More Details Emerging about R2D2 Backdoor Trojan

First reported by the Chaos Computer Club (CCC), which claims to be the largest European Hacker club, this malware, they claim, is used by German police forces, and
...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
Is it legal? It appears not, despite being state sponsored.

And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan according to CCC,
Significant design and implementation flaws make all of the functionality available to anyone on the internet. [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further in their report, they go on to say,
The analysis also revealed serious security holes that the trojan is tearing into infected systems.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.

"It is even conceivable that the law enforcement agencies's IT infrastructure could be attacked through this channel.
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?

Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:


In their "News from the Lab" blog on the R2D2 Backdoor Trojan, their report adds,
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.


The Kaspersky blog details their own analysis which uncovered some other interesting details, including:
...there are six components in total – each with a different purpose – all of which have been analyzed by us.

"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.

"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.

"The number of applications infected by the various components is 15 in total.
So what's the point of this trojan? Good question.

The various reports all say it's for monitoring communication from a suspect's computer when they're using several types of software:
  1. VOIP software (like Skype)
  2. web browsers
  3. chat software
Here's the complete list uncovered by Kaspersky antivirus in their analysis:
Software Monitored by R2D2 Backdoor Trojan
Program Purpose
explorer.exe Internet Explorer web browser
firefox.exe Mozilla Firefox web browser
icqlite.exe Chat software
lowratevoip.exe VOIP software
msnmsgr.exe Chat software
opera.exe Opera web browser
paltalk.exe Video chat software
simplite-icq-aim.exe Chat software
simpro.exe Chat software
sipgatexlite.exe VOIP software
skype.exe VOIP software
skypepm.exe VOIP software
voipbuster.exe VOIP software
x-lite.exe VOIP software
yahoomessenger.exe Chat software

So now, the question is are the antivirus software companies detecting the trojan?

Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) were capable of detecting the trojan even before they became aware of it and added specific threat definitions to their software.

F-secure says, The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created. And Kaspersky says, All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.

So, the bottom line, if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.

And, if you're not, why not?


Firefox 6 Released. Does it Matter?

With Mozilla Firefox now releasing its third full release in its new "rapid release" schedule, there definitely reason to upgrade for most people.

The most noticeable improvement is in the address bar, which now puts emphasis on the domain name to help thwart phishing attacks.

As you can (hopefully) see the emphasis, while subtle, is definitely there.

I've found as I got used to using it, the emphasis was easier to spot.

Personally, I love the feature; I just wish it were even more prominent.

Opera, in their version 11 took a different approach, removing everything but the domain name itself from the address bar. Thus:




While that approach is probably good to some extent, particularly for new users, it's also frustrating because it requires you to click on the address bar to reveal the full website address.

Luckily, you can easily revert to displaying the full website address in Opera through by typing opera:config into the Opera address bar.

Whatever the case, that web browsers are trying through a host of technological means to make it harder for the malware writers to take over peoples' PCs is a good thing.

Bottom line: yes, it's worth upgrading.

Regardless of what antivirus software you're running, keeping your web browser updated is a smart thing to do. After all, most virus and malware attacks do come in via the web, so why not give yourself every technological advantage?


Best Web Browser for Blocking Malicious Content?


Fans of Internet Explorer, rejoice!

Well, sort of.

NSS Labs, one of the top independent security research labs in the world, just put each of the top web browsers for Microsoft Windows PCs on their test bench to see how they fared against socially engineered malware.

Long lambasted for being insecure and weak in its ability to thwart malware, Internet Explorer actually landed at the front of the pack in this particular test which included:

Their report, "Web Browser Security, Socially Engineered Malware Protection," looked specifically at social engineering malware (SEM) attacks, which

...remains the most common security threat facing Internet users today.

"Recent studies show that users are four times more likely to be tricked into downloading malware than be compromised by an exploit.

How much better did IE fare? At the risk of editorializing, it was an absolute landslide. (Politicians dream of this kind of lopsided victory.)

Effectiveness of Top Web Browsers at Blocking Social Engineering Malware Attacks
Web Browser Malware Blocking Efficacy
Microsoft Internet Explorer 9 99.2%*
Google Chrome 12 13.2%
Apple Safari 5 7.6%
Mozilla Firefox 4 7.6%
Opera 11 6.1%
* With both URL and Application Reputation enabled during testing, which provided 96% and 3.2% of protection respectively.

Now for the one caveat: this only measured the efficacy of blocking social engineering malware and didn't test any of the browsers abilities (or likelihood) of being attacked through a security exploit.

What does that mean?

For starters, it means stopping viruses and other malware isn't as easy as running one web browser vs. another.

While Internet Explorer 9 might do very well at blocking social engineering malware, other browsers have historically done significantly better at stopping attacks that come through security exploits.

So, what's the best, most secure web browser?

There's no simple answer. I'd really encourage you to take a close look at the NSS Web Browser Security Report.

Another thing not covered is the effectiveness of antivirus software at blocking these types of threats.

In our tests, we consistently saw the software we tested with the best malicious website filtering giving added protection above and beyond what the web browsers themselves provided.


More web browser security issues. Opera this time...

Just when you thought it was safe to go back in the water after the last round of security alerts and news on Internet Explorer trojan vulnerabilities, Opera announced they have some bugs of their own to take care of, too, in versions prior to 9.63 of the web browser.

To date Opera has had one of the finest track records of computer security for any web browser. It also has a great reputation for reliable rendering and for overall speed and stability, but as with all software at any price, there are bugs.

In this particular case, there are several Opera security vulnerabilities. They range in severity from "Highly severe" to "Extremely severe" and cover the following issues:

Vulnerability   Rating   Details
Manipulating text input contents can allow execution of arbitrary code, as reported by Red XIII. Extremely Severe Text input manipulation, ID 920
HTML parsing flaw can cause Opera to execute arbitrary code, as reported by Alexios Fakos. Extremely Severe HTML parsing, ID 921
Long hostnames in file: URLs can cause execution of arbitrary code, as reported by Vitaly McLain. Highly Severe Long hostnames in file, ID 922
Script injection in feed preview can reveal contents of unrelated news feeds, as reported by David Bloom. Highly Severe News feed script injection, ID 923
Built-in XSLT templates can allow cross-site scripting, as reported by Robert Swiecki of the Google Security Team. Highly Severe Cross-site scripting (XSS), ID 924
Fixed an issue that could reveal random data, as reported by Matthew of Hispasec Sistemas. (Details to follow "at a later date".) N/A N/A

We salute Opera for their speedy response and (nearly) full disclosure, and lest it go unsaid, take a second to be certain you're up-to-date on your antivirus firewall software

Here are Opera's complete details of Opera 9.63 fixes.