Informal Trojan Detection Test # 1

 

I
N
D
E
  X  

Table of Contents

 

A Note About These Tests (2/1/03)

The anti-trojan tests found on this page and the Informal Trojan Detection Test # 2 page are now a year old. All of the applications that were tested have been updated since these tests were performed -- some several times. In many cases, new functionality has been added to those applications. Consequently, the relevance and meaningfulness of these tests is much less than it was a year ago when these tests were first posted. Please keep that in mind as you look over these tests.

Also, due to space limitations on the UIUC server which hosts these pages, the screenshots for each test result have been removed. Thus, clicking on the numbered links to view screenshots will give you a "page not found" error. If you are interested in obtaining a complete copy of the tests with the screenshots as originally posted, please contact me at eburger68@myrealbox.com . I am more than happy to supply interested parties with complete copies of the tests (probably burned onto a CD-R and delivered via snail mail).

Introduction/Overview

Curious about how well anti-virus and anti-trojan applications perform against a well known Remote Administration Trojan (RAT) like Sub7? I was. In fact, I was especially curious to see just how effectively popular anti-virus and anti-trojan applications would perform when confronted with trojan servers that had been packed with any one of the many executable compression programs available on the Internet. 

So, I ran some tests. I used the Sub7 2.13 MUIE server, packed several different ways (and even left completely unpacked in one case). I selected seven programs to test: four dedicated anti-trojan programs and three standard anti-virus programs. I also decided to do more than just scan files on the hard drive, so I ran tests to check the performance of these applications' real time monitoring components.

The results of these tests are detailed below. Before you jump to any hasty conclusions based on what you see below, please take the time to read the Disclaimers & Limitations section at the end of this document.

I hope you find these tests interesting and useful. 

Don't miss the followup to this set of trojan detection tests:

Informal Trojan Detection Test # 2 (Mar 15 '02)


Applications Tested

Seven anti-virus or dedicated anti-trojan programs were tested. Every attempt was made to get recent engine and database updates for each program. Configuration options of note are detailed for each application.

The Cleaner 3.2 build 3213 Database 3278 (1/2/02)
Notes: Scan inside compressed files & Scan for hidden executables turned on.

Lockdown Pro v. 1.1.0 (8.18) sigsl2k - 597826 kb (1/6/02)
Notes: Scan sensitivity = High; Scan all file extensions on.
           Ran in Advanced Mode (except Memory Scan [B] test)
           Security Level = High
           Trojan Scanner, Network Monitor, Registry Monitor, & File Monitor all enabled w/ default settings.

Anti-Viral Toolkit Pro 3.5.1.5 cc0201051215.exe/wc0201051215.exe
Notes: Objects: Memory, Sectors, Files, Packed Files, Archives, Mail Databases, Plain Mail formats
           File mask: All files
           Options: Code Analyzer

Innoculate IT PE 5.2.9.0 Minor Dat file: 1740 (1/5/02)
Notes: Scan Options: Heuristic Scan; Include subfolders
           File types to scan: All files
           Memory: Enable memory scanning

F-Prot for DOS 3.11b Sign.def / Sign2.def (12/20/01); Macro.def (12/16/01)
Notes: Files: Dumb scan of all files
           Options: Scan inside archives; Scan compressed executables; Scan a normal system; Use heuristics

Tauscan 1.6 build 073 Trojan Database: 02 January 2002
Notes: Objects: Memory; Files; Archives
           File Types: All Files
           Advanced Trojan Analyser - Scan Priority = highest (except Test # 2-A & Test # 2-B in which the
                Advanced Trojan Analyzer was disabled)

Trojan Defense Suite 3 v. 3.20 Radius.td3 06-01-02 (Jan 6, 2002)
Notes: (see screen shots for config: 1, 2)

Note: All programs' options were left at their defaults unless noted above or in specific tests below..

For links to all of these applications on the web, see the Links section at the end of this document.

 

Files Tested

Tests were performed with six files, each a version of Sub7 2.13 MUIE server, a common RAT (Remote Administration Trojan). Only the third file (THAT-PACKED.EXE)  was left un-manipulated. All other server files were compressed or edited as described below.

