
reply to Andreas Haak
Re: Trojan signature quality of certain AV products... Andreas, (Here we go again).
There's always going to be a signature somewhere in any trojan that can be modified to make it slip past the detection of any scanner (yours included); it just requires modifying a different area for each scanner (due to each scanner often having a signature in a different place), so can you please elaborate on what you're trying to prove in this thread? There's no difference between changing a couple of opcodes around and changing a text string - it's all just a couple of keystrokes in a hex editor. Yes, I agree with you that there is such a thing as 'signature quality' (i.e. not only to strongly detect the trojan, but also to avoid false positives, which is why automated signature selection must not be used - this is why we hand-select all of our signatures after performing a full analysis), but at the same time you can't make bulletproof signatures - give me any trojan, any scanner, and I'll hex-edit it so that it will no longer be detected.
Folks, don't be fooled by Andreas. He's been writing his own anti-trojan scanners for the last couple of years and is posting here telling you that various anti-trojan scanners are "vulnerable" to having trojans modified so that they can no longer be detected. WHAT HE ISN'T TELLING YOU is that _all_ scanners - his included - are equally 'vulnerable', so he's just shooting himself in the foot. Any trojan can be modified (often just with a hex editor, sometimes also with the assistance of a disassembler) so that it will be undetected by any anti-trojan scanner. Andreas simply chose a signature that he knew TDS was using so he can keep up with his monthly spate of attacks on TDS. I could easily modify any trojan so that it gets past any detection that Andreas's scanner has, and it would only take a matter of minutes, but I don't go around attacking his software in an effort to promote mine - some of us actually have business ethics, and even morals, things that gravely elude Andreas Haak. The simple fact of the matter is he wouldn't waste so much time, time and time again, month after month, year after year, attacking TDS if he didn't think it was a quality scanner that represented some sort of threat to his own scanner; otherwise he'd be doing something more constructive with his time - nobody else would bother wasting time on this, think about it.
Well, this thread has been a complete waste of everyone's time.
[text was edited by author 2003-08-19 10:41:05]
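Added illustration of the point argued in the post above (each scanner keys on a different byte region, so one hex edit inside that region defeats that scanner and not the others, and an over-generic signature trips on benign files). This is example code written for this page; it is not from the post's author, from TDS, or from any product named in the thread. The sample "trojan" bytes, the "benign" file, the three scanners and their signatures are all constructed and hypothetical.

```python
"""Toy byte-pattern scanner.

Shows: (1) a fixed signature is defeated by changing any byte it covers,
(2) each scanner's signature sits in a different region, so the edit that
evades one scanner leaves the others intact, (3) a too-generic signature
fires on unrelated benign data. All bytes below are constructed for this
illustration; nothing here is a real trojan or a real product's signature.
"""
from typing import Dict, List, Optional, Tuple

Signature = Tuple[str, bytes]  # (label, byte pattern)

# Constructed stand-in for a trojan: fake header, a few x86 instruction
# bytes, a status string. Offsets: prologue at 16, call at 22, string at 32.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12                    # fake DOS header
    + b"\x55\x8b\xec\x83\xec\x10"                   # push ebp / mov ebp,esp / sub esp,0x10
    + b"\x68\x39\x05\x00\x00\xe8\x00\x00\x00\x00"   # push 0x539 / call rel32 (placeholder)
    + b"Connecting to %s:%d\x00"                    # status string
    + b"\x00" * 8
)

# Constructed benign file that happens to share the common function prologue.
BENIGN = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"\x55\x8b\xec\x83\xec\x08"                   # push ebp / mov ebp,esp / sub esp,8
    + b"Hello, world\x00"
)

# Three hypothetical scanners, each keyed on a different region of SAMPLE.
SCANNERS: Dict[str, List[Signature]] = {
    "string_scanner": [("net_string", b"Connecting to %s:%d")],
    "opcode_scanner": [("prologue_sub10", b"\x55\x8b\xec\x83\xec\x10\x68\x39\x05")],
    "lazy_scanner":   [("prologue_only", b"\x55\x8b\xec")],   # far too generic
}


def scan(data: bytes, signatures: List[Signature]) -> List[str]:
    """Return the label of every signature whose bytes occur anywhere in data."""
    return [label for label, pattern in signatures if pattern in data]


def locate(data: bytes, pattern: bytes) -> Optional[int]:
    """Offset of the first occurrence of pattern in data, or None."""
    idx = data.find(pattern)
    return idx if idx >= 0 else None


def patch(data: bytes, offset: int, replacement: bytes) -> bytes:
    """Overwrite bytes at offset, exactly as a hex editor would."""
    end = offset + len(replacement)
    if offset < 0 or end > len(data):
        raise ValueError("patch out of range")
    return data[:offset] + replacement + data[end:]


def evade(data: bytes, pattern: bytes, position: int = -1) -> bytes:
    """Defeat one signature by flipping a single bit inside its span.

    Picking a byte whose change keeps the program working (a string
    character, an equivalent instruction encoding found with a
    disassembler) is the analyst's job; this toy just alters the byte at
    `position` within the matched span (default: the last one).
    """
    offset = locate(data, pattern)
    if offset is None:
        return data                           # signature not present, nothing to do
    target = offset + (position % len(pattern))
    return patch(data, target, bytes([data[target] ^ 0x01]))


def demo() -> Dict[str, Dict[str, List[str]]]:
    """For each scanner, build a variant that evades it, then re-scan that
    variant with every scanner. Also scan the benign file with all three.
    Returns: variant name -> scanner name -> matched labels."""
    results: Dict[str, Dict[str, List[str]]] = {}
    for name, sigs in SCANNERS.items():
        variant = SAMPLE
        for _, pattern in sigs:
            variant = evade(variant, pattern)
        results[f"evades_{name}"] = {s: scan(variant, SCANNERS[s]) for s in SCANNERS}
    results["benign"] = {s: scan(BENIGN, SCANNERS[s]) for s in SCANNERS}
    return results


if __name__ == "__main__":
    for variant, hits in demo().items():
        print(variant, hits)
```

Running it: the string-scanner variant changes one character of the status string and is still caught by both opcode-based scanners; the opcode-scanner variant changes one immediate byte and is still caught by the string scanner; the lazy scanner's three-byte prologue signature fires on the benign file, which is the false-positive side of "signature quality" the post refers to. Note also that evading the lazy scanner's signature evades the opcode scanner too, because the longer signature contains the shorter one: overlapping signature regions fall together.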