pchelp7 (Member, join:2001-03-05, Manson, WA) to eburger68

Re: Informal Trojan Detection Tests

said by eburger68:
said by pchelp:
What I would add to the testing first and foremost are two things:

1. A standard set of trojans numbering perhaps ten, chosen for their popularity and insofar as possible, for their variations in methods of stealth, etc.
Yep, I really do need to expand the set of trojans being tested. As this was the first test of this nature that I had run, I was more concerned with keeping things manageable and under control. Even with one trojan (and a handful of variants), things became quite complicated in a very short amount of time. It was a learning experience.
Yes, in fact the more I think about it, the more inclined I am to suggest something more like half that number of trojans.

Many of the hundreds of trojans floating about are closely similar to one another. A representative sample that includes several of the more widely-used while also including differing protocols, stealth tactics, etc., could probably be assembled; numbering perhaps five or six.

When one considers the number of combinations and permutations necessary for testing, it quickly becomes a problem as the number of trojans rises. Given several compression options, config and startup options, perhaps one or two droppers or installation strategies, tests of removal, etc., the numbers start reeling up. To test a dozen aspects of ten trojans requires 120 individual tests, each involving some preparation and followup.
said by eburger68:
I'm always open to suggestions for specific trojans to test (and for compression methods, etc.).
Certainly SubSeven, BioNet and BO2K. All popular, and each has aspects of stealth or behavior that make it important to test. SubSeven has options for startup, BioNet sabotages firewalls, BO2K hides from process monitors. Beyond that I'd want to look at the current field of candidates. It's always changing.

BTW, there are certain capabilities I have been expecting to see emerge in trojans for quite some time, most of which apparently haven't surfaced. For instance, I had expected more trojans to adopt the tactic of BO2K for foiling process monitors.
said by eburger68:
said by pchelp:
2. I would use a few well-defined methods to deliberately attempt to bypass the detection methods of the anti-trojan apps. In particular, wherever the trojan allowed it, I would configure for various restart methods _and for none at all_. (An intruder doesn't need to risk detection by placing an obvious entry in the "Run" key. He just needs the trojan server to start up and open up access for a few minutes. Once in, he can set up persistent execution however he wishes, while disabling or circumventing countermeasures at will.)
All excellent suggestions. Again, I'd be interested to hear a few ideas along these lines wrt specific trojans and bypass strategies.
As and when needed, I can certainly offer a list of such ideas.
said by eburger68:
said by pchelp:
Also, as ZZZZZZZ has pointed out, BOClean merits inclusion in the test.

Because BOClean is not a file scanner and operates in a different and more system-involved manner than other A-T apps, it often gets short shrift in comparison tests. It does its real work only when the trojan is actually executed, so it requires somewhat different testing methods. I think it deserves better consideration.
I am eager to try out BOClean, but there's no trial version available. Milly, over in the GRC groups, suggested approaching the BOClean folks about obtaining a trial version for testing purposes, but I haven't gotten around to it yet. I have heard good things about that app, though.
I'm acquainted with Kevin McAleavey, creator of BOClean, and I'm confident he'll be interested and cooperative. He's a very forthcoming and knowledgeable individual.
said by eburger68:
said by pchelp:
If you plan additional efforts along this line, Eric, I would be interested in helping out.

I anticipate doing another round of tests in a few weeks.
In mid-February I expect to be deposed in New Hampshire, where I may spend as much as a week. After my return to Washington State would be an ideal time for me.
said by eburger68:
(The start of the new semester is tomorrow, so I've got a few things on my plate before I can return to this issue.) As for apps to test, I've already identified ANTS and Trojan Hunter (two increasingly popular anti-trojan apps), McAfee Virus Scan and Norton AntiVirus (two widely used anti-virus apps), and AVG (a popular, free anti-virus app). I'm always open to other suggestions, of course.
All fine choices. I'd have recommended ANTS. Subjected to extensive testing and very widely used, McAfee and Norton are known quantities, and they'll serve as a virtual standard for comparison. The question in the minds of a large proportion of home users will be, "Will it really help to use additional forms of protection beyond [McAfee/Norton]?"
said by eburger68:
Truth be told, the biggest question on my mind at this point is the whole situation I described in the second memory scan test for AVP. I really would like to find out what kind of protection AVP Monitor would provide when a cracker or script kiddie attempted to connect to a server that had been loaded before AVP Monitor was started.
A very good question. If it's something AVP doesn't spot on a scan, I think there's not much hope. But if it is recognized - ?
eburger68 (Premium Member, join:2001-04-28)
pchelp:

You wrote:
said by pchelp:
In mid-February I expect to be deposed in New Hampshire, where I may spend as much as a week. After my return to Washington State would be an ideal time for me.

Thanks for all your insightful comments and suggestions. It'll take me a while to get the start of this new semester sorted out, but when I do get around to designing a new round of tests, I'll be in touch.

Best regards,

Eric L. Howes