10/19/2011
More Details Emerging about R2D2 Backdoor Trojan
First reported by the Chaos Computer Club (CCC), which claims to be the largest European Hacker club, this malware, they claim, is used by German police forces, and
And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:
The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
So now, the question is are the antivirus software companies detecting the trojan?
Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.
F-secure says,
So, the bottom line, if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.
And, if you're not, why not?
Is it legal? It appears not, despite being state sponsored....can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Their analysis isn't just hot air. Further in their report, they go on to say,Significant design and implementation flaws make all of the functionality available to anyone on the internet.[Editor's Note: Emphasis mine.]
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?The analysis also revealed serious security holes that the trojan is tearing into infected systems.
"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.
"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.
"It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel.
Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:
F-Secure
In their "News from the Lab" blog on the R2D2 Backdoor Trojan, their report adds,And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.
Kaspersky
The Kaspersky blog details their own analysis which uncovered some other interesting details, including:So what's the point of this trojan? Good question....there are six components in total – each with a different purpose – all of which have been analyzed by us.
"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.
"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.
"The number of applications infected by the various components is 15 in total.
The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
- VOIP software (like Skype)
- web browsers
- chat software
| Software Monitored by R2D2 Backdoor Trojan | |
|---|---|
| Program | Purpose |
| explorer.exe | Internet Explorer web browser |
| firefox.exe | Mozilla Firefox web browser |
| icqlite.exe | Chat software |
| lowratevoip.exe | VOIP software |
| msnmsgr.exe | Chat software |
| opera.exe | Opera web browser |
| paltalk.exe | Video chat software |
| simplite-icq-aim.exe | Chat software |
| simpro.exe | Chat software |
| sipgatexlite.exe | VOIP software |
| skype.exe | VOIP software |
| skypepm.exe | VOIP software |
| voipbuster.exe | VOIP software |
| x-lite.exe | VOIP software |
| yahoomessenger.exe | Chat software |
So now, the question is are the antivirus software companies detecting the trojan?
Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.
F-secure says,
The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created.And Kaspersky says,
All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.
So, the bottom line, if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.
And, if you're not, why not?
10/10/2011
Microsoft Security Essentials (Mistakenly) Labels Google Chrome a Virus
Imagine your web browser suddenly stops working and gets quarantined by your antivirus software.
Do you:
There have been multiple reports of this in large online news outlets including CNet and ZDNet about the false positive, those people affected by it, and MS's reply.
Microsoft's response to the ZDNet inquiry was pretty quick (even though about 3,000 people were affected), with the MS spokesperson saying via email,
Sure, given the relationship between Microsoft and Google, it could easily be called intentional or perhaps even a Freudian slip, but let's remember: antivirus software is complex stuff. No question.
And, at least in this case it was remedied relatively quickly. If needed, here's where you can manually update the definitions to your Microsoft Security Essentials.
Lastly, regardless of what antivirus software you're running, if you haven't done it in a while, now's a good time to take a minute and make sure you're running the latest version with the most recent definitions.
Do you:
- Panic?
- Cry?
- Scream?
- Some combination of the above?
There have been multiple reports of this in large online news outlets including CNet and ZDNet about the false positive, those people affected by it, and MS's reply.
Microsoft's response to the ZDNet inquiry was pretty quick (even though about 3,000 people were affected), with the MS spokesperson saying via email,
While no one is cheering for Microsoft for the goof, it's pretty clear this really was just a goof. It happens.On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers PCs.
"We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted.
Sure, given the relationship between Microsoft and Google, it could easily be called intentional or perhaps even a Freudian slip, but let's remember: antivirus software is complex stuff. No question.
And, at least in this case it was remedied relatively quickly. If needed, here's where you can manually update the definitions to your Microsoft Security Essentials.
Lastly, regardless of what antivirus software you're running, if you haven't done it in a while, now's a good time to take a minute and make sure you're running the latest version with the most recent definitions.
10/04/2011
2011 Security Research Grant/Gift Award Winners
Advanced virus detection techniques, Firefox plugins, apps that keep your private data safe on your smart phone, and Wi-Fi network hacking drones are just a start this year.
The list of the ten winning recipients from our 2011 Security Research Grant/Gift Fund this year is incredibly impressive.
Each of the projects is very, very good in its own right; so good that any of them could have won our top award.
As it turns out, our top award went to Kevin Roundy and his research advisor at the University of Wisconsin-Madison Computer Science Department, Dr. Barton P. Miller, for their project SD-Dynist which is helping figure out some of the cunning things the virus writers are up to and what they're doing to try to beat the best antivirus software and avoid detection.
Each of the winning projects we're helping fund offers something unique, but they all have one thing in common: making the Internet safer for us all.
Complete details about winning projects can be found here:
Thank you and congratulations to all the great projects of 2011--and the great minds behind them!