Author Topic: Trojan Hunter 3.0 fully compromised !  (Read 6209 times)


Johny23

  • Guest
Trojan Hunter 3.0 fully compromised !
« on: September 18, 2003, 08:38:57 AM »
Read the following paper (in the middle of page)

http://www.astalavista.com/trojans/library/trojans/misc/


After reading this > be smart and buy another AT.

Johny23

Hornus Continuum

  • Guest
Re:Trojan Hunter 3.0 fully compromised !
« Reply #1 on: September 25, 2003, 04:43:02 AM »
I followed the link in the previous post.  The article started me seeking information about ADS's, Alternate Data Streams.  For those that don't know, ADS's provide a means to attach additional content to a file on NTFS-formatted hard drives.  To see an example of this: select a file, bring up its Properties Box, and select the Summary tab.  The data for the fields listed there, such as Title, Keywords, Comments, and so on, are stored in an ADS named ?SummaryInformation.  (The '?' is an unprintable character.)  Another typical use is to attach a thumbnail to an image file.  As indicated, this content can be anything, text or binary.  Text content can be harmless, like the file attributes above, or it can be dangerous -- a malicious script; binary content can be something beneficial, for example an audio stream, or it can be a malicious ActiveX Control or executable.

Did you ever wonder why an NTFS-formatted disk has so many files with a zero-byte size?  The content in ADS's (there can be more than one) is attached to a file virtually invisibly.  The DIR command and Explorer only display the size of the file's main data stream, and they do not display the names of any ADS attached to a file.  Data can be added to a file by an ADS-aware application like Notepad, which can also be used to view and edit it if you know the name.  Once created, an ADS is unaffected by changes to the file such as editing, copying, moving, and renaming; the only way to eliminate it is to delete the file or move it to a FAT or FAT32 disk.  (There may be specialized tools available to rename or delete an ADS.)

avast! users will be happy to know that it is ADS-aware and can detect malware hidden in an ADS, but only under some circumstances.  I downloaded an EICAR test file (a 70-byte .com file), renamed it to StreamedEICAR_Test.txt, and moved the test virus into an ADS, replacing the original contents of the file with a description of my test.  I scanned the file using the Scan ... command from the Context Window in Explorer, and avast! alerted me to EICAR's presence.  avast! did not warn me when I opened the file for editing and saved it, but this was expected since I don't have avast! configured to scan text files upon opening or creating/modifying.  However, it is configured to scan batch files.  I made a copy of the file, changing the extension to .bat.  To make the new batch file execute without error, I added an @ECHO off command as the first line of the file, placed ECHO at the beginning of each line, and added a PAUSE command as the last line.  I then saved and ran it.  avast! scanned the file when I opened it for editing, when I saved it, and when I executed it; however, it did not detect the presence of the "virus."  But, when I scanned the file manually, avast! alerted.

Regards,
Hornus
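As an added example (not from this thread or from avast!, and Windows-only), a small PowerShell script that makes the hidden streams described above visible: it walks a directory and reports every stream other than the primary ::$DATA stream, so a zero-byte file carrying a large ADS stands out. It assumes PowerShell 3.0 or later (where Get-Item gained the -Stream parameter) on an NTFS volume.

```powershell
# Added example: list NTFS alternate data streams so they can be reviewed.
# Assumes PowerShell 3.0+ and an NTFS path; $Path and $Recurse are the script's own parameters.
param(
    [string]$Path = ".",
    [switch]$Recurse
)

$files = Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -ErrorAction SilentlyContinue

foreach ($f in $files) {
    # '-Stream *' returns one object per stream; ':$DATA' is the file's ordinary content,
    # which DIR and Explorer already show, so only the extra streams are reported.
    $extra = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
             Where-Object { $_.Stream -ne ':$DATA' }

    foreach ($s in $extra) {
        # Zone.Identifier is the "mark of the web" stream browsers attach to downloads;
        # it is common and usually harmless. Anything else deserves a look.
        $note = if ($s.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'REVIEW' }

        [pscustomobject]@{
            File       = $f.FullName
            MainBytes  = $f.Length      # what Explorer shows as the file size
            Stream     = $s.Stream      # name of the hidden stream
            StreamBytes = $s.Length     # size Explorer does not show
            Note       = $note
        }
    }
}

# To inspect a reported stream:  Get-Content -LiteralPath <file> -Stream <name>
# To delete one without touching the main file:  Remove-Item -LiteralPath <file> -Stream <name>
```

Run it against a folder of downloads or a suspect directory and pipe the output to Format-Table; a text file whose StreamBytes is far larger than its MainBytes is exactly the case described in the post above.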

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re:Trojan Hunter 3.0 fully compromised !
« Reply #2 on: September 25, 2003, 05:41:46 AM »
Quote
After reading this > be smart and buy another AT.
Quote

I would not buy Trojan Hunter 3.01, too! If, i would buy Trojan Hunter 3.7! :)
MfG Ralf

Waldo

  • Guest
Re:Trojan Hunter 3.0 fully compromised !
« Reply #3 on: September 25, 2003, 11:29:27 AM »
Quote
I would not buy Trojan Hunter 3.01, too! If, i would buy Trojan Hunter 3.7! :)
Quote

That's correct > the problems with 3.0 were solved a long time ago !

trojanhunter V3.7 or V3.6 is again one of the best around.

Waldo