Location/FILE Description
G:\temp\that\THAT.EXE Sub7 2.13 MUIE edited, but unpacked
H:\temp\that-aspack\THAT-ASPACK.EXE Sub7 2.13 MUIE packed w/ ASPack 2.11d
I:\temp\that-packed\THAT-PACKED.EXE Sub7 2.13 MUIE packed (as shipped)
J:\temp\that-rar\THAT-ASPACK.RAR Sub7 2.13 MUIE packed w/ ASPack 2.11d, RAR'ed w/ WinRAR 2.80
K:\temp\that-upx\THAT-UPX.EXE Sub7 2.13 MUIE packed w/ UPX 1.20
L:\temp\that-asprot\THAT-ASPROT.EXE Sub7 2.13 MUIE edited, then packed w/ ASProtect 1.2

To compress servers, servers were first packed with one of the compression programs listed above with the programs' default options. In the case of THAT-ASPROT.EXE, the server was compressed w/ ASProtect with the following options: Max compression & Preserve extra data

The packed servers were then edited with the Sub7 2.13 MUIE EditServer.exe to append server configuration options.  Server configuration options were the defaults (startup method: WIN.INI, installation: use random name, automatically start server on 27374). In the case of THAT.EXE (the unpacked server), the configuration options were: startup method: WIN.INI & registry-Run, installation: THAT-EDIT.COM, automatically start server on 20000.

For links to all the compression programs used, see the Links section at the end of this document.

 

Tests Performed

Each application was run through a set of three tests. In each test, all six of the server test files detailed above were either scanned or launched. Thus, each application (w/ the exception of two) was tested a total of 18 times (3 main tests x 6 test files = 18 total tests). F-Prot and TDS-3 were excluded from Test # 2-B (see below for more details about the reasons). 

Test Description
Hard Drive Scan simple scan of hard drive
Memory Scan (A) monitoring started, then server loaded
Memory Scan (B) server loaded, then monitoring started

Note: No cleaning/disinfecting of any type was performed by the programs being tested. The programs were configured  to "report only" and/or prevent program load. Any trojan servers launched were killed from memory with ProcView and changes to auto-start locations (the Registry, WIN.INI) were reversed with MSCONFIG.EXE or System Mechanic. Finally, any trojan servers copied to C:\WINDOWS were deleted.

 

General Notes

Every attempt was made to regularize the system on which the tests were performed as well as the conditions under which they were performed.  The tests were conducted over four days (1/6/02 - 1/10/02). No new applications were installed during that time on the test system. Neither were any major system configuration changes made.

System Description P166MMX w/ 64bm RAM; Windows 98 SE (all updates), Internet Ecplorer 6.0 (all updates)., Microsoft Office 2000 (all updates).
Running Programs AtGuard 3.22.11 (iamapp.exe), Microsoft Office 2000 Toolbar (msoffice.exe), Image Composer 1.5 (imgcomp.exe), ProcView (prcview.exe), Metapad (notepad.exe). Also (occasionally): System Configuration Utility (msconfig.exe), System Mechanic (sysmechanic.exe). 

All other programs (including active monitoring/scanning programs) shut down except program being tested and default Windows programs (e.g., systray.exe, explorer.exe, et al).
Cleaning/Disinfecting No cleaning/disinfecting of any type was performed by programs being tested. Programs were configured  to "report only" and/or prevent program load.
Killing Servers ProcView was used to kill running servers whenever necessary. Any servers copied to C:\WINDOWS were manually deleted.
Editing Auto-start Locations Auto-start locations were edited and cleaned up with either MSCONFIG.EXE or System Mechanic 3.6f. 
Monitoring Connections Network connections were monitored w/ AtGuard 3.22.11 (Statistics).

 

Test Results Key

In the "Detect?" row of the test results below, a 1 indicates that a trojan was detected. You can click on the 1 to see the corresponding screenshot. 1, 2 indicates that a trojan was detected, and that there are multiple corresponding screenshots (multiple numbers do not indicate multiple trojans detected). 

--- indicates that no trojan was detected.

In all cases, please read the "Comments:" that follow the "Results:" for an explanation of the "Results:" and the corresponding screenshots.

 

Test #1: Hard Drive Scan

The first test involved a simple file scan of each drive on which the trojan servers were loaded. This test forced the applications to rely exclusively on "signature" scanning. Scans were conducted one drive at a time. Most drives were empty of all other files and folders except the trojan server files and folders in which they were stored. The only exception was  L:\ , which contained the swap file, the TEMP directory, the Internet Explorer Temporary Internet Files folder, and the Outlook Express mail store.

