Trojan horse Downloader.Generic.ML

Discussion in 'Computer Security' started by Ron Reaugh, Jun 15, 2005.

  1. Ron Reaugh

    Ron Reaugh Guest

    Wacko....a trojan is a penetration. It makes no difference if it's a wooden
    horse or a wolf in sheep's clothing.
    Did you plunk your magic plonker froggie?
     
    Ron Reaugh, Jun 21, 2005

  2. Ron Reaugh

    Ron Reaugh Guest


    That was a quote. Ask Zvi.
    Guess again.
     
    Ron Reaugh, Jun 21, 2005

  3. Ron Reaugh

    Ron Reaugh Guest

     
    Ron Reaugh, Jun 21, 2005
  4. Zvi Netiv

    Zvi Netiv Guest

    As the French say, "c'est le ton qui fait la musique". What I support is that
    AVG *alerted* you of *something*. Period. Fuzzier than your phrasing, and
    insufficient to declare the event as a true positive.
    "Nefarious" is your subjective interpretation, and as to "not benign", I may
    have contributed to this by telling what I found in the sample you sent. Yet
    what you seem to not understand is that there are quite well established rules
    as to what is a true, or false positive, in terminology used in these groups.
    Like it or not, you'll have to adapt to it if you want to be understood.
    I wouldn't call a thread with 120 posts a brush off, and as for your
    disappointment, blame yourself, as you didn't really provide much to chew on
    (the NULL sample was good, of course, but that isn't enough). You failed to
    produce the most important piece of information to resolve the case: The
    circumstances under which the NULL file is created.

    Regards, Zvi
     
    Zvi Netiv, Jun 21, 2005
  5. Zvi Netiv

    Zvi Netiv Guest

    Ron is quoting me, in message <>:

    After explaining why the flagging of C:\null by AVG as Qdown.s is a false
    positive, I added: "Lastly, the NULL file isn't benign from its content. But
    it isn't the real thing either, ..."

    In hindsight, I should have used "ambiguous" or "probably not innocent" rather
    than "not benign". What called for that observation is the cumulative weight of
    the following:

    - The sample contains explicit reference to a file named "NULL".

    - The sample contains reference to the Wininit procedure, in the same context.
    In early Windows versions this procedure was normally used to complete, during
    Windows startup, pending tasks that couldn't execute while Windows was still
    running, like software installation or removal.

    - There is reference to a DLL named QDOWAS2 in the sample. The similarity of
    the file name to Qdown, the Trojan that some scanners suggest it is, didn't seem
    accidental to me.
    I tend to agree with Ron, that the smoke is from a gun, but he failed to produce
    evidence that will help expose that gun. Without it, what we have is nothing
    more than the evidence that there were WMD in Iraq on the eve of the second Gulf
    War. What we need is info on what creates the NULL file and how, and the way to
    obtain it is by replicating its creation, under controlled conditions. Instead,
    Ron is wasting his time (and ours) in reiterating already exhausted evidence.

    For the moment, this thread is leading nowhere, and going in circles.

    Regards, Zvi
     
    Zvi Netiv, Jun 21, 2005
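Zvi's observations above come from looking at the printable strings in the sample and weighing them together rather than treating any one of them as a verdict. The script below is an added example of that triage step (it is not code from the thread, and the sample bytes are constructed, not the real C:\NULL file): it pulls ASCII and UTF-16LE strings out of a blob, matches them against the three indicators Zvi named (a "NULL" file name, a Wininit reference, a Qdow-like name), and only calls the result suspicious when more than one distinct indicator lines up. The indicator patterns and the two-indicator threshold are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Indicators reported in the thread; the regexes themselves are assumptions.
INDICATORS = {
    "null-file": re.compile(r"\bNULL\b", re.IGNORECASE),
    "wininit": re.compile(r"wininit(\.ini)?", re.IGNORECASE),
    "qdow-name": re.compile(r"qdow", re.IGNORECASE),
}

# Runs of 4+ printable bytes, like the classic `strings` tool, plus UTF-16LE runs.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


@dataclass
class Hit:
    offset: int
    encoding: str
    text: str
    indicator: str


def extract_strings(data: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in the blob."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def triage(data: bytes) -> List[Hit]:
    """Match each extracted string against the indicator list; keep every hit."""
    hits = []
    for offset, encoding, text in extract_strings(data):
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append(Hit(offset, encoding, text, name))
    return sorted(hits, key=lambda h: h.offset)


def verdict(hits: List[Hit]) -> str:
    """Cumulative weight, not a detection: two or more distinct indicators is
    'suspicious'; a single string on its own stays 'inconclusive'."""
    kinds = {h.indicator for h in hits}
    return "suspicious" if len(kinds) >= 2 else "inconclusive"


# Constructed sample: a fake MZ header, a NULL path, a WININIT.INI [rename]
# reference and a UTF-16LE DLL name, padded with zeros. Not the real file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"C:\\NULL\x00" + b"\x00" * 3
    + b"WININIT.INI\x00[rename]\x00" + b"\x00" * 4
    + "QDOWAS2.DLL".encode("utf-16le") + b"\x00\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    found = triage(SAMPLE)
    for h in found:
        print(f"{h.offset:#06x} {h.encoding:8} {h.indicator:10} {h.text}")
    print("verdict:", verdict(found))
```

The point of the threshold is the one Zvi makes: string hits are leads that tell you where to look (here, what writes the NULL file), not a true positive by themselves.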
  6. Ron Reaugh

    Ron Reaugh Guest


    NO, AVG is my expert. AVG flagged it. AVG may have detected virus like
    activity and/or now considers THAT file to be a nasty. AVG's report/flag IS
    the evidence.
    There is no evidence that AVG made an error. In fact all the evidence
    suggests that AVG performed admirably.
     
    Ron Reaugh, Jun 21, 2005
  7. Zvi Netiv

    Zvi Netiv Guest

    You certainly fooled me. I see now that I misunderstood your original post.
    Quoting from:

    "So where and how did this file C:\NULL that AVG claims is Trojan horse
    Downloader.Generic.ML appear from? Was it really there since 5/5 but went
    unnoticed ... OR did something penetrate all the firewalls and suddenly spawn
    this file ... What likely happened here?"

    Speaking of consistency and logic ... ;-)

    Regards, Zvi
     
    Zvi Netiv, Jun 21, 2005
  8. Ron Reaugh

    Ron Reaugh Guest

    Precisely, exactly. All that confirms my position from the beginning. All
    your posts seem to confirm the fact that there's substantial evidence that
    AVG reported at least the smoke of the smoking gun. Ergo the claim that
    there was some completely false positive report is grossly misleading. The
    evidence is that AVG reported a true positive.
     
    Ron Reaugh, Jun 21, 2005
  9. kurt wismer

    kurt wismer Guest

    not to the best of my knowledge, no...
    ??? we're talking about cracking wep security and thereby rendering all
    supposed 'encrypted' traffic easily viewed in plaintext form...
    if your wireless access point is using wep security then there's the
    vulnerability right there... does it allow a cracker to gain access to
    your system? perhaps not... does it allow a cracker to read all your
    network traffic in an unprotected form? yes, yes it does...

    not all security breaches result in system penetration...
     
    kurt wismer, Jun 22, 2005
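kurt's point that cracked WEP leaves "all supposed 'encrypted' traffic easily viewed in plaintext" rests on how WEP uses RC4: the per-frame keystream is RC4 seeded with a 24-bit IV (sent in the clear) followed by the shared key, so any two frames under the same IV share a keystream, and XORing their ciphertexts cancels it. The following is an added example (not code from the thread, and the key and frames are constructed sample data) that implements RC4, builds WEP-style frame bodies without the CRC-32 ICV, recovers one frame from another with a known plaintext once the IV repeats, and estimates how quickly a repeat happens on a 24-bit IV space.

```python
import math
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """RC4 key-scheduling algorithm: permute 0..255 under the key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 pseudo-random generation: n keystream bytes for this key."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: 3-byte IV in the clear, then RC4(IV || key) XOR plaintext.
    Real WEP also appends a CRC-32 ICV inside the encrypted part; omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor(rc4_keystream(iv + key, len(plaintext)), plaintext)


def recover_with_known_plaintext(frame_a: bytes, known_plain_a: bytes,
                                 frame_b: bytes) -> bytes:
    """Attacker knows the plaintext of frame A (ARP and DHCP headers are the
    classic source) and sees frame B under the same IV. No key needed:
    keystream = C_a XOR P_a, then P_b = C_b XOR keystream. Only as many bytes
    of B as there are known bytes of A can be recovered."""
    iv_a, ct_a = frame_a[:3], frame_a[3:]
    iv_b, ct_b = frame_b[:3], frame_b[3:]
    if iv_a != iv_b:
        raise ValueError("different IVs: no keystream reuse to exploit")
    keystream = xor(ct_a, known_plain_a)
    return xor(ct_b, keystream)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among
    `frames` random IVs drawn from 2**iv_bits. A busy AP sends this many
    frames in minutes, and many drivers reset the IV to 0 on start anyway."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))


# Constructed demo data: a 40-bit key, one reused IV, two frames.
KEY = bytes.fromhex("0123456789")
IV = b"\x00\x00\x01"
PLAIN_A = b"ARP request: who-has 192.168.1.1 tell 192.168.1.77"
PLAIN_B = b"GET /mail/inbox HTTP/1.0 Cookie: session=abc"
FRAME_A = wep_encrypt(KEY, IV, PLAIN_A)
FRAME_B = wep_encrypt(KEY, IV, PLAIN_B)

if __name__ == "__main__":
    print(recover_with_known_plaintext(FRAME_A, PLAIN_A, FRAME_B))
    print(f"P(IV repeat after 4823 frames) = {iv_collision_probability(4823):.3f}")
```

This is only the keystream-reuse half of the picture; the key-recovery attacks on WEP (FMS and its successors) exploit RC4 weak keys and need no plaintext at all, but even without them a repeated IV plus one guessable frame already exposes traffic the way kurt describes.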
  10. kurt wismer

    kurt wismer Guest

    while it's true that there isn't exact consensus on the definition of
    trojan, this isn't anywhere near where attempts at consensus were going...

    "trojan" is a short form of "trojan horse program"... therefore roger is
    correct to say that trojans are programs...
     
    kurt wismer, Jun 22, 2005
  11. kurt wismer

    kurt wismer Guest

    so data diddlers don't exist?
    what i said is technically correct... malware *can* make arbitrary
    changes - there may not yet be a malware instance that changes bytes X,
    Y, or Z in a file but there's nothing preventing one from being made...

    there is malware that corrupts and/or destroys data - you can contest the
    existence of such malware if you like, but you'd be tilting at windmills...
    actually, i don't think they are the same thing... i don't believe users
    are incapable of such, i believe they are unwilling...
    sophos used propaganda to justify being a less attractive option? that
    really doesn't make a whole lot of business sense... you (the general
    you) can't claim that action X can't be done satisfactorily so you won't
    do it and expect potential customers to accept that when most other
    vendors provide products that do perform action X...
    you can't recover overwritten objects merely from an integrity
    fingerprint...

    [snip]
    i was not pointing at you... i was merely stating a preference... while
    i can recall plenty of things you've said that i disagreed with, i can't
    recall you directly saying anything that was blatantly snake-oil...
    i'm afraid i'm not yet convinced of that...
     
    kurt wismer, Jun 22, 2005
  12. Zvi Netiv

    Zvi Netiv Guest

    We seem to have a severe case of [mis] comprehension here.

    [sarcasm and noise snipped]
    Exactly what? Were your questions answered? If yes, then would you mind
    sharing that information with the rest of us?

    Regards, Zvi
     
    Zvi Netiv, Jun 22, 2005
  13. Art

    Art Guest

    I'm wondering if ISPs are starting to crack down on the use of
    wireless. There seems to be a lot of "freeloading" going on, for one
    thing, where wideband customers are allowing their friends nearby to
    share their ISP service. Plus, crackers with high gain antennas may be
    able to freeload wideband services from various nearby sources with
    a bit of additional detective work.

    And it seems to me that hackers could glean enough info to penetrate
    many "typical user" unsecured systems.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 22, 2005
  14. Zvi Netiv

    Zvi Netiv Guest

    Not really, and there are good reasons why not. The most famous data diddler
    is the now extinct Ripper boot virus. Even at the peak of the boot infectors'
    short era, Ripper was more of a conversation piece than a real threat (Simon
    Widlake would mention it often). The reason for its rarity is that
    destructiveness counters prevalence: The more destructive malware is, the
    lesser its chances to survive and spread.
    Only a fool will claim that there exists no malware that corrupts data, but a
    producer must really have no sense to optimize an AV product for such a rare
    singularity.

    [...]
    I am both willing and experienced, but unable to tell viral from benign if all
    that I could use was Stiller's Integrity Master.

    [...]
    Sophos' decision to not disinfect was a business decision, and the "ideology"
    attached to it was propaganda. Fact is that it worked!
    You seem to have forgotten the very basics of virus and antivirus technology.
    Here is a brief reminder (state of the art ca '95) :

    The definition of virus ( www.invircible.com/glossary.php ) is: "A virus is
    parasitic computer code that replicates by producing functional copies of itself
    into host files. The infected hosts inherit the replication ability of the
    affecting virus, in addition to maintaining the original functionality of the
    host program or file."

    The last part requires that everything that was contained in the program in its
    preinfected state be still there, plus the necessary changes made by the virus
    to incorporate its own code in the program flow. A direct deduction is that all
    virus infections are theoretically reversible, by reverting the changes made to
    the program, since nothing from the original code was lost. This is, in a
    nutshell, the entire theory on which virus disinfection and recovery is based.

    As to disinfection vs integrity restoration, everything disinfection can do,
    restoration will do better, and much of what restoration will do, can't be done
    by disinfection at all (like disinfection from highly polymorphic viruses, or
    from new ones).

    [...]
    I didn't expect you will, yet ... ;)

    Regards, Zvi
     
    Zvi Netiv, Jun 22, 2005
  15. Chris Salter

    Chris Salter Guest

    How would they do that?

    HINT: They cannot.
     
    Chris Salter, Jun 22, 2005
  16. Art

    Art Guest

    ??? You're saying they can't drop customers using wireless? Why not?
    It would be a somewhat difficult business decision to make, but I see
    nothing to stop them if they decide to head in that direction.

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 22, 2005
  17. Chris Salter

    Chris Salter Guest

    If you are talking about ISPs giving out broadband access via wireless
    you are correct. The topic however was about people cracking wireless
    access points, routers etc, so I assumed that was what you were talking
    about (i.e. people on ADSL/DSL/T?/E? wired connections sharing out using an AP).
    If so then yes, I am saying it's impossible to stop customers using wireless.
     
    Chris Salter, Jun 22, 2005
  18. Arthur Hagen

    Arthur Hagen Guest

    You forget that a virus can *replicate* the functionality of a program
    without keeping it, in which case there's nothing to revert back to.
    This is most certainly true for most boot viruses, and some file
    viruses do this too.
    Or disinfection where the original is not retained at all.
    The problem is with the word "nearly". Just for fun, place the eicar
    test string in an NTFS or XFS stream for a file, and see how many
    "properly implemented" real time integrity monitors will catch it. Or
    do a prelink/requickstart of executables and libraries and see how many
    of the monitoring programs that will go nuts because the files have
    changed.

    (So far I know of only *one* AV product that breaks down a file into
    different hunk types and only scans the relevant bits. And it doesn't
    do monitoring. And only *one* product that checks streams, and it's not
    an AV product, but an anti-spyware product.)

    Regards,
     
    Arthur Hagen, Jun 22, 2005
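Zvi's "all virus infections are theoretically reversible" and Arthur's and kurt's objections (overwriters destroy the host; a fingerprint alone cannot bring back overwritten bytes) are easy to make concrete. The code below is an added example, not from the thread or from any of the products named in it: a toy integrity monitor keeps a SHA-256 baseline, and a toy "virus" infects a host either by prepending itself (host preserved, so a disinfector can strip it and the baseline confirms the result) or by overwriting (host bytes gone, so only a stored copy can restore it). The marker, header layout and three-step restore strategy are assumptions for the example.

```python
import hashlib
from typing import Callable, Dict, Optional, Tuple

MARKER = b"TOYVIRUS"  # constructed stand-in for a real viral stub


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def infect_prepend(host: bytes) -> bytes:
    """Parasitic infection in Zvi's sense: viral header and body go first, the
    original host follows intact. The 4-byte length lets the stub hand control
    back to the host, and lets a disinfector find the original."""
    return MARKER + len(host).to_bytes(4, "big") + b"<viral code>" + host


def infect_overwrite(host: bytes) -> bytes:
    """Overwriter: viral body replaces the first bytes of the host. The
    overwritten bytes no longer exist anywhere in the file."""
    body = MARKER + b"<viral code>"
    return body + host[len(body):]


def disinfect_prepend(infected: bytes) -> Optional[bytes]:
    """Undo infect_prepend if the layout matches; None if it does not."""
    if not infected.startswith(MARKER):
        return None
    start, end = len(MARKER), len(MARKER) + 4
    n = int.from_bytes(infected[start:end], "big")
    if n > len(infected) - end:
        return None  # header not ours (e.g. an overwriter wrote garbage there)
    return infected[len(infected) - n:]


class IntegrityMonitor:
    """Baseline of fingerprints, optionally with stored copies of the objects."""

    def __init__(self) -> None:
        self.baseline: Dict[str, str] = {}
        self.copies: Dict[str, bytes] = {}

    def enroll(self, name: str, data: bytes, keep_copy: bool = False) -> None:
        self.baseline[name] = sha256(data)
        if keep_copy:
            self.copies[name] = data

    def check(self, name: str, data: bytes) -> str:
        return "clean" if sha256(data) == self.baseline[name] else "modified"

    def restore(self, name: str, data: bytes,
                disinfector: Callable[[bytes], Optional[bytes]] = disinfect_prepend
                ) -> Tuple[str, Optional[bytes]]:
        """1) untouched? 2) disinfect and verify against the fingerprint;
        3) fall back to a stored copy; otherwise the object is unrecoverable."""
        if self.check(name, data) == "clean":
            return "clean", data
        candidate = disinfector(data)
        if candidate is not None and sha256(candidate) == self.baseline[name]:
            return "disinfected", candidate
        if name in self.copies:
            return "restored-from-copy", self.copies[name]
        return "unrecoverable", None


HOST = b"PROGRAM: original host code 0123456789 abcdefghij"  # constructed host

if __name__ == "__main__":
    mon = IntegrityMonitor()
    mon.enroll("a.exe", HOST)                 # fingerprint only
    mon.enroll("b.exe", HOST, keep_copy=True)  # fingerprint plus stored copy
    print(mon.restore("a.exe", infect_prepend(HOST))[0])    # disinfected
    print(mon.restore("a.exe", infect_overwrite(HOST))[0])  # unrecoverable
    print(mon.restore("b.exe", infect_overwrite(HOST))[0])  # restored-from-copy
```

The fingerprint is what tells you something changed and what lets you verify a disinfection actually produced the original; it never supplies the bytes an overwriter removed, which is why "integrity restoration" in practice means keeping copies, not just hashes.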
  19. Roger Wilco

    Roger Wilco Guest

    But now we are starting to see so-called Warhol worms with destruction
    triggered at peak population. We're talking malware here, not just
    viruses.
    [snip]

    I just knew that "overwriters are not viruses" would be revisited, but
    at least it isn't me this time.
    For those that might be interested, here's this from:

    www.madchat.org/vxdevl/papers/avers/afl01.pdf

    (a very good read technically - I found the English a little "bumpy"
    though)

    ***************

    Definition 4.1.: A computer virus is defined as a part of a program which is
    attached to a program area and is able to link itself to other program areas.
    The code of computer virus has to be executed when that program area is to be
    executed which the virus has been attached to.

    Viruses have not to execute the original part of the program area, but the
    viruses often do it because they want to be unobserved. In this case the
    original part of the program area has to be repaired by the virus. In the
    opposite case the virus may overwrite the program area thus the virus
    destroys it.

    ****************

    The definitions of "virus", "worm" and "trojan" are often tailored to
    the specific needs of the area of technology the expounding person
    inhabits. IMO this "Mathematical Model of Computer Viruses" should be
    the thread their "virus definition" fabric is woven from. If the need
    arises (and it apparently has) to create a dichotomy between viruses
    with "reversible virus infection methods" to those with "irreversible
    virus infection methods" and further with those with "neuterable virus
    infection methods", then they should define new words to describe them
    and not redefine existing words.
     
    Roger Wilco, Jun 22, 2005
  20. Art

    Art Guest

    Why?

    Art

    http://home.epix.net/~artnpeg
     
    Art, Jun 22, 2005