[FSec] More Info on German State Backdoor: Case R2D2

Last weekend, the German-based Chaos Computer Club (CCC) published details on a backdoor trojan that they claimed was being used by German authorities, in violation of German law.

And now, several German states have admitted to using Backdoor:W32/R2D2.A, though they say the backdoor falls within what's allowed.

Here are some additional details about the backdoor itself.

The CCC's report included analysis of the backdoor's DLL and a kernel driver. The CCC does not appear to have had access to the installer, which would have been run locally on the suspect's computer to plant those components.

We do have the installer.

Here's a screenshot from our malware containment system:

[Screenshot: scuinst1.png]


The installer file is called "scuinst.exe". It was first seen on December 9th, 2010.

Our system automation didn't like what it saw and classified scuinst.exe as a "block" type. That's what the "heuristic" category indicates: our automation flagged the file based on rules that our analysts have created, without any sample-specific signature.

Have any F-Secure customers been exposed to R2D2?

No. Our statistics show no customer encounters with this backdoor in the wild before the CCC's announcement.

How did F-Secure get a copy of the installer then?

We (and numerous other antivirus vendors) received the file from virustotal.com.

Here's a screenshot from VirusTotal:

[Screenshot: VirusTotal report]
So lots of antivirus vendors have the installer?

Yes. VirusTotal is a cooperative effort; it shares every submitted file with all the vendors that participate.

What is VirusTotal?

VirusTotal is a service that analyzes suspicious files with multiple antivirus engines and provides a list of detection names.

If there's no detection, does that mean there's no protection?

No. Many antivirus products (such as F-Secure Internet Security) have additional layers of protection beyond traditional signature detections. Just because a threat doesn't have a signature "detection" (the name a multi-scanner would list) doesn't mean that it won't be "blocked" by another layer of defense, such as heuristics or reputation lookups.

In this case, R2D2's installer would have been blocked by our "cloud" layer even before traditional signature database detections had been published.

So if VirusTotal shares with everybody, wouldn't somebody trying to keep a backdoor secret be stupid to upload it there?

Yes. That's why professional malware authors use black market multi-scanners, which test a sample against many engines without forwarding it to the vendors.
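The same sharing that makes VirusTotal useful to vendors is what a practitioner has to keep in mind before submitting anything sensitive: a file upload is distributed to every participating vendor, whereas a lookup by hash reveals only the hash. The script below, added here as an example and not code from the original post or from F-Secure, does the hash-only lookup. It assumes the current VirusTotal v3 REST API (GET https://www.virustotal.com/api/v3/files/{sha256} with an x-apikey header; the API in use in 2011 differed) and a constructed report shaped like a v3 response for offline use.

```python
"""Hash-only VirusTotal lookup (added example, not from the original post).

Assumes the VirusTotal v3 API: GET /api/v3/files/{sha256} with an
x-apikey header returns a JSON file report, or HTTP 404 for an unknown hash.
"""
import hashlib
import json
import urllib.error
import urllib.request

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_hex(data):
    """SHA-256 hex digest of an in-memory sample."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Look a hash up WITHOUT uploading the file.

    Only the hash leaves your network. Returns the decoded JSON report,
    or None when VirusTotal has never seen the hash (HTTP 404).
    Never use the /files upload endpoint for a sample you want kept private:
    uploaded files are shared with every participating vendor.
    """
    req = urllib.request.Request(VT_FILES_URL + sha256,
                                 headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize(report):
    """Reduce a v3 file report to (malicious_count, engine_count, {engine: name}).

    Engines that returned no verdict are counted but carry no name; a low
    count does not mean the sample is safe (heuristic or cloud layers are not
    represented in per-engine signature names).
    """
    attrs = report["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    names = {
        engine: r["result"]
        for engine, r in results.items()
        if r.get("category") == "malicious" and r.get("result")
    }
    return len(names), len(results), names


# Constructed sample report in the v3 shape. The engine names and verdicts
# are illustrative only and are NOT real scan results for scuinst.exe.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "undetected": 1},
            "last_analysis_results": {
                "EngineA": {"category": "malicious",
                            "result": "Backdoor:W32/R2D2.A"},
                "EngineB": {"category": "malicious",
                            "result": "Trojan.Generic"},
                "EngineC": {"category": "undetected", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    # Offline demonstration on the constructed report.
    hits, engines, names = summarize(SAMPLE_REPORT)
    print(f"{hits}/{engines} engines flag the sample")
    for engine, name in sorted(names.items()):
        print(f"  {engine}: {name}")
    # Live use: report = fetch_report(sha256_of_file("scuinst.exe"), API_KEY)
```

With a real API key, `fetch_report(sha256_of_file(path), key)` returns None for a hash VirusTotal has never seen; that is the moment to decide deliberately whether sharing the file with every vendor is acceptable, rather than letting a tool upload it by default.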

Then why would R2D2's authors give it away?

Perhaps that was the only way they knew of to "test" their backdoor's installer.

Or perhaps they didn't care that they'd be decreasing the lifespan and effectiveness of their backdoor.

Or perhaps it just demonstrates the German government's (and the hired backdoor developer's) lack of understanding of what the antivirus industry does, and how frequently we work together to protect our customers.

We're all in this together.
On 11/10/11 At 12:56 PM
