Trojan horse Downloader.Generic.ML

[Roger Wilco]

YES, the text file itself is and I'd expect a good checker to find and
eliminate it if it was in fact part of a multistepped

attack/penetration.

A "trojan" is a program - and a text file is not a program - therefore a
text file is not a trojan.

You profess to prefer logic, so there it is.

WRONG, deltree is part of a protected class...the OS itself.

WRONG.

Microsoft (the developers of both "deltree.exe" the OS in question) say
it is an application Just because something is bundled with an OS
doesn't make it a part of that OS.

The WHOLE
goal is protect the OS's integrity and intended functionality.

Don't go off on a tangent - the 'deltree.bat trojan' would be the trojan
even if it first renamed "deltree" to "nulllfile.exe" and contained the
line "nullfile /y c:\windows".

NO, that makes assumptions that a/the standard loading functions are being
used.

I don't understand what you mean here. Standard loading functions help
determine that some filetypes are henceforward executed when invoked -
that is, they are the reason these filetypes are termed executables. You
want "all" files to be scanned for "everything" because you might want
to feed them to an executable which translates and delivers an
executable image to virtual memory without even using standard loading
functions? A textfile, a script file, and "debug.exe" may fit the bill -
but the scriptfile would be the threat and not the textfile.

What if your on-access scanner relied solely on emulation to use
behavioral malware detection? Would you expect it to execute text files
in emulation?

Not relevant.

Invoking would result in execution of content without any further user
interaction, and you say it is irrelevent and that something that is
non-executable (invoking it reasults in nothing happening) is malware?

It is a threat or at least the tracks of a threat or at least a misdirection
from a threat.

I can't disagree with that (after all, it "is" something), I wouldn't
mind too much if an on-demand scan flagged it as damaged or corrupted
malware, but on-access scanners shouldn't waste any time on it.

The file didn't belong there. The file didn't get there by
any ordinary and intended process.

Probably correct.

AVG detected it in real time and not by
any user initiated scan.

So I assumed by your earlier posts. If you had indicated it was flagged
by an on-demand scan I would have thought it a misidentification rather
than strictly a false positive detection. Clearly it "is' something -
just not what it was identified as.

All indications are that there was NO FALSE
positive.

Quite the opposite actually.

All the other circumstances surrounding this seem to support
that.

No they don't, it seems that you don't know what a false positive
detection is. It is not enough that a file looks like the malware it is
identified as, it has to be capable of acting like that malware.
Otherwise, why bother with it.

The fact that the file doesn't fit some parochial definition of a
threat/executable isn't relevant.

The fact that a trojan is an executable program isn't relevent to the
fact that your AV flagged a non-executable as a trojan?

You are too deep in arcana and missing the point.

No, the point is that your "NULL" file is not a trojan - and "you" are
missing that point.

 

[Kevin Reiter]

Some WEP keys or most all WEP keys? By a competent hacker or only by the
NSA? What's better than WEP, not easily cracked, widely & robustly
implemented and easy to install/maintain? A 26 char hex key in minutes
seems like it'd take something with Blue in it's name.

WEP is WEP, whether it's 64 or 128-bit, and it's a known fact that you can
crack the key within minutes using free software (AirSnort, WEPCrack,
AirCrack, etc.)

Google search:
http://www.google.com/search?biw=1592&hl=en&q=wep+crack&btnG=Google+Search

For WiFi encryption, I'd say either WPA (which is becoming widely
available on most products now) or Radius/FreeRadius

Just perform a forensics analysis on the drive and load another drive.

Define in detail please or provide URL.

http://isis.poly.edu/courses/cs996-forensics-s2005/labs/hdd-forensics.pdf

That (loading a new drive, not the analysis) would've taken less time than
all the back and forth flames and insults within this thread that haven't
really solved anything.

If you can duplicate it, then document it and contact some companies and
pass on the info. Examine the c:\null file yourself to see what the
content is, and then make your own call on what exactly it is, based on
the content (if possible.)

And Belkin routers aren't the world's greatest,

Can you provide any reviews? What are its weaknesses? What's better in the
reasonably priced wireless router market?

http://secwatch.org/advisories/1006022 (from 2003)

Are there any known(previously exploited) hacks through a Belkin and ZA in
series?

Here's 2 for starters for ZA:

http://www.frsirt.com/english/advisories/2005/0597
http://www.frsirt.com/english/advisories/2005/0153

Seems that case as also does the possibility of an undetected internal
trojan on this machine or on the local LAN is the likely path/culprit.

Probably..

Was there anything human-readable in the NULL file?