 

The Cleaner 3.2

Notes: The main scanning application was loaded and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? --- --- 1 --- --- ---

Comments: The Cleaner detected only the default server, Packed as shipped. Surprisingly, it even missed the completely Unpacked server. This performance is worse than that of every other application tested, even the straight anti-virus programs.

 

Lockdown Pro 1.10

Notes: The main scanning application was loaded in "advanced mode" and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 --- 1 --- --- ---

Comments: Lockdown Pro detected the Unpacked server and the default Packed server. It missed all the other packed servers. Presumably, the Unpacked and Packed servers would be the easiest to detect. This performance puts it roughly on par with two of the three straight anti-virus programs tested and Tauscan.

 

AVP 3.5

Notes: The main scanning application was loaded and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 1 1 1 ---

Comments: AVP missed only one server: the server compressed with ASProtect. This performance puts it near the top for this particular test, along with TDS-3.

 

Innoculate IT PE 5.2.9

Notes: The main scanning application was loaded and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 --- 1 --- --- ---

Comments: Innoculate IT PE was similar to Lockdown and F-Prot in that it detected the Unpacked server and the server Packed by default.

 

F-Prot for DOS 3.11b

Notes: The main scanning application was loaded in a DOS box and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 --- 1 --- --- ---

Comments: F-Prot turned in a performance similar to Lockdown and Innoculate IT PE, catching the Unpacked server and the server Packed by default.

 

Tauscan 1.6

Notes: The main scanning application was loaded and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 --- 1 --- ---

Comments: Tauscan picked up the Unpacked server, as well as the server compressed with ASPack, and even the ASPack-ed server embedded with the RAR archive. Inexplicably, Tauscan missed the default Packed server.

 

TDS-3

Notes: The main scanning application was loaded and a series of scans performed.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 1 1 1 1

Comments: TDS-3 missed nothing, turning in the best performance for this particular test of all seven applications tested.

 

Test #2-A: Memory Scan # 1

In this test the application's monitoring component was started, and then each trojan server was loaded into memory one at a time. This test allowed the applications to detect trojan servers not only on their signatures, but also on the changes to auto-start locations, as well as their attempts to set up to listen in on ports.

When launched, each trojan server attempted to copy itself (usually w/ a randomly chosen name) to C:\WINDOWS, thus leaving two copies of itself on the hard drive: one in the original location, one in C:\WINDOWS. Each trojan server then attempted to launch the renamed copy it had made of itself from C:\WINDOWS. Finally, each trojan tried to edit the Run= line of WIN.INI to launch the renamed copy of the server in C:\WINDOWS on reboot.. In the case of the unpacked THAT-UNPACKED.EXE, the server also attempted to add the copied server to the Registry auto-start location HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run.

In the case of the RAR'd THAT-ASPACK.RAR, the RAR file was opened with WinRAR 2.80 and then the THAT-ASPACK.EXE contained within the archive launched from within the RAR file. This process of launching the server from within the RAR file created an additional copy of the server in the TEMP directory (L:\TEMP) on top of the original server file and the renamed copy in C:\WINDOWS

Given the original and copied files, as well as the changes to the auto-start locations, there were several things that could be detected:

With one exception, none of the applications tested ever identified the un-RAR'd file in the TEMP directory. 

If trojan servers successfully loaded, they were killed with ProcView, copied servers deleted from C:\WINDOWS, and any changes to auto-start locations reversed between tests. 

 

The Cleaner 3.2

Notes: TCActive & TCMonitor were both loaded and minimized to the tray for this test. TCActive monitors file processes. TCMonitor monitors auto-start locations and other Windows system files for changes.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1, 2 1, 2 1 1 1 1

Comments: The Cleaner caught all the renamed/copied servers in one way or another. TCMonitor was the application that did the trick in five of the six tests, catching the changes to the auto-start locations. Nonetheless, TCMonitor still allowed the servers in these instances to be loaded into memory (see the 2nd screenshot for the ASPack server for an example). Moreover, TCMonitor never identified the original file, only the renamed/copied file in C:\WINDOWS (referenced in the changes to the auto-start locations). The only test in which TCActive intervened and stopped a trojan server from loading based on its signature was with the original Packed server. 

