Trojan vs Adware

analeen

New Member
Thread author
Jan 17, 2016
I am confused when it comes to Trojans, as a Trojan can also be considered Adware, as with the sample whose report I have attached.
Is there any clear difference between them? I can see that even the lead vendors, such as Symantec, Microsoft and ClamAV, don't have a clear line between them.
 
Adware: "Software that automatically displays or downloads advertising material (often unwanted) when a user is online."

Trojan: "Trojan horse, or Trojan, is any malicious computer program which is used to hack into a computer by misleading users of its true intent."

Adware could be considered a Trojan, but not all Trojans are Adware.
 
Have you analyzed the sample on the online analysis service?
If yes, you should fill in the relevant field to be able to interpret the report. However, it is possible that a trojan drops an adware. Indeed, the trojan name is derived from the Trojan horse of ancient Greece that contained the soldiers, hidden by the deception.
 
Sorry that I didn't include it at the beginning; this is the analysis link on malwr.com:
https://malwr.com/analysis/Mzk4MjI0ZmU0ZDcwNDBmNWFlZDcyZjg5MmE5NWI0ODQ/

Although the actions that have been carried out look malicious when reading the analysis report, other vendors such as ClamAV suggested that it is adware, and some of them describe it as follows: GameVance offers "free" games from its website in exchange for the display of targeted pop-up and pop-under advertising based on information about users' online behavior!
 
From the analysis it seems to be an adware that drops a fake uninstaller file called uninstaller.exe.
The sample steals information from the user folder of the browser and actually creates a modified copy of itself by changing the real functions of the adware.
This indicates why some AV flag it as a trojan.
It performs many HTTP requests, which are typical of adware but between these it could be a server to collect user data.
 
Don't rely on the classifications you see on VirusTotal. They are prone to error.
 
Actually, when I analysed the sample on my machine using Cuckoo, it starts a server listening on port 0, which I think means any available port. But how did you know that the fake binary is the uninstaller?
 
From Malwr report:

Creates a slightly modified copy of itself:

"process: None
signs: [{u'type': u'dropped file', u'value': {u'yara': [], u'sha1': u'04fcd95766d5edae7942a8746126bf47a8ab6aa0', u'name': u'Uninstaller.exe', u'sha512': u'aa67c8c9860ce57970f182a6fe9a519c4003df54ffb1e56b30484b546ae4c94ed2bf7f8b4a54f6dbc2ffa7d1772a0286aa1c8d7d3a1c2e872aef59a92b5a771e', u'crc32': u'B8427AD1', u'path': u'/home/cuckoo/cuckoo/run/storage/analyses/34665/files/6278605923/Uninstaller.exe', u'ssdeep': u'6144:GckN44ogm5Iibc/POOOOtOOOOOOOOOOOOOOOOOOOO+OOOOOOOOOOOOOOOOOOOOmN:Gm54nOOOOtOOOOOOOOOOOOOOOOOOOO+s', u'sha256': u'f29b7324e6c1a7a282ff1084eee8bc9e47cac18e1ce826bc157734789f2f6f24', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'md5': u'd9e57b47f2334f118eaafcb19ce7a799', u'size': 280576}}]"
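
Added example (not part of the original thread or the Malwr report): one way to pull dropped executables out of a Cuckoo-style "signs" field like the one quoted above, in Python. The sample data is constructed to mirror the quoted layout, with placeholder hashes and a hypothetical non-file mark; the function names are assumptions of this example.

```python
import ast

# Constructed sample mirroring the "signs" layout quoted above. The hashes
# are placeholders and the third mark is hypothetical, not from the report.
SAMPLE_SIGNS = (
    "[{u'type': u'dropped file', u'value': {u'yara': [], "
    "u'name': u'Uninstaller.exe', u'sha256': u'" + "0" * 64 + "', "
    "u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', "
    "u'size': 280576}}, "
    "{u'type': u'dropped file', u'value': {u'yara': [], "
    "u'name': u'readme.txt', u'sha256': u'" + "1" * 64 + "', "
    "u'type': u'ASCII text', u'size': 120}}, "
    "{u'type': u'other', u'value': {u'note': u'not a file mark'}}]"
)


def parse_signs(text):
    """Parse the Python 2 style repr (u'...' strings) into a list of marks."""
    # literal_eval accepts literals only, so report text is never executed.
    marks = ast.literal_eval(text)
    if not isinstance(marks, list):
        raise ValueError("expected a list of signature marks")
    return marks


def dropped_files(marks):
    """Return name, hash, size and a PE flag for every 'dropped file' mark."""
    found = []
    for mark in marks:
        if not isinstance(mark, dict) or mark.get("type") != "dropped file":
            continue
        info = mark.get("value") or {}
        found.append({
            "name": info.get("name", "?"),
            "sha256": info.get("sha256", ""),
            "size": info.get("size", 0),
            # The inner 'type' is the file-magic string, e.g. "PE32 executable"
            "is_pe": str(info.get("type", "")).startswith("PE32"),
        })
    return found


def dropped_executables(text):
    """Dropped files whose file-magic string marks them as PE binaries."""
    return [f for f in dropped_files(parse_signs(text)) if f["is_pe"]]


if __name__ == "__main__":
    for f in dropped_executables(SAMPLE_SIGNS):
        print(f["name"], f["size"], f["sha256"])
```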
 
Cannot thank you enough, really appreciate your help.