(wasn't able to revisit this thread (read: no net access) for the past few
days, or I would've replied earlier)

 

[Triffid]

My admin password is 12 characters in length. Even if a somewhat
longer one is allowed, it seems with processing speeds what they are
now, a brute force approach might not take long to crack it.




I live way out in the boonies, about fourteen miles from the small
city of Harrisburg. Hard for me to imagine hackers with high gain
antennas roaming rural areas They say such antennas may work
up to four miles away.

But no doubt the general wireless security situation is the pits.
Most people I've talked to about it seem like they couldn't care less.

Art

http://home.epix.net/~artnpeg

I could save $50/month by using one of the three open wireless networks
available in my home office using a standard antenna, but I prefer to
pay for my own DSL so I can secure it.

One neighbor told me to fsck off when I pointed out that his DSL and
porno collection were publicly accessible, so I don't bother offering
advice anymore - but it's nice to know I have backups if my service goes
down

Triffid

 

[Ron Reaugh]

attack/penetration.

A "trojan" is a program - and a text file is not a program - therefore a
text file is not a trojan.

Wacko....a trojan is a pentration. It makes no difference if it's a wooden
horse or a wolf in sheeps clothing.

You profess to prefer logic, so there it is.

Did you plunk your magic plonker froggie?

 

[Ron Reaugh]

And just what criteria have been used to determine that it's "not
benign"? Please be very specific.

That was a quote. Ask Zvi.

No, it found smoke and shouted "Gun, Gun!". The smoke might just as
well have come from a barbecue.

Guess again.

 

[Ron Reaugh]

Some WEP keys or most all WEP keys? By a competent hacker or only by the
NSA? What's better than WEP, not easily cracked, widely & robustly
implemented and easy to install/maintain? A 26 char hex key in minutes
seems like it'd take something with Blue in it's name.

WEP is WEP, whether it's 64 or 128-bit, and it's a known fact that you can
crack the key within minutes using free software (AirSnort, WEPCrack,
AirCrack, etc.)

Google search:
http://www.google.com/search?biw=1592&hl=en&q=wep+crack&btnG=Google+Search

For WiFi encryption, I'd say either WPA (which is becoming widely
available on most products now) or Radius/FreeRadius

Just perform a forensics analysis on the drive and load another drive.

Define in detail please or provide URL.

http://isis.poly.edu/courses/cs996-forensics-s2005/labs/hdd-forensics.pdf

That (loading a new drive, not the analysis) would've taken less time than
all the back and forth flames and insults within this thread that haven't
really solved anything.

If you can duplicate it, then document it and contact some companies and
pass on the info. Examine the c:\null file yourself to see what the
content is, and then make your own call on what exactly it is, based on
the content (if possible.)

And Belkin routers aren't the world's greatest,

Can you provide any reviews? What are its weaknesses? What's better in the
reasonably priced wireless router market?

http://secwatch.org/advisories/1006022 (from 2003)

Are there any known(previously exploited) hacks through a Belkin and ZA in
series?

Here's 2 for starters for ZA:

http://www.frsirt.com/english/advisories/2005/0597
http://www.frsirt.com/english/advisories/2005/0153

Seems that case as also does the possibility of an undetected internal
trojan on this machine or on the local LAN is the likely path/culprit.

Probably..

Was there anything human-readable in the NULL file?

(wasn't able to revisit this thread (read: no net access) for the past few
days, or I would've replied earlier)

 

[Zvi Netiv]

I never of course claimed any of the above. What I claim and you seem to
support is that AVG warned me about something

As the French say, "c'est le ton qui fait la musique". What I support is that
AVG *alerted* you of *something*. Period. Fuzzier than your phrasing, and
insufficient to declare the event as a true positive..

nefarious going on ragarding the not benign file c:\null.

"Nefarious" is your subjective interpretation, and as to "not benign", I may
have contributed to this by telling what I found in the sample you sent. Yet
what you seem to not understand is that there are quite well established rules
as to what is a true, or false positive, in terminology used in these groups.
Like it or not, you'll have to adapt to if you want to be understood.

AVG did its job therefore to regard its
performance in this situation as a 'alse positive' is inaccurate.

I was hoping for some greater insight into what may have happened in my case
rather than having the incident brushed off as a false positive which
clearly it was NOT!

I wouldn't call a thread with 120 posts a brush off, and as for your
disappointment, blame yourself, as you didn't really provide much to chew on
(the NULL sample was good, of course, but that isn't enough). You failed to
produce the most important piece of information to resolve the case: The
circumstances under which the NULL file is created.

Regards, Zvi

 

[Zvi Netiv]

And just what criteria have been used to determine that it's "not
benign"? Please be very specific.