 

Lockdown Pro 1.10

Notes: The full Lockdown Pro application was loaded in "advanced mode" and minimized to the system tray.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1, 2 1, 2 1, 2 1, 2 1, 2 1, 2

Comments: Lockdown Pro consistently provided several warnings:

In the case of the Unpacked and default Packed server, Lockdown Pro also identified:

Although Lockdown allowed the trojan servers load, it provided the option to kill the Internet Servers, undo the Registry changes (and in two cases) remove both offending files.

 

AVP 3.5

Notes: AVP Monitor was loaded and minimized to the tray.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 1 1 1 ---

Comments:  AVP Monitor detected five of six original files based on their signatures and prevented them from loading. It missed the file compressed with ASProtect entirely (and did not flag the changes to WIN.INI). Impressively, though, it detected the RAR'd file when just the RAR archive was opened -- there was never the opportunity even to launch the ASPack-ed server from within the RAR archive. Every other application that caught the RAR'd server only caught it after it was launched from within the RAR archive.

 

Innoculate IT PE 5.2.9

Notes: Real Time File Monitoring was enabled. Specified Virus actions for Real Time File Monitoring were: Report and deny access.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 --- / --- 1 --- --- ---

Comments: Innoculate IT PE caught two of the original files based on their signatures and prevented them from loading.  In the four other cases, the original files launched, and the renamed/copied servers established themselves on a port (see this screenshot for an example).. Innoculate IT PE also never provided any alerts to changes to auto-start locations.

 

F-Prot for DOS 3.11b

Notes: F-Prot was excluded from this test, as it does not have a real time monitoring component.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? n/a n/a n/a n/a n/a n/a

Comments: Readers should keep in mind that F-Prot for DOS is not designed to act as the primary anti-virus protection on a Windows system. It is designed to be used as a backup anti-virus program, run from straight DOS (not a DOS box) when all other means fail or when a system is so completely compromised that it won't even boot.

 

Tauscan 1.6

Notes: TauMonitor was loaded and minimized to the tray. The Advanced Trojan Analyzer option was disabled. The Advanced Trojan Analyzer option severely bogs down the system, and is not thus a realistic (or recommended) option for real time monitoring.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 --- 1 --- ---

Comments: TauMonitor detected three of the servers based on their signatures and prevented them from loading, but it never flagged the original files or prevented them from starting. With the Unpacked and ASPack-ed servers, it detected the renamed/copied files in C:\WINDOWS.  With the RAR'd server, it detected the unarchived file in the TEMP directory (the only application ever to flag that temporary file). Taumonitor never provided any alerts to the changes in auto-start locations.

 

TDS-3

Notes: TDS-3 was excluded from this test. Although TDS-3 does have a real time monitoring component (Execution Protection), that component is disabled in the trial version that was used for these tests.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? n/a n/a n/a n/a n/a n/a

Comments: It would be interesting to test TDS-3's Execution Protection to see if its performance was consistent with TDS-3's other scanning capabilities. With this trial version, such is not possible.

 

Test #2-B: Memory Scan # 2

In this test trojan servers were loaded into memory one at a time, and then each application's monitoring component was launched. This test allowed the applications to detect trojan servers based not only on their signatures, but also on the changes to auto-start locations, and their listenening on pre-designated ports.

When launched, each trojan server copied itself (usually w/ a randomly chosen name) to C:\WINDOWS, thus leaving two copies of itself on the hard drive: one in the original location, one in C:\WINDOWS. Each trojan server then launched the renamed copy it made of itself from C:\WINDOWS. Finally, each trojan edited the Run= line of WIN.INI to launch the renamed copy of the server in C:\WINDOWS on reboot.. In the case of the unpacked THAT-UNPACKED.EXE, the server also added itself to the Registry auto-start location HKLM\SOFTWARE\Microsoft\Windows\Current Version\Run.

In the case of the RAR'd THAT-ASPACK.RAR, the RAR file was opened with WinRAR 2.80 and then the THAT-ASPACK.EXE contained within the archive launched from within the RAR file. This process of launching the server from within the RAR file created an additional copy of the server in the TEMP directory (L:\TEMP) on top of the original server file and the renamed copy in C:\WINDOWS

Given the original and copied files, as well as the changes to the auto-start locations, there were several things that could be detected:

None of the applications tested ever identified the un-RAR'd file in the TEMP directory. 

Between tests, the trojan servers were killed with ProcView, copied servers deleted from C:\WINDOWS, and any changes to auto-start locations reversed. All monitoring programs were closed in between tests and then restarted after the next trojan server was loaded.

