More About Scanning
Trojans
Virus / Trojan Definition
For a remote access Trojan to qualify as a real virus,
it would need to self-replicate. This means that the Trojan
would need to have the ability to infect your computer and
then propagate itself to other computer systems or disks.
Standard remote access Trojans do not self-replicate or
infect other computer files. They are stand-alone programs
that allow someone else to remotely control your computer.
Remote access Trojans are not easily detected by virus scanners.
Unlike a self-replicating virus, a Trojan file can easily
be encrypted by any end user to completely avoid detection
by Trojan and virus scanners.
Encryption - The Difference
When a real computer virus is encrypted or packed by
an end user, it becomes what is known as a virus dropper.
The dropper file contains the pure virus code, but it has
been encrypted and is no longer detected by the virus scanner.
When the scanner examines the file, it cannot find the signature
it has been programmed to look for. When dealing with
viruses, once the file is executed, it will infect other
files on your computer with the raw UNENCRYPTED virus code.
Once this happens, the scanner is able to detect
the virus. Therefore, when a virus is encrypted, the encryption
only works for the single encrypted dropper file. Once
the virus infects the system, it is detected by the scanner.
Trojans are not viruses and they do not infect other computer
files. Therefore, when a Trojan is encrypted it will stay
encrypted and not be detected by the scanner unless a new
signature is added for the encrypted file. Many of these
packed files will never be detected by a scanner. If the
Trojan server has been spread around the net to enough people,
it will be found and added into a signature update. On the
other hand, if the hacker only uses his encrypted server
on a few victims, it may never be found or detected by normal
signature scanning. However, we WILL still detect it with
the layers of protection built into our program.
Encrypting And Packing Files
Encrypting or packing files is not as hard as it may seem.
There are many resources on the net that will do the job
for any novice hacker who has not yet learned how to write
his own encryption engine.
Such resources include popular programs such
as ASPACK, PKLITE and UPX. Hackers who do not program their
own encryption engines will use these types of packing or
compression programs. In fact, most hackers have collections
containing hundreds of different packer programs and utilities.
All the hacker needs to do is pull out his favorite Trojan
server and start packing it with an assortment of different
packers, until he finds one that avoids detection
of the Trojan server. Many times this can be done with only
one popular packer such as UPX, simply by choosing different
options, such as compression ratio.
More accomplished hackers write their own Trojan or encryption
engines. In these cases, if a scanner ever starts to detect
their Trojan server, they simply change the code and auto
update all of their victims with the new undetectable versions.
After this, a signature-based scanning engine will once again
be unable to detect these files.
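Added example (not part of the original page and not Hacker Eliminator's code): why a signature match fails once a file's bytes are transformed, and two checks a defender can still run, flagging packed-looking files by packer marker or entropy and rescanning after unpacking. The signature string, the sample files and the 7.0 threshold are constructed assumptions, and zlib stands in for a real packer.

```python
import hashlib
import math
import zlib
from collections import Counter

# Constructed, harmless stand-in for a scanner signature (not a real malware pattern).
SIGNATURE = b"EXAMPLE-TROJAN-SERVER-MARKER"
# Section names and magic string that UPX leaves in the files it packs.
PACKER_MARKERS = (b"UPX0", b"UPX1", b"UPX!")
ENTROPY_THRESHOLD = 7.0  # assumed cut-off in bits per byte; tune on your own files

def signature_scan(data: bytes) -> bool:
    """Classic signature check: is the known byte pattern present?"""
    return SIGNATURE in data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def looks_packed(data: bytes) -> bool:
    """Heuristic: a known packer marker, or content too random to be plain code."""
    if any(marker in data for marker in PACKER_MARKERS):
        return True
    return shannon_entropy(data) >= ENTROPY_THRESHOLD

def unpack_and_rescan(data: bytes) -> bool:
    """Undo the (zlib stand-in) packing, then run the signature scan again."""
    return signature_scan(zlib.decompress(data))

def build_samples():
    """Constructed samples: a low-entropy 'program' and its compressed form."""
    filler = b"".join(hashlib.sha256(str(i).encode()).hexdigest().encode()
                      for i in range(300))
    plain = b"MZ" + b"\x00" * 64 + SIGNATURE + filler
    return plain, zlib.compress(plain, 9)

if __name__ == "__main__":
    plain, packed = build_samples()
    for name, blob in (("plain", plain), ("packed", packed)):
        print(f"{name:6} signature={signature_scan(blob)} "
              f"entropy={shannon_entropy(blob):.2f} packed={looks_packed(blob)}")
    print("signature after unpacking:", unpack_and_rescan(packed))
```

High entropy alone also matches legitimate compressed installers and archives, so treat it as a reason to inspect a file further rather than as a verdict.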
Doing Your Own Testing
To see how easy it is for Trojans to avoid detection, you
can perform your own test as outlined below:
1. Download a remote access Trojan from the net.
You do not have to run the file, just download it and then
scan it with your favorite antivirus scanner. Once you
have a .EXE or .DLL file that is detected by the scanner,
you have what you need for the test.
2. Copy the detected .EXE or .DLL file to a new folder.
3. Download a packer program. UPX or ASPACK should work fine for this test.
4. Pack the detected Trojan file using one of the packer
programs.
5. Scan the new packed Trojan file again with your
antivirus scanner.
Now you can see how easy it is for a hacker to get past
a signature scanner.
This is why Hacker Eliminator does not stop with scanning.
We add TWO additional layers of protection that will ALWAYS
detect these Trojans, if they are ever activated on your
system while all of our default detection modes are turned
on.