Ron is quoting me, in message <[email protected]>:

After explaining why the flagging of C:\null by AVG as Qdown.s is a false
positive, I added: "Lastly, the NULL file isn't benign from its content. But
it isn't the real thing either, ..."

On hindsight, I should have used "ambiguous" or "probably not innocent" rather
than not benign. What called for that observation is the cumulative weight of
the followings:

- The sample contains explicit reference to a file named "NULL".

- The sample contains reference to the Wininit procedure, in the same context.
This procedure is normally used in early Windows versions for completing pending
tasks during Windows startup, and couldn't execute when Windows was still
running, like software installation or removal.

- There is reference to a DLL named QDOWAS2 in the sample. The similarity of
the file name to Qdown, the Trojan that some scanners suggest it is, didn't seem
accidental to me.

No, it found smoke and shouted "Gun, Gun!". The smoke might just as
well have come from a barbecue.

I tend to agree with Ron, that the smoke is from a gun, but he failed to produce
evidence that will help exposing that gun. Without it, what we have is nothing
more than the evidence that there were WMD in Iraq on the eve of the second Gulf
War. What we need is info on what creates the NULL file and how, and the way to
obtain it is by replicating its creation, under controlled conditions. Instead,
Ron is wasting his time (and ours) in reiterating already exhausted evidence.

For the moment, this thread is leading nowhere, and going in circles.

Regards, Zvi

 

[Ron Reaugh]

Ron is quoting me, in message

After explaining why the flagging of C:\null by AVG as Qdown.s is a false
positive, I added: "Lastly, the NULL file isn't benign from its content. But
it isn't the real thing either, ..."

On hindsight, I should have used "ambiguous" or "probably not innocent" rather
than not benign. What called for that observation is the cumulative weight of
the followings:

- The sample contains explicit reference to a file named "NULL".

- The sample contains reference to the Wininit procedure, in the same context.
This procedure is normally used in early Windows versions for completing pending
tasks during Windows startup, and couldn't execute when Windows was still
running, like software installation or removal.

- There is reference to a DLL named QDOWAS2 in the sample. The similarity of
the file name to Qdown, the Trojan that some scanners suggest it is, didn't seem
accidental to me.


I tend to agree with Ron, that the smoke is from a gun, but he failed to produce
evidence that will help exposing that gun. Without it, what we have is nothing
more than the evidence that there were WMD in Iraq on the eve of the second Gulf
War. What we need is info on what creates the NULL file and how, and the way to
obtain it is by replicating its creation, under controlled conditions. Instead,
Ron is wasting his time (and ours) in reiterating already exhausted

evidence.


NO, AVG is my expert. AVG flagged it. AVG may have detected virus like
activity and/or now considers THAT file to be a nasty. AVG's report/flag IS
the evidence.
The is no evidence that AVG made an error. In fact all the evidence
suggests that AVG performed admirably.

 

[Zvi Netiv]

[...]

I tend to agree with Ron, that the smoke is from a gun, but he failed to produce
evidence that will help exposing that gun. Without it, what we have is nothing
more than the evidence that there were WMD in Iraq on the eve of the second Gulf
War. What we need is info on what creates the NULL file and how, and the way to
obtain it is by replicating its creation, under controlled conditions. Instead,
Ron is wasting his time (and ours) in reiterating already exhausted evidence.

NO, AVG is my expert. AVG flagged it. AVG may have detected virus like
activity and/or now considers THAT file to be a nasty. AVG's report/flag IS
the evidence.
The is no evidence that AVG made an error. In fact all the evidence
suggests that AVG performed admirably.

You certainly fooled me. I see now that I misunderstood your original post.
Quoting from:

"So where and how did this file C:\NULL that AVG claims is Trojan horse
Downloader.Generic.ML appear from? Was it really there since 5/5 but went
unnoticed ... OR did something penetrate all the firewalls and suddenly spawn
this file ... What likely happened here?"

Speaking of consistency and logic ... ;-)

Regards, Zvi

 

[Ron Reaugh]

[...]

I tend to agree with Ron, that the smoke is from a gun, but he failed to produce
evidence that will help exposing that gun. Without it, what we have is nothing
more than the evidence that there were WMD in Iraq on the eve of the second Gulf
War. What we need is info on what creates the NULL file and how, and the way to
obtain it is by replicating its creation, under controlled conditions. Instead,
Ron is wasting his time (and ours) in reiterating already exhausted

evidence.

NO, AVG is my expert. AVG flagged it. AVG may have detected virus like
activity and/or now considers THAT file to be a nasty. AVG's report/flag IS
the evidence.
The is no evidence that AVG made an error. In fact all the evidence
suggests that AVG performed admirably.