 

The Cleaner 3.2

Notes: TCActive & TCMonitor were both loaded for this test. TCActive monitors file processes. TCMonitor monitors auto-start locations and other Windows system files for changes.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? --- --- 1, 2, 3 --- --- ---

Comments: The Cleaner's TCActive caught one renamed/copied file in memory based on its signature (though it missed the original file). TCMonitor never flagged any changes to auto-start locations, even when TCActive flagged a trojan in memory. With the one Packed trojan server that TCActive did spot loaded in memory, the main scanner for The Cleaner was also run on a folder known to be free of viruses and trojans.  Even though TCActive was able to spot that Packed server in memory, the scanner's memory scanning missed it entirely.

 

Lockdown Pro 1.10

Notes: The full Lockdown Pro application was loaded in "simple mode."

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 1 1 1 1

Comments: Lockdown Pro consistently provided several alerts when launched with a trojan server in memory:

In the case of the Unpacked and default Packed server, Lockdown Pro also identified the renamed/copied files based on their signatures. Lockdown never identified the original files.

 

AVP 3.5

Notes: AVP Monitor was loaded.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1,2  1 1, 2 1 1 ---

Comments: This is undoubtedly the most difficult case of them all. In five of the six tests, AVP Monitor did not initially catch the trojan servers loaded in memory when AVP Monitor was started, nor even when the AVP Scanner was run on a folder. The minute any other process tried to interact with the renamed/copied file, however, it was caught. (AVP Monitor never flagged the original files.)

What's important to recognize, though, is that when AVP Monitor did flag the renamed/copied file, it was checking or referencing files on the disk, not files loaded in memory. As noted above, the AVP Scanner (which is configured to scan memory) did not find any trojans when they were loaded into memory. AVP Monitor, by contrast, would catch trojans if another process "touched" them on the disk. It caught the trojan when System Mechanic and ProcView "touched" the renamed/copied file, both when the trojan was loaded into memory and even when it was not.

To illuminate what was going on,  SysInternals' FileMon utility was run while AVP Monitor was flagging trojan servers that were loaded into memory prior to AVP Monitor's being loaded. The first log records System Mechanic's StartUp Manager verifying startup files while AVP Monitor is enabled. This  first log shows System Mechanic attempting to verify the location of the renamed/copied file in C:\WINDOWS, and then that same file apparently being checked by AVP (note the series of AVP*.TMP files). Oddly, FileMon identifies the prcoess opening the AVP*.TMP files as System Mechanic, not AVP Monitor.

The second log is also interesting, in that it shows System Mechanic's StartUp Manager verifying files while AVP Monitor is not running. At the top of the second log one can see System Mechanic verifying the location of the trojan file in C:\WINDOWS, but notice the absence of AVP*.TMP files, indicating (obviously) that no checking by AVP Monitor is going on.

What is telling, though, is what happened when no trojan was loaded into memory and System Mechanic's StartUp Manager attempted to verify auto-start files. Once again, AVP Monitor flagged the renamed/copied file in C:\WINDOWS, clearly indicating that it would flag the file though it was not loaded in memory. This screenshot shows that no trojan is loaded into memory or listening on a port, yet AVP Monitor still identifies the renamed/copied file in C:\WINDOWS when System Mechanic attempts to verify it. Thus, AVP Monitor was relying on file accesses to flag the trojan servers in C:\WINDOWS, not any active memory scanning of trojan servers loaded in memory.

The obvious question is: how much protection does this method of checking files by AVP Monitor realistically provide on a system with an active trojan loaded into memory prior to AVP Monitor's being started? 

Let's take a worst case scenario: let's suppose a trojan server manages to load on a user's system before AVP Monitor is started. Let's also suppose that this user has no personal firewall, or that the user's personal firewall has somehow been compromised, allowing the trojan unfettered access to the Internet. The question becomes: what happens when a nefarious cracker spots the open port with the trojan server listening on it and attempts to connect to the trojan server? Does that connection cause Windows or the trojan server itself to reference the file on the disk, to "touch" it in any way? If the connection attempt does cause the file on the disk to be referenced, AVP Monitor should alert the user. If not, then the connection attempt will be undetected and the user's system will likely be fully compromised.

What the answer to the question posed in this "worst case scenario" is, I don't know. I do not have the means or the time to test this scenario at the present moment. It would be interesting to have a knowledgeable programmer comment on the scenario, though.

