congrats
davidovv
05-29-2001, 06:24 AM
Mikhail,
This might not be the most appropriate forum, but nevertheless:
Congrats on your Agnitum Forums!
regards,
davidovv
Bernd
05-29-2001, 06:41 AM
davidovv,
good to see you here, too!
davidovv
05-29-2001, 07:19 AM
Hey Bernd,
Likewise! Nice to see you around :)
Greetings,
davidovv
Danil
05-29-2001, 08:37 AM
Thanks everybody for joining us here!
Hope this forum will become a good place to spend your time and to find answers to your questions :)
davidovv
05-29-2001, 09:50 AM
Thanks Admin.
Since you referred to questions & answers, here's one for you :):
I know Agnitum is working on a solution for the "TerminateProcess" and "SuspendProcess" calls. As you know, these calls are in use by approx. 16 known trojans by now, e.g. Bionet (up from v3.12), Cyberspy, Buschtrommel (this one actually can do a lot more, e.g. manipulating security apps not to scan .exe files - and thus no trojan servers - not going into the add-ons).
We both know that a "TerminateProcess" call is vastly related to the kernel, and that's "MSoft property only".
Thus, any security related app should take counter measures by itself to handle this prob; the icon in the taskbar disappearing, flashing or whatever will notify the app user that the app has been killed/suspended or otherwise modified.
Could you inform us when these needed counter measures are scheduled to be implemented?
Perhaps you should move this post to a new thread; that's up to you of course.
regards,
davidovv
Mikhail
05-29-2001, 09:23 PM
Hello Davidovv,
I am very glad to see you here!
Yes, we are working on this problem. Unfortunately there is no easy way to implement it.
We are thinking of writing a kernel device driver that will hook all application launches and would not let them execute until checked with Taumonitor. This would not allow any Trojan that uses "TerminateProcess" to execute.
We also want to hook all "TerminateProcess" and similar suspicious function calls to block Trojans from shutting down Jammer or Tauscan. In this case Taumonitor will ask you "Do you want foo.exe to call TerminateProcess function to close Tauscan.exe application? [YES|NO]". It will be similar to Jammer's AppWall technology that hooks "openport()" or "send()" or "receive()" functions at the TDI level.
We plan to implement it in the next version of Tauscan, but programming in the Windows core is very complicated and needs very deep testing.
davidovv
05-29-2001, 11:24 PM
Hello Mikhail,
Thanks for the welcome!
Your reply is very good news indeed; not only will these measures make Tauscan a safer product, it will give it a firm head start in comparison with f.e. The Cleaner from Daniel Otis-Vigil, who will not address this problem as he pointed out in personal email correspondence.
It pleases me - and will please all Tauscan users - that you are addressing this problem as it should be addressed.
I will be waiting eagerly for the Tauscan release with these components included, if only for a test drive :)
All the best,
paul wilders
davidovv
05-31-2001, 09:03 AM
Mikhail,
Consider me just a major nuisance, but:
I mentioned the capabilities of the Buschtrommel trojan before; amongst others the ability to disable the scanning of .exe files (and thus trojan servers).
Since this has nothing to do with a "TerminateProcess" call, should I read your answer above as meaning you are addressing that problem as well?
Thanks in advance,
paul
Mikhail
06-03-2001, 07:25 PM
Paul,
Can you please explain what "disable the scanning of .exe files" means?
Thank you.
davidovv
06-04-2001, 04:22 AM
Hello Mikhail,
We provided Buschtrommel a.o. to Magnus Mischel (and Agnitum) and asked him to publish an analysis, screenshots included. Referring you to this analysis is probably the easiest way to explain:
http://www.mischel.dhs.org/buschtrommel100analysis.asp
regards,
paul
Mikhail
06-04-2001, 06:38 PM
Thanks Paul, it was very interesting.
There is only one good solution to protect against such Trojans - to write a kernel device driver that will hook all application launches and would not let them execute until checked with Taumonitor.
We plan to implement it in future versions of Tauscan, but programming in the Windows core is very complicated and needs very deep testing.
Right now our recommendation to everyone is: check every unknown or suspicious file before you execute it. If you execute it, it can crash your system and terminate every process (unless you are using NT4 or 2000 with properly configured security settings).
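As an added example (not Agnitum's code, and written against the ObRegisterCallbacks API that later Windows versions provide rather than the NT4/2000 kernel Mikhail had in mind), this is the access-stripping half of the design described in Mikhail's two replies above: every request for a handle to the scanner's process is filtered so that other processes cannot obtain PROCESS_TERMINATE, PROCESS_SUSPEND_RESUME or memory-write rights on it. The protected PID, the altitude string and the BUILD_AS_DRIVER macro are assumptions, and the "Do you want foo.exe to ..." prompt is not shown.

```c
#ifdef BUILD_AS_DRIVER
#include <ntddk.h>
#else   /* user-mode stand-ins so the policy function builds and tests anywhere */
typedef unsigned long ACCESS_MASK;
enum { PROCESS_TERMINATE = 0x0001, PROCESS_VM_OPERATION = 0x0008,
       PROCESS_VM_WRITE = 0x0020, PROCESS_SUSPEND_RESUME = 0x0800 };
#endif

/* Rights a foreign process must never hold on the scanner's process object:
 * kill it, suspend it, or write into its memory (Buschtrommel-style tampering). */
#define DANGEROUS_RIGHTS (PROCESS_TERMINATE | PROCESS_SUSPEND_RESUME | PROCESS_VM_WRITE | PROCESS_VM_OPERATION)

/* Policy: strip those rights from a handle request aimed at the protected process
 * unless the requester is that process itself; query/read rights pass through. */
ACCESS_MASK filter_access(ACCESS_MASK desired, int target_is_protected, int requester_is_self)
{
    if (!target_is_protected || requester_is_self) return desired;
    return desired & ~DANGEROUS_RIGHTS;
}

#ifdef BUILD_AS_DRIVER
static HANDLE g_ProtectedPid = (HANDLE)1234; /* assumed; a real product sets it via IOCTL */
static PVOID  g_CbHandle = NULL;
/* Called by the object manager before any process handle is created or duplicated. */
static OB_PREOP_CALLBACK_STATUS PreOp(PVOID ctx, POB_PRE_OPERATION_INFORMATION info)
{
    UNREFERENCED_PARAMETER(ctx);
    if (info->ObjectType != *PsProcessType || info->KernelHandle) return OB_PREOP_SUCCESS;
    int protected_target = PsGetProcessId((PEPROCESS)info->Object) == g_ProtectedPid;
    int self = PsGetCurrentProcessId() == g_ProtectedPid;
    ACCESS_MASK *desired = info->Operation == OB_OPERATION_HANDLE_CREATE
        ? &info->Parameters->CreateHandleInformation.DesiredAccess
        : &info->Parameters->DuplicateHandleInformation.DesiredAccess;
    *desired = filter_access(*desired, protected_target, self);
    return OB_PREOP_SUCCESS;
}
static VOID Unload(PDRIVER_OBJECT d) { UNREFERENCED_PARAMETER(d); ObUnRegisterCallbacks(g_CbHandle); }
NTSTATUS DriverEntry(PDRIVER_OBJECT drv, PUNICODE_STRING path)
{
    OB_OPERATION_REGISTRATION op = {0};
    OB_CALLBACK_REGISTRATION reg = {0};
    UNREFERENCED_PARAMETER(path);
    op.ObjectType = PsProcessType;
    op.Operations = OB_OPERATION_HANDLE_CREATE | OB_OPERATION_HANDLE_DUPLICATE;
    op.PreOperation = PreOp;
    reg.Version = OB_FLT_REGISTRATION_VERSION;
    reg.OperationRegistrationCount = 1;
    reg.OperationRegistration = &op;
    RtlInitUnicodeString(&reg.Altitude, L"321000"); /* assumed altitude string */
    drv->DriverUnload = Unload;
    return ObRegisterCallbacks(&reg, &g_CbHandle);
}
#endif
```

Build the driver part with the WDK and link with /INTEGRITYCHECK, which ObRegisterCallbacks requires; without BUILD_AS_DRIVER only the portable policy function compiles, which is what the assertions exercise.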