You certainly fooled me. I see now that I misunderstood your original post.
Quoting from:

"So where and how did this file C:\NULL that AVG claims is Trojan horse
Downloader.Generic.ML appear from? Was it really there since 5/5 but went
unnoticed ... OR did something penetrate all the firewalls and suddenly spawn
this file ... What likely happened here?"

Precisely, exactly. All that confirms my position from the beginning. All
your posts seem to confirm the fact that there's substantial evidence that
AVG reported at least the smoke of the smoking gun. Ergo the claim that
there was some completely false positive report is grossly misleading. The
evidence is that AVG reported a true positive.

 

[kurt wismer]

kurt wismer wrote:
[snip]

that's not the real issue though - the real issue is that with an output
feedback stream cipher (like rc4), if you encrypt 2 messages (packets)
with the same key (wep key + initialization vector) you can cancel out
the key by XORing the 2 encrypted messages together... to keep this
condition from happening you should change the wep key before the
initialization vector has a chance to go through every possible value -
but as has been shown not too long ago, the initialization vector can be
forced through all possible values in a matter of minutes with properly
crafted traffic...

apparently this is the naive approach - the real method involved in the
most recent demonstrations uses additional tricks to cut down the amount
of traffic that needs to be collected...

it's still all done with publicly available tools, though...

Gaining access to the router setup, I suppose.

not to the best of my knowledge, no...

Then disabling the
router's firewall. But then what? What if only connection sharing and
no print/file sharing is involved?

??? we're talking about cracking wep security and thereby rendering all
supposed 'encrypted' traffic easily viewed in plaintext form...

In my case, the hacker would find a
hardened OS with no open ports, no services running, and no known
vulnerabilities to exploit He might also have a sw firewall behind the
router to deal with.

if your wireless access point is using wep security then there's the
vulnerability right there... does it allow a cracker to gain access to
your system? perhaps not... does it allow a cracker to read all your
network traffic in an unprotected form? yes, yes it does...

not all security breaches result in system penetration...

 

[kurt wismer]

Wacko....a trojan is a pentration. It makes no difference if it's a wooden
horse or a wolf in sheeps clothing.

while it's true that there isn't exact consensus on the definition of
trojan, this isn't anywhere near where attempts at consensus were going...

"trojan" is a short form of "trojan horse program"... therefore roger is
correct to say that trojans are programs...

 

[kurt wismer]

Zvi Netiv wrote:
[snip]

What prevented Integrity Master, and checkers in the same category (e.g. CRC,
MD5, etc.), from becoming widely used in AV, are the following reasons:

1. Plain integrity ("plain" here refers to the processing of the entire file,
not to the method used) is useless for AV purposes as it's unable to
discriminate between legitimate changes and malware related changes.

as malware can make arbitrary changes, processing the entire file is
required... if you're only worried about parasitic infection then sure,
for some types of files you may only need to check a subset of the
entire file, but integrity checkers aren't *just* for detecting that
sort of thing...

Malware doesn't make arbitrary changes, full stop.

so data diddlers don't exist?

That's a fallacy that has
been nurtured by ignorance, fools (e.g. Lambdin, with his unsolicited CRCs), and
AVers that had an interest that users assimilate that nonsense.

what i said is technically correct... malware *can* make arbitrary
changes - there may not yet be a malware instance that changes bytes X,
Y, or Z in a file but there's nothing preventing one from being made...

there is malware the corrupts and/or destroys data - you can contest the
existence of such malware if you like, but you'd be tilting at windmills...

You are actually saying the same thing, but from a different angle: Users were
incapable to tell on base of the plain integrity change whether it was caused by
virus or was benign.

actually, i don't think they are the same thing... i don't believe users
are incapable of such, i believe they are unwilling...

Again, part of the above is propaganda, that was cultivated by interested
parties.

sophos used propaganda to justify being a less attractive option? that
really doesn't make a whole lot of business sense... you (the general
you) can't claim that action X can't be done satisfactorily so you won't
do it and expect potential customers to accept that when most other
vendors provide products that do perform action X...

The fact is that DOS objects, all types, were recovered through
integrity methods to their *exact* original state, to the byte, including the
time and date stamp.

you can't recover overwritten objects merely from an integrity
fingerprint...

[snip]

I hope that you don't point to me as I never made such claim. Which didn't
prevent professional bashers from pretending that I did.

i was not pointing at you... i was merely stating a preference... while
i can recall plenty of things you've said that i disagreed with, i can't
recall you directly saying anything that was blatantly snake-oil...