 

Innoculate IT PE 5.2.9

Notes: Real Time File Monitoring was enabled. Specified Virus actions for Real Time File Monitoring were: Report and deny access. As Real Time File Monitoring is run through a VXD that is loaded during Windows startup, the system was rebooted in between tests and trojan servers were launched during reboot from HKLM\Software\Microsoft\Windows\Current Version\Run

This testing process was not completely identical to the tests performed with the other applications in the Test # 2-B, as there was a very real chance that the VetMon9x.vxd managed to load before the trojan server was launched from HKLM\...\Run. If nothing else, this aspect of Innoculate IT PE's monitoring points up the real advantages of loading real time monitoring components very early in the Windows startup process. When the user enables Real Time File Monitoring, Innoculate IE PE forces a reboot and then loads its monitoring components very early, giving it a greater chance of catching malware applications launching at Windows startup (provided, of course, that its signature scanning capabilities are up to snuff).

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 --- 1 --- --- ---

Comments: Innoculate IT PE caught the renamed/copied Unpacked and Packed servers on reboot based on their signatures -- it missed the other four trojan servers entirely. It also never flagged any changes to auto-start locations, nor did it ever flag the original files.

 

F-Prot for DOS 3.11b

Notes: F-Prot was loaded in a DOS box and used to run a simple scan of a directory known to be empty of trojans and viruses. F-Prot scanned memory both while it was starting up and at the start of each hard drive scan.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? --- --- --- --- --- ---

Comments: F-Prot for DOS missed every trojan server, both the original and the renamed/copied files. It also never identified any changes to auto-start locations. It should be noted, though, that F-Prot was run in a DOS box, so presumably it would be walled off from main Windows memory areas (though I could be wrong about this).

 

Tauscan 1.6

Notes: TauMonitor was loaded. The Advanced Trojan Analyzer option was disabled. The Advanced Trojan Analyzer option severely bogs down the system, and is not a realistic (or recommended) option for real time monitoring.

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1 1 --- 1 --- ---

Comments: TauMonitor spotted three of the six renamed/copied files. It missed the other three renamed/copied files, as well as all original files. It never flagged any changes to auto-start locations.

 

TDS-3

Notes: The full TDS-3 application was launched. Enabled Startup Scans were: Process File Scan, Process Memory Space Scan, Memory Object Scan, Memory Mutex Scan, Registry & File Trace Scan, & CRC32 System Files Test (see this screenshot for exact configuration).

Results:

File Unpacked ASPack Packed (def) RAR/ASPack UPX ASProtect
Detect? 1, 2, 3, 4, 5, 6, 7 1, 2, 3 1, 2 1, 2 1, 2 1, 2

Comments: TDS-3 consistently provided a wide range of alerts for each and every one of the renamed/copied trojan servers (it never spotted the original files):

Moreover, TDS-3's Netstat clearly showed open ports with listening processes on them, though the user has to initiate this scan herself (it does not automatically launch on startup of TDS-3) -- see this example and this example. (Note that a full set of screenshots has been provided for all alerts only with the Unpacked server -- a limited set of screenshots is provided for the others.) Although the CRC32 System Files scan did not specify the exact changes made to auto-start locations, TDS-3 does provide an Autostart Explorer to edit auto-start locations.

 

Conclusions

In this series of tests with one well known trojan server (in several variations or compressed versions), three applications turned in noteworthy performances: TDS-3, AntiViral Toolkit Pro, and Lockdown Pro. TDS-3 was especially impressive, even though the trial version tested here did not allow for TDS-3's Execution Protection to be put through its paces.

One application turned in a rather disappointing performance: The Cleaner. Its signature scanning was especially lackluster, worse than even the straight anti-virus programs tested, which is troubling given that The Cleaner is billed as a dedicated anti-trojan program that would ideally be used to supplement a standard anti-virus program. 

If nothing else, this series of tests demonstrates the difficulties of dealing with trojans that have been packed or compressed with the many compression utilities out there. Even the best performers in these tests missed some files, leaving potentially dangerous trojan servers lying around on the hard drive, ready to be accidentally or deliberately launched, potential sources of future havoc on the user's system.

Finally, signature scanning alone is not as effective an anti-trojan solution as a set of layered defenses that protects not only against known trojan servers, but also against changes to auto-start locations in the Registry and other system files, as well as against unwanted applications listening on ports.

