
Andreas Haak
Premium
join:2003-03-07
Austria

reply to Andreas Haak

Re: Trojan signature quality of certain AV product

Well Wayne,

It's way more difficult to patch code than to patch a simple string.

Of course you can circumvent any anti-* software if you know what it is searching for. But there is a big difference between changing the case of a letter and changing the code of the file.

You can make it easy for every script kiddie out there to circumvent your product, or you can make it as difficult as possible.

We can see you chose the more insecure but easier way for your product (as many others did, too) ...

--

Cause Wayne edited his posting, I just add my reply.

>Don't be fooled by Andreas. He's been writing his own
>anti-trojan scanners for the last couple of years and is
>posting here telling you that various anti-trojan scanners
>are "vulnerable" to having trojans modified so that they
>can no longer be detected.

Oh Wayne ... Is my English really that bad that you are unable to understand what I said? Again ...

This thread is about QUALITY OF SIGNATURES. High quality signatures have in fact 3 characteristics:

- They are NOT text based.
- They don't produce false positives.
- They are specific enough to ensure a correct cleaning.

Searching for a text string inside a file as a signature is in fact always the weakest signature. It's a fact that a human will first edit the human-readable parts of the nasty to make it undetected. Whether you want to believe it or not, it's a FACT.

I simply tried to show which programs use such weak signatures. McAfee, NAV, BitDefender, AntiVir and many more are using them, and TDS-3 uses such weak text-based signatures, too. I guess I can hardly compare it to other AT programs, cause TDS-3 is the only signature-based one. Most of the others use fingerprints.

I already said it. OF COURSE YOU CAN MAKE EVERYTHING UNDETECTED. You have to search for something, and if you know what a program is searching for, it's not a big deal to make it undetected. We had a similar discussion at this board in one of the Blaster remover threads.

But in fact disassembling and reassembling code, which is needed to circumvent a binary signature, is way more difficult than simply using the Search and Replace function of the hex editor of your choice.

I hope you agree at this point.

In fact high quality signatures are IMPORTANT. In fact script kiddies have given up searching for exotic packers or crypters to get past an anti-virus or anti-trojan program. They try to make their "toys" undetected using patches etc. And to make the creation of these patches as hard as possible, it's NECESSARY to add high quality signatures.

>WHAT HE ISN'T TELLING YOU is that _all_ scanners - his
>included - are equally 'vulnerable', so he's just shooting
>himself in the foot.

I said this several times inside the discussion. Perhaps you need some new glasses?

>Andreas simply chose a signature that he knew TDS was using
>so he can keep up with his monthly spate of attacks on TDS.

Nonsense. I described above why this one was chosen. Cause it was unpacked and detected by McAfee, NAV and TDS-3. I didn't want to waste time preparing a backdoor for every single program. In fact this test can be done with SubSeven, NetBus and many other widespread backdoors, too.

>I could easily modify any trojan so that it gets past any
>detection that Andreas's scanner has

In fact ANTS has been discontinued for several months (or even years) now. I can get viruses past Microsoft Anti-Virus that was shipped with MS-DOS 6.x, too. But nobody will be interested in this.

You simply don't want to understand, Wayne, and I can understand you. Showing how weak your signatures are and making your lies public is not good for your business ...

>a matter of minutes, but I don't go around attacking his
>software in an effort to promote mine - some of us actually

Where did I do any advertisement?

>attacking TDS if he didn't think it was a quality scanner
>that represented some sort of threat to his own scanner,

Who is sitting on a high horse now?

--
For when you love something that you can hardly ever obtain, something that seems unreachably far away, you become a little sad. You become a dreamer. Or you become a radical. Or a radical realizer of your dreams ...

[text was edited by author 2003-08-19 12:24:15]
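The following is an added example that is not part of the thread above and is not code from ANTS, TDS-3 or any other scanner named in it. It applies the three signature criteria from the post (not text-based, no false positives, specific enough for cleaning) to two constructed signatures and runs them over a constructed sample file and a variant whose only change is the letter case of a readable banner. The sample bytes, the banner and both signatures are invented for the demonstration; the false-positive criterion needs a clean-file corpus and is only represented here by a minimum-length check.

```python
import math
import string

# Bytes that count as "human readable": printable ASCII.
PRINTABLE = frozenset(string.printable.encode("ascii"))


def is_text_based(sig: bytes) -> bool:
    """True when every byte of the signature is printable ASCII, i.e. a text string."""
    return len(sig) > 0 and all(b in PRINTABLE for b in sig)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a rough measure of how distinctive a pattern is."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def assess(sig: bytes, min_len: int = 12) -> dict:
    """Rate one signature against the thread's criteria.

    'text_based' is the weakest kind (editable with a hex editor's search and
    replace); 'too_short' signatures risk false positives on unrelated files.
    min_len is an assumed threshold for this example, not a published rule.
    """
    return {
        "text_based": is_text_based(sig),
        "length": len(sig),
        "entropy": round(shannon_entropy(sig), 2),
        "too_short": len(sig) < min_len,
        "weak": is_text_based(sig) or len(sig) < min_len,
    }


def matches(sample: bytes, sig: bytes, case_insensitive: bool = False) -> bool:
    """Plain substring scan, optionally case-folded for ASCII text signatures."""
    if case_insensitive:
        return sig.lower() in sample.lower()
    return sig in sample


# Constructed sample "file": a fake header, a readable banner string and a
# run of bytes standing in for machine code. Nothing here is a real program.
BANNER = b"BackDoor Server v1.0 ready"
CODE = bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x40, 0x53, 0x56,
              0x57, 0x33, 0xDB, 0x8B, 0xF1, 0xE8, 0x12, 0x34])
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 8 + BANNER + b"\x00" + CODE

# The edit the thread describes: only the letter case of the banner changes,
# the code bytes are untouched.
VARIANT = ORIGINAL.replace(BANNER, BANNER.upper())

TEXT_SIG = b"BackDoor Server"   # text-based signature (constructed)
CODE_SIG = CODE[:12]            # signature taken from the code bytes (constructed)


def compare() -> dict:
    """Run both signatures over both files and return the detection matrix."""
    return {
        "text_sig_on_original": matches(ORIGINAL, TEXT_SIG),
        "text_sig_on_variant": matches(VARIANT, TEXT_SIG),
        "text_sig_on_variant_casefold": matches(VARIANT, TEXT_SIG, case_insensitive=True),
        "code_sig_on_original": matches(ORIGINAL, CODE_SIG),
        "code_sig_on_variant": matches(VARIANT, CODE_SIG),
    }


if __name__ == "__main__":
    for name, sig in (("text", TEXT_SIG), ("code", CODE_SIG)):
        print(name, assess(sig))
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The text signature detects the original file and is lost on the variant, while the code-byte signature detects both; case-folded matching recovers this particular variant but still rests on a readable string anyone can rewrite, which is why `assess()` flags every all-printable signature as weak regardless of length.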