Let's extend the above now: Real-time AV optimized integrity checkers can
detect an infection and block execution of that object. When implemented
properly, real-time integrity monitoring is nearly infallible at detecting viral
changes in monitored files.

i'm afraid i'm not yet convinced of that...

 

[Zvi Netiv]

"Zvi Netiv" <support@replace_with_domain.com> wrote

We seem to have a severe case of [mis] comprehension here.

[sarcasm and noise snipped]

Precisely, exactly.

Exactly what? Were your questions answered? If yes, then would you mind
sharing that information with the rest of us?

Regards, Zvi

 

[Art]

if your wireless access point is using wep security then there's the
vulnerability right there... does it allow a cracker to gain access to
your system? perhaps not... does it allow a cracker to read all your
network traffic in an unprotected form? yes, yes it does...

not all security breaches result in system penetration...

I'm wondering if ISPs are starting to crack down on the use of
wireless. There seems to be a lot of "freeloading" going on, for one
thing, where wideband customers are allowing their friends nearby to
share their ISP service. Plus, crackers with high gain antennas may be
able to freeload wideband services from various nearby sources with
a bit of additional detective work.

And it seems to me that hackers could glean enough info to penetrate
many "typical user" unsecured systems.

Art

http://home.epix.net/~artnpeg

 

[Zvi Netiv]

so data diddlers don't exist?

Not really, and there are good reasons why not. The most famous data diddler,
is the now extinct Ripper boot virus. Even at the peak of the boot infectors
short era, Ripper was more of a conversation piece than a real threat (Simon
Widlake would mention it often). The reason for its rarity is that
destructiveness counters prevalence: The more destructive malware is, the
lesser are its chances to survive and spread.

what i said is technically correct... malware *can* make arbitrary
changes - there may not yet be a malware instance that changes bytes X,
Y, or Z in a file but there's nothing preventing one from being made...

there is malware the corrupts and/or destroys data - you can contest the
existence of such malware if you like, but you'd be tilting at windmills...

Only a fool will claim that there exist no malware that corrupts data, but a
producer must really have no sense to optimize an AV product for such rare
singularity.

[...]

actually, i don't think they are the same thing... i don't believe users
are incapable of such, i believe they are unwilling...

I am both willing and experienced, but unable to tell viral from benign if all
that I could use was Stiller's Integrity Master.

[...]

sophos used propaganda to justify being a less attractive option? that
really doesn't make a whole lot of business sense... you (the general
you) can't claim that action X can't be done satisfactorily so you won't
do it and expect potential customers to accept that when most other
vendors provide products that do perform action X...

Sophos decision to not disinfect was a business decision, and the "ideology"
attached to was propaganda. Fact that it worked!

you can't recover overwritten objects merely from an integrity
fingerprint...

You seem having forgotten the very basics of virus and antivirus technology.
Here is a brief reminder (state of the art ca '95) :

The definition of virus ( www.invircible.com/glossary.php ) is: "A virus is
parasitic computer code that replicates by producing functional copies of itself
into host files. The infected hosts inherit the replication ability of the
affecting virus, in addition to maintaining the original functionality of the
host program or file."

The last part requires that everything that was contained in the program in its
preinfected state, be still there, plus the necessary changes made by the virus
to incorporate its own code in the program flow. A direct deduction is that all
virus infections are theoretically reversible, by reverting the changes made to
the program, and since nothing from the original code was lost. This is, in a
nutshell, the entire theory on which virus disinfection and recovery is based
upon.

As to disinfection vs integrity restoration, everything disinfection can do,
restoration will do better, and much of what restoration will do, can't be done
by disinfection at all (like disinfection from highly polymorphic viruses, or
from new ones).

[...]

i'm afraid i'm not yet convinced of that...

I didn't expect you will, yet ...

Regards, Zvi

 

[Chris Salter]

I'm wondering if ISPs are starting to crack down on the use of
wireless.

How would they do that?

HINT: They cannot.

 

[Art]

How would they do that?

HINT: They cannot.

??? You're saying they can't drop customers using wireless? Why not?
It would be a somewhat difficult business decision to make, but I see
nothing to stop them if they decide to head in that direction.

Art

http://home.epix.net/~artnpeg

 

[Chris Salter]

??? You're saying they can't drop customers using wireless? Why not?
It would be a somewhat difficult business decision to make, but I see
nothing to stop them if they decide to head in that direction.

If you are talking about ISPs giving out broadband access via wireless
you are correct. The topic however was about people cracking wireless
access points, routers etc so I assumed you were talking about. (ie.
people on ADSL/DSL/T?/E? wired connections sharing out using an AP)
If so then yes I am saying its impossible to stop customers using wireless.