Anti-virus applications and the Bundestrojaner

Monday, October 10. 2011, 20:05
Two days ago, the German Chaos Computer Club (CCC) published a sample that is supposedly a variant of a German state spy software (the so-called "Bundestrojaner").

You might wonder whether your anti-virus software is protecting you. The website VirusTotal lets you upload suspicious files, scans them with 43 different anti-virus applications and presents you with the results. Currently, 24 of the 43 scanners detect the Bundestrojaner.

The CCC provides some further information in which they state that the file they released is not the original one: they had several samples that differed from each other, and to avoid revealing the potential source, they changed the differing parts to something else entirely. You might wonder whether your anti-virus application also detects the "original" Bundestrojaner and not just the modified file the CCC released.

We can easily check this by changing the modified pieces again to something else. Such a modified variant lowered the detection rate to 14 of 43, and amongst the scanners that no longer detected it was the popular McAfee software. It is pretty useless to only detect the exact published sample of a malware if we know that the original malware is different.

| Application | Version | Sig date | Modified sample | Original CCC sample |
|---|---|---|---|---|
| AhnLab-V3 | 2011.10.08.01 | 2011-Oct-09 | Trojan/Win32.R2d2 | Trojan/Win32.R2d2 |
| AntiVir | 7.11.15.175 | 2011-Oct-09 | TR/GruenFink.1 | TR/GruenFink.1 |
| Antiy-AVL | 2.0.3.7 | 2011-Oct-09 | - | - |
| Avast | 6.0.1289.0 | 2011-Oct-09 | Win32:Trojan-gen | Win32:Trojan-gen |
| AVG | 10.0.0.1190 | 2011-Oct-07 | - | - |
| BitDefender | 7.2 | 2011-Oct-10 | Backdoor.R2D2.A | Backdoor.R2D2.A |
| ByteHero | 1.0.0.1 | 2011-Sep-23 | - | - |
| CAT-QuickHeal | 11.00 | 2011-Oct-07 | - | - |
| ClamAV | 0.97.0.0 | 2011-Oct-10 | Trojan.BTroj-1 | Trojan.BTroj-1 |
| Commtouch | 5.3.2.6 | 2011-Oct-10 | - | W32/R2D2.A |
| Comodo | 10407 | 2011-Oct-10 | - | Backdoor.Win32.R2D2.A |
| DrWeb | 5.0.2.03300 | 2011-Oct-10 | - | - |
| Emsisoft | 5.1.0.11 | 2011-Oct-10 | Trojan.Win32.Bundestrojaner!A2 | Backdoor.Win32.R2D2!IK |
| eSafe | 7.0.17.0 | 2011-Oct-06 | - | - |
| eTrust-Vet | 36.1.8605 | 2011-Oct-07 | - | - |
| F-Prot | 4.6.2.117 | 2011-Oct-09 | - | W32/R2D2.A |
| F-Secure | 9.0.16440.0 | 2011-Oct-10 | Backdoor:W32/R2D2.A | Backdoor:W32/R2D2.A |
| Fortinet | 4.3.370.0 | 2011-Oct-10 | - | W32/R2D2.A!tr.bdr |
| GData | 22 | 2011-Oct-10 | Backdoor.R2D2.A | Backdoor.R2D2.A |
| Ikarus | T3.1.1.107.0 | 2011-Oct-10 | - | Backdoor.Win32.R2D2 |
| Jiangmin | 13.0.900 | 2011-Oct-09 | - | - |
| K7AntiVirus | 91155258 | 2011-Oct-08 | - | - |
| Kaspersky | 9.0.0.837 | 2011-Oct-09 | Backdoor.Win32.R2D2.a | Backdoor.Win32.R2D2.a |
| McAfee | 5.400.0.1158 | 2011-Oct-10 | - | Artemis!930712416770 |
| McAfee-GW-Edition | 2010.1D | 2011-Oct-09 | - | Artemis!930712416770 |
| Microsoft | 17702 | 2011-Oct-10 | Backdoor:Win32/R2d2.A | Backdoor:Win32/R2d2.A |
| NOD32 | 6529 | 2011-Oct-10 | Win32/R2D2.A | Win32/R2D2.A |
| Norman | 6.7.2011 | 2011-Oct-09 | - | - |
| nProtect | 2011-10-10.01 | 2011-Oct-10 | - | - |
| Panda | 10.0.3.5 | 2011-Oct-09 | - | Suspicious file |
| PCTools | 8.0.0.5 | 2011-Oct-10 | Backdoor.R2D2 | Backdoor.R2D2 |
| Prevx | 3.0 | 2011-Oct-10 | - | - |
| Rising | 23.78.06.02 | 2011-Oct-09 | - | - |
| Sophos | 4.70.0 | 2011-Oct-10 | Troj/BckR2D2-A | Troj/BckR2D2-A |
| SUPERAntiSpyware | 4.40.0.1006 | 2011-Oct-08 | - | - |
| Symantec | 20111.2.0.82 | 2011-Oct-10 | Backdoor.R2D2 | Backdoor.R2D2 |
| TheHacker | 6.7.0.1.318 | 2011-Oct-09 | - | - |
| TrendMicro | 9.500.0.1008 | 2011-Oct-09 | - | - |
| TrendMicro-HouseCall | 9.500.0.1008 | 2011-Oct-10 | - | BKDR_R2D2.A |
| VBA32 | 3.12.16.4 | 2011-Oct-07 | - | - |
| VIPRE | 10718 | 2011-Oct-10 | - | Trojan.Win32.Generic!BT |
| ViRobot | 2011.10.10.4710 | 2011-Oct-10 | - | - |
| VirusBuster | 14.1.3.0 | 2011-Oct-09 | - | - |

Scans done Monday morning around 8:00.
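The useful question for a defender is not the raw detection count but which engines recognise only the exact published bytes. The script below is an added example, not code from the original post or from VirusTotal; it embeds the table above as constructed data (engine name, result on the modified sample, result on the original CCC sample, with "-" meaning no detection) and separates the engines whose signature survives the second modification from those whose signature was tied to the parts the CCC admits it altered.

```python
"""Compare two scan reports of the same malware family and classify engines
by whether their detection survives a change to the sample's altered bytes.

Added example (not from the original post).  SCAN_ROWS is transcribed from
the post's table: (engine, label on modified sample, label on original CCC
sample).  A label of "-" means the engine reported nothing.
"""
from typing import Dict, List, Tuple

NO_DETECTION = "-"

SCAN_ROWS: List[Tuple[str, str, str]] = [
    ("AhnLab-V3", "Trojan/Win32.R2d2", "Trojan/Win32.R2d2"),
    ("AntiVir", "TR/GruenFink.1", "TR/GruenFink.1"),
    ("Antiy-AVL", "-", "-"),
    ("Avast", "Win32:Trojan-gen", "Win32:Trojan-gen"),
    ("AVG", "-", "-"),
    ("BitDefender", "Backdoor.R2D2.A", "Backdoor.R2D2.A"),
    ("ByteHero", "-", "-"),
    ("CAT-QuickHeal", "-", "-"),
    ("ClamAV", "Trojan.BTroj-1", "Trojan.BTroj-1"),
    ("Commtouch", "-", "W32/R2D2.A"),
    ("Comodo", "-", "Backdoor.Win32.R2D2.A"),
    ("DrWeb", "-", "-"),
    ("Emsisoft", "Trojan.Win32.Bundestrojaner!A2", "Backdoor.Win32.R2D2!IK"),
    ("eSafe", "-", "-"),
    ("eTrust-Vet", "-", "-"),
    ("F-Prot", "-", "W32/R2D2.A"),
    ("F-Secure", "Backdoor:W32/R2D2.A", "Backdoor:W32/R2D2.A"),
    ("Fortinet", "-", "W32/R2D2.A!tr.bdr"),
    ("GData", "Backdoor.R2D2.A", "Backdoor.R2D2.A"),
    ("Ikarus", "-", "Backdoor.Win32.R2D2"),
    ("Jiangmin", "-", "-"),
    ("K7AntiVirus", "-", "-"),
    ("Kaspersky", "Backdoor.Win32.R2D2.a", "Backdoor.Win32.R2D2.a"),
    ("McAfee", "-", "Artemis!930712416770"),
    ("McAfee-GW-Edition", "-", "Artemis!930712416770"),
    ("Microsoft", "Backdoor:Win32/R2d2.A", "Backdoor:Win32/R2d2.A"),
    ("NOD32", "Win32/R2D2.A", "Win32/R2D2.A"),
    ("Norman", "-", "-"),
    ("nProtect", "-", "-"),
    ("Panda", "-", "Suspicious file"),
    ("PCTools", "Backdoor.R2D2", "Backdoor.R2D2"),
    ("Prevx", "-", "-"),
    ("Rising", "-", "-"),
    ("Sophos", "Troj/BckR2D2-A", "Troj/BckR2D2-A"),
    ("SUPERAntiSpyware", "-", "-"),
    ("Symantec", "Backdoor.R2D2", "Backdoor.R2D2"),
    ("TheHacker", "-", "-"),
    ("TrendMicro", "-", "-"),
    ("TrendMicro-HouseCall", "-", "BKDR_R2D2.A"),
    ("VBA32", "-", "-"),
    ("VIPRE", "-", "Trojan.Win32.Generic!BT"),
    ("ViRobot", "-", "-"),
    ("VirusBuster", "-", "-"),
]


def parse_rows(rows: List[Tuple[str, str, str]]) -> Dict[str, Tuple[bool, bool]]:
    """Map engine name -> (detects modified sample, detects original sample)."""
    return {name: (mod != NO_DETECTION, orig != NO_DETECTION) for name, mod, orig in rows}


def detection_counts(report: Dict[str, Tuple[bool, bool]]) -> Tuple[int, int]:
    """Return (hits on modified sample, hits on original sample)."""
    modified_hits = sum(1 for mod, _ in report.values() if mod)
    original_hits = sum(1 for _, orig in report.values() if orig)
    return modified_hits, original_hits


def brittle_engines(report: Dict[str, Tuple[bool, bool]]) -> List[str]:
    """Engines that flag the published sample but miss the re-modified one:
    their signature depends on the bytes the CCC says it replaced."""
    return sorted(name for name, (mod, orig) in report.items() if orig and not mod)


def robust_engines(report: Dict[str, Tuple[bool, bool]]) -> List[str]:
    """Engines that detect both variants, i.e. key on something more stable."""
    return sorted(name for name, (mod, orig) in report.items() if orig and mod)


if __name__ == "__main__":
    rep = parse_rows(SCAN_ROWS)
    mod_hits, orig_hits = detection_counts(rep)
    print(f"original sample: {orig_hits}/{len(rep)}, modified sample: {mod_hits}/{len(rep)}")
    print("signature tied to the published bytes:", ", ".join(brittle_engines(rep)))
    print("signature survives the change:", ", ".join(robust_engines(rep)))
```

Running it reproduces the post's 24-of-43 and 14-of-43 figures and lists the ten engines, McAfee among them, whose detection disappears when the already-replaced parts are changed once more. The same comparison works for any pair of VirusTotal-style reports where the two files differ only in regions known to be non-characteristic of the family.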
