Penguin,

Have him/her run the LiveUpdate on TH5 to obtain the latest rulesets. Then reboot the computer into SAFE MODE and run a full scan with TH5 and let TH5 try to remove the infection. ]]> http://www.dslreports.com/forum/remark,20028316 Wed, 20 Feb 2008 02:16:16 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20028004 Name Game :

said by Daniel

what is your advice if he finds one..reinstall ? Where did you get your info that trojan detection is weak. :D

seems to me the op already stated a trojan was detected and three products call it out.

and this statement "But if you don't find one it doesn't mean much of anything at all."

Are you assuming that every system out there is infected ?
--
Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids »www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20028004 Wed, 20 Feb 2008 00:15:31 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20027869 Daniel : If he did something foolish that could have resulted in a compromise then the best defense is to reinstall.

Trojan detection is a very weak thing right now. It's basically like this: if you find one using a tool, you have one. But if you don't find one it doesn't mean much of anything at all.

If in doubt, reinstall.
--
dmiessler.com -- grep understanding knowledge]]> http://www.dslreports.com/forum/remark,20027869 Tue, 19 Feb 2008 23:41:38 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20027829 NanDog : Ah, glad to see you just popped in again!

I looked through the trojan lists on my copy of TH5 and didn't see anything in that ruleset that seemed similar to injecterx (tri).

It's aggravating that all the different anti-malware companies call things by different names!

Thanks for telling us that you'll keep us posted. :)

BTW, as a person who loves hiking and climbing in the PNW mountains, I love your sig line! :D
--
See ya across the Rainbow Bridge, my good and faithful friend!]]> http://www.dslreports.com/forum/remark,20027829 Tue, 19 Feb 2008 23:31:23 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20027784 The Penguin : Thanks Name Game and Nan Dog.
I've forwarded those links (sergiwa)to him and also another that I found with a google.
I'll post results when he gives an update.
--
Dances With Marmots]]> http://www.dslreports.com/forum/remark,20027784 Tue, 19 Feb 2008 23:20:50 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20026683 NanDog : Are you perhaps referring to something like Trojan.Injecter.x? A google will give you some hits on injecter trojans.
--
See ya across the Rainbow Bridge, my good and faithful friend!]]> http://www.dslreports.com/forum/remark,20026683 Tue, 19 Feb 2008 20:05:46 EDT Re: Trojan detection http://www.dslreports.com/forum/remark,20026600 Name Game : I am not familiar with that specific named trojan..but you might try this tool

iPMS - iSergiwa Portable Malware Scanner

»en.sergiwa.com/modules/mydownloa···hp?cid=2
and this one also

PRT Perlovga Removal Tool v1.0.2
»en.sergiwa.com/modules/mydownloa···=2&lid=4

If those AV's and Trojan Hunter finds it..can you give us the name of the files it finds that are infected..those would be in the logs of those products.

In any case you could also run those product in the safe mode and they might be able to clean it..

The tools I posted above also require cleaning in the safe mode..and of course some AV's finish that cleaning on a reboot.
--
Gladiator Security Forum »www.gladiator-antivirus.com/
Missing Kids
»www.missingkids.com/]]> http://www.dslreports.com/forum/remark,20026600 Tue, 19 Feb 2008 19:52:33 EDT Trojan detection http://www.dslreports.com/forum/remark,20025886 The Penguin : Acquaintance reckons he has a trojan on his pc that he cannot get rid of.
It comes up as injecterx (tri)
Avast, AVG and Trojan Hunter find it but seemingly do not get rid of it. He has also run various spyware progs to no avail. I've done a google but can find no reference to it. Anyone know what this could and how to get rid of it?
--
Dances With Marmots]]> http://www.dslreports.com/forum/remark,20025886 Tue, 19 Feb 2008 17:52:12 EDT