 

Disclaimers & Limitations

Now that the results of the three tests I ran have been laid out, I feel it important to call my readers' attention to several limitations on these tests and to issue some important disclaimers.

First, this series of tests cannot pretend to be comprehensive or exhaustive. It is one series of tests run on one system by one person against one particular Remote Administration Trojan (in several variations) with one group of applications. In no way can this series of tests give readers a complete picture of the capabilities or weaknesses of any of these applications. Even to attempt to do that, one would need to test a much broader range of trojans under more rigorous and controlled testing circumstances.

Second, in no way should the test results detailed above or the comments I have added after them be interpreted as any kind of endorsement of a particular application or even a recommendation for or against any particular application. Readers will notice that I have not provided a quick, easy summary table of all the results. This is quite deliberate. I wanted to resist the urge to look at these tests as some easily tallied scorecard. At best, the tests I conducted can merely help readers acquire greater insight into some of the capabilities and limitations of the applications tested, as well as some of the issues involved with dealing with the particular type of trojan used in these tests.

(In case anyone is wondering, the programs I have used and relied on regularly are The Cleaner, F-Prot for DOS, and Innoculate IT PE. Going into this test, I was much less familiar with the other four applications.)

Third, I am not a computer professional. I am not a programmer, a network administrator, or a systems analyst. I am also not an experienced hacker or cracker. ("Damnit, Jim, I'm just an English major!") Although I have made every attempt to make these tests as useful and reliable as I can, it is entirely possible that I have made errors in the design, execution, interpretation, and reporting of these tests.

All that having been said, I hope that readers find these tests to be insightful or helpful in some way. They certainly helped me gain a better appreciation for the complexities of trojan detection and removal, though they undoubtedly haven't made me an "expert" by any means.

Comments, questions, criticisms, and alerts to errors are, of course, always welcome. You can email me at:

          eburger68@myrealbox.com

 

Links

Anti-Trojan Applications:

The Cleaner 
http://www.moosoft.com/ 

Lockdown Pro
http://lockdowncorp.com/

Tauscan 
http://www.agnitum.com/ 

Trojan Defence Suite (TDS-3) 
http://tds.diamondcs.com.au/ 

Anti-Virus Applications

Frisk F-PROT Anti-Virus for DOS 
http://www.f-prot.com/download/ 

InoculateIT Personal Edition 
http://www.wilders.org/free_tools.htm 

Kaspersky Labs AntiViral Toolkit Pro 
http://www.avp.ch/
or http://www.kasperskylabs.com/

Compression Programs:

ASPack:
http://www.aspack.com/

ASProtect:
http://www.aspack.com/asprotect.htm

UPX:
http://upx.sourceforge.net/

WinRAR
http://www.rarlab.com/

 

Other Trojan Tests On the Web
Anti-Virus Software Trojan Testing
http://www.claymania.com/tests-trojan.html
 
Best Anti-Trojan Programs
http://www.techsupportalert.com/best_anti_trojans.htm
 
PC Flank - Personal Firewalls vs Leak Tests
http://www.pcflank.com/art21.htm
 
PC Flank - Trojan Tests (1)
http://www.pcflank.com/art17d.htm
 
PC Flank - Trojan Tests (2)
http://www.pcflank.com/art26a.htm
 
PestPatrol -Comparison
http://www.safersite.com/Whitepapers/NSTL_Report.pdf (PDF document)
or http://www.pestpatrol.com/Whitepapers/NSTL_Report.pdf (PDF document)
 
Rokop Security - Tests
http://www.rokop-security.de/main/search.php?query=&topic=5
 
Tauscan - Comparison
http://www.agnitum.com/products/tauscan/compare.html
 
The Cleaner - Comparison
http://www.moosoft.com/thecleaner/comparison.php
 
Trojaner-Info - Test Center
http://www.trojaner-info.de/testcenter.shtml

 

Revision History

Mar 20, 2002 -- Added Other Trojan Tests On the Web

Mar 15, 2002 -- Added notice about the followup Informal Trojan Detection Test # 2 page.

Jan 13, 2002 -- Initial release of this document.

Jan 13, 2002 -- Added a Links section for programs used in these tests.


Don't miss the followup to this set of trojan detection tests:

Informal Trojan Detection Test # 2 (Mar 15 '02)


Home [frames]        Home [no frames]

2000, 2001, 2002 Eric L. Howes (eburger68@myrealbox.com)