[Closed] TROJAN in Trainer?
TROJAN in Trainer? Posted on: 01/10/2015 5:44pm

Can anyone explain why my antivirus detects a trojan in the trainer?

RE: TROJAN in Trainer? Posted on: 01/10/2015 8:26pm
TIM the Enchanter
Level: 1

The trainer does 2 things that trojans would typically do.

1) We're modifying stuff in memory (hacking your games while they are running.)
2) We're talking back and forth with a web source.  That is, the trainer talks to KongHack to log you in, get hacks, etc.

tl;dr: False Positive.

Everything's coming up KongHack!

"When you know nothing matters, the universe is yours" ~Rick Sanchez

RE: TROJAN in Trainer? Posted on: 01/10/2015 8:32pm
Never let a computer tell me shit.

it also has

  • a TCP callback for the URL protocol handler and inter-instance communication
  • registry editing for the URL protocol

I use this AoB tool to make all the AoBs I post. Try the online version if you don't feel like downloading it.
"Obviously, windows are central to Windows. They are so important that they named the operating system after them. But what is a window?"

RE: TROJAN in Trainer? Posted on: 01/10/2015 8:57pm
TIM the Enchanter
Level: 1

Yeah, I ran out of time.  The house is insane today.  Kids are sick still, one's screaming constantly... it's nuts.

RE: TROJAN in Trainer? Posted on: 01/17/2015 12:12am
BirdPerson

Fuck off and die

RE: TROJAN in Trainer? Posted on: 02/11/2015 7:18pm

Let's say it's using the network to log in and to download cheats.
Now why is it trying to connect to 2 different IP addresses?
Also, why is it trying to listen on a port? (Like a trojan, waiting for incoming connections from the one who is controlling it.)

RE: TROJAN in Trainer? Posted on: 02/11/2015 7:46pm
TIM the Enchanter
Level: 1
simidef Posted on: 02/11/2015 2:18pm

Let's say it's using the network to log in and to download cheats.
Now why is it trying to connect to 2 different IP addresses?
Also, why is it trying to listen on a port? (Like a trojan, waiting for incoming connections from the one who is controlling it.)


We use a CDN (Cloudflare), so connections to konghack often occur on multiple IPs.
It doesn't "listen" for anything.  It polls our server to keep your server side session alive.

Let's say you close your browser.  How does any site you're logged into know that you're no longer logged in?  They don't.  They rely on session garbage collection to clean up old sessions that haven't been touched in X minutes.  For us, as with most servers, that default is 24 minutes.  So, if you logged in via the KHUT and we didn't poll, after 24 minutes, you wouldn't be able to use the trainer anymore without closing it and logging back in.

When the trainer (and our site itself) polls the server, it simply passes your session id via cookie (standard session handling) and sets a simple timestamp in the session record, which updates the "modified time" of the session, preventing natural garbage collection from purging your session and logging you out.

Damn, that's a lot of explanation for some fuckass that thinks he knows how shit works. :P

RE: TROJAN in Trainer? Posted on: 02/11/2015 8:29pm
Never let a computer tell me shit.

Fair enough.

Why is it trying to listen on a port?
Do you know what a mutex is?
In computer programming, a mutex is a program object that allows multiple program threads to share the same resource, such as file access, but not simultaneously. When a program is started, a mutex is created with a unique name.

In the case of the trainer, we use a mutex to ensure that only one instance of the trainer runs at one time. However, it might be the case that the user clicks the "launch trainer" link on the website while the trainer is already running. In this case the trainer will start and try to lock the mutex, but it can't, because the other trainer instance has already locked it. So all the new instance can do is exit.

However, because the "launch trainer" links pass game and cheat information to the trainer (so it knows what cheats to load), it is important to pass that information to the current trainer instance. In order to do that, we use a TCP connection.

Why is it trying to connect to 2 different IP addresses?
This is a bit of a tricky one maybe, since you don't specify when it talks to two IP addresses, but I'll walk you through the "two" I know of.
You might notice that you download the trainer from a special subdomain. For security purposes, if you try to download the trainer through another site, the installation should fail. Because our primary domain is hosted "in the cloud", the primary domain data is served from whatever datacenter is closest to the user. This means that if we hosted the trainer download on our primary domain, installation would always fail.
However, all game and cheat related data comes from the primary domain, and hence is potentially served by the cloud.
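
The single-instance hand-off described in the post above, as an added illustration that is not part of the original thread or the trainer's own code: a socket bound to a loopback port stands in for the named mutex, and a second launch that cannot take the port forwards its game/cheat arguments to the running instance and exits. The port choice, the JSON message shape and the validation rules are assumptions made for this example; the listener is loopback-only and checks the message before acting on it, which is what a reviewer would look for to tell this pattern apart from a backdoor listener.

```python
import json
import socket
import threading

HOST = "127.0.0.1"  # loopback only: nothing off this machine can reach the listener

def try_become_primary(port):
    # The bound socket plays the role of the named mutex: only one process can hold it.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind((HOST, port))
    except OSError:            # another instance already holds the port
        srv.close()
        return None
    srv.listen(1)
    return srv

def forward_to_primary(port, launch_args):
    # Second instance: hand the 'launch trainer' arguments over as one JSON line, then exit.
    with socket.create_connection((HOST, port), timeout=2) as conn:
        conn.sendall(json.dumps(launch_args).encode() + b"\n")

def serve_one(srv):
    # Primary instance: accept one hand-off and validate it before acting on it.
    conn, _ = srv.accept()
    with conn:
        raw = conn.makefile("rb").readline(4096)  # cap the message size
    try:
        req = json.loads(raw)
    except ValueError:
        return None
    ok = (isinstance(req, dict) and set(req) == {"game", "cheats"}
          and isinstance(req["game"], str) and isinstance(req["cheats"], list))
    return req if ok else None

def demo(launch_args):
    # Both roles in one process: the first launch becomes primary, the second is
    # refused the bind and forwards its arguments to the primary instead.
    srv = try_become_primary(0)        # port 0: let the OS pick a free port
    port = srv.getsockname()[1]
    got = []
    worker = threading.Thread(target=lambda: got.append(serve_one(srv)))
    worker.start()
    second = try_become_primary(port)  # must fail: the port is already held
    if second is None:
        forward_to_primary(port, launch_args)
    worker.join(5)
    srv.close()
    return second is None, (got[0] if got else None)
```

Run `demo({"game": "example_game", "cheats": ["inf_lives"]})`: the second bind fails, the primary receives the validated request, and a malformed hand-off such as a bare list is dropped rather than acted on.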

RE: TROJAN in Trainer? Posted on: 02/11/2015 9:13pm

Sorry for being so suspicious. It was just strange that a program like this makes those connections, but it's understandable as you explained.

RE: TROJAN in Trainer? Posted on: 02/27/2015 9:33pm

I believe most trainers on this site are safe, especially KHUT. However, some antivirus programs still give false detections on some trainers, and it is completely normal.

@MuhammadAlle To answer your question: in order to explain why antivirus programs sometimes "falsely" detect trojans in trainers, you have to know what a trojan basically does and what a trainer does.

A trojan is usually a malware program containing or consisting of an array of code that is designed to carry out actions on memory to cause the transport or loss of data directly, and which also accesses different parts of the computer and memory without authorization, like a "backdoor". Another key feature of a Trojan horse is that it cannot replicate itself. Trojans are malicious programs that are disguised to be unsuspicious, executing actions in ways that look normal. Most trojans usually have names that catch the user's attention/interest (and those keywords are usually irrelevant to the actual usage of the program), such as startnow.exe or click.exe, in order to induce people to download or start the trojan.

On the other hand, what does a trainer or hack do? Change memory, sometimes even in the non-executable and non-writable parts. Access to and scanning of large parts of memory. Some file names and registry IDs even contain keywords that usually appear in trojan cases. If you look into it deeply, they are quite similar from many points of view.

Many antivirus programs' heuristic analysis / hyper scan procedures are derived from the characteristics of trojans. THEREFORE, some trainers or hacks are always falsely identified as trojans because of the similarities between them. Some less complete / outdated antivirus program databases may therefore lead to false detection of trojans for some programs more often.

For example, WL-090e2df495b51e173943ec4bdeb82a2d-0-TR/Cridex.EB.16, WL-4572fd2833abd750e70c735bdb33fdfd-0-TR/Cridex.EB.23, WL-3edf002334d86b974940c7f1cd950ad4-0-TR/Rogue.KD.637567.7 etc. were famous trojans once, and their false detection rate was over 3.43% in the year 2012 in the Avira and Malwarebytes international virus databases. Imagine: there are tens of thousands of new trojans and viruses each year, and those few types' false detection cases covered over 3% of the total. They were famous not because of their destruction level but because of their disguising power. Many programs were falsely detected as those trojans when those trojan aliases first came out, such as BitTorrent clients, downloading software, copy assist programs, renaming programs, game trainers, compression programs, game hacks, game tools, etc. etc., you name it. Even the most famous and successful antivirus programs made those mistakes for over 6 weeks.

Viral technology advances every single day; however, global antivirus analysis tech is almost the same as 17 months ago. It's not hard to understand that antivirus programs will continue to make mistakes on new virus and new trojan detection.

I may not know much about hacking and computing, but I learn and memorize a lot of technological facts, history and information thanks to my full-time work.

Antivirus programs having false detections is inevitable and is even becoming a tendency. This global problem cannot be solved easily unless trojans and viruses slow down their exponential advance, which is impossible. As a normal person and employee, I would just say what I say to my customers and clients every day: use multiple antivirus programs, in order to prevent false detections caused by the fact that a particular company isn't focusing on dealing with some particular virus types. For example, Avira spends most of its resources on worms and trojans; however, its malware and spyware database is not as good as that of Malwarebytes. Use 3-5 good international antivirus programs to scan, and send back the results to their departments; they should contact you in 3 working days. Listen to their advice and compare the results, then you should be able to deduce whether the trainer/program actually has viruses/trojans or it is simply a false detection and it is safe to use.