Entries tagged as virus

Anti-virus applications and the Bundestrojaner

Monday, October 10. 2011, 20:05
Two days ago, the German Chaos Computer Club (CCC) published a sample that is supposedly a variant of a German state spy software (the so-called "Bundestrojaner").

You might wonder whether your antivirus software protects you. The website VirusTotal lets you upload suspicious files, scans them with 43 different antivirus applications and presents the results. Currently, 24 of 43 scanners detect the Bundestrojaner.

The CCC provides some further information, stating that the file they released is not the original one: they had several samples that differed, and to avoid exposing the potential source, they changed the differing parts to something else entirely. You might wonder whether your antivirus app also detects the "original" Bundestrojaner and not just the modified file the CCC released.

We can easily check this by changing the modified pieces once more to something else. Such a modified variant lowered the detection rate to 14 of 43; among the scanners that now miss it is the popular McAfee software. Detecting only the exact published sample of a malware is pretty useless when we know that the original malware is different.

Application | Version | Sig date | Modified sample | Original CCC sample
--- | --- | --- | --- | ---
AhnLab-V3 | 2011.10.08.01 | 2011-Oct-09 | Trojan/Win32.R2d2 | Trojan/Win32.R2d2
AntiVir | 7.11.15.175 | 2011-Oct-09 | TR/GruenFink.1 | TR/GruenFink.1
Antiy-AVL | 2.0.3.7 | 2011-Oct-09 | - | -
Avast | 6.0.1289.0 | 2011-Oct-09 | Win32:Trojan-gen | Win32:Trojan-gen
AVG | 10.0.0.1190 | 2011-Oct-07 | - | -
BitDefender | 7.2 | 2011-Oct-10 | Backdoor.R2D2.A | Backdoor.R2D2.A
ByteHero | 1.0.0.1 | 2011-Sep-23 | - | -
CAT-QuickHeal | 11.00 | 2011-Oct-07 | - | -
ClamAV | 0.97.0.0 | 2011-Oct-10 | Trojan.BTroj-1 | Trojan.BTroj-1
Commtouch | 5.3.2.6 | 2011-Oct-10 | - | W32/R2D2.A
Comodo | 10407 | 2011-Oct-10 | - | Backdoor.Win32.R2D2.A
DrWeb | 5.0.2.03300 | 2011-Oct-10 | - | -
Emsisoft | 5.1.0.11 | 2011-Oct-10 | Trojan.Win32.Bundestrojaner!A2 | Backdoor.Win32.R2D2!IK
eSafe | 7.0.17.0 | 2011-Oct-06 | - | -
eTrust-Vet | 36.1.8605 | 2011-Oct-07 | - | -
F-Prot | 4.6.2.117 | 2011-Oct-09 | - | W32/R2D2.A
F-Secure | 9.0.16440.0 | 2011-Oct-10 | Backdoor:W32/R2D2.A | Backdoor:W32/R2D2.A
Fortinet | 4.3.370.0 | 2011-Oct-10 | - | W32/R2D2.A!tr.bdr
GData | 22 | 2011-Oct-10 | Backdoor.R2D2.A | Backdoor.R2D2.A
Ikarus | T3.1.1.107.0 | 2011-Oct-10 | - | Backdoor.Win32.R2D2
Jiangmin | 13.0.900 | 2011-Oct-09 | - | -
K7AntiVirus | 91155258 | 2011-Oct-08 | - | -
Kaspersky | 9.0.0.837 | 2011-Oct-09 | Backdoor.Win32.R2D2.a | Backdoor.Win32.R2D2.a
McAfee | 5.400.0.1158 | 2011-Oct-10 | - | Artemis!930712416770
McAfee-GW-Edition | 2010.1D | 2011-Oct-09 | - | Artemis!930712416770
Microsoft | 17702 | 2011-Oct-10 | Backdoor:Win32/R2d2.A | Backdoor:Win32/R2d2.A
NOD32 | 6529 | 2011-Oct-10 | Win32/R2D2.A | Win32/R2D2.A
Norman | 6.7.2011 | 2011-Oct-09 | - | -
nProtect | 2011-10-10.01 | 2011-Oct-10 | - | -
Panda | 10.0.3.5 | 2011-Oct-09 | - | Suspicious file
PCTools | 8.0.0.5 | 2011-Oct-10 | Backdoor.R2D2 | Backdoor.R2D2
Prevx | 3.0 | 2011-Oct-10 | - | -
Rising | 23.78.06.02 | 2011-Oct-09 | - | -
Sophos | 4.70.0 | 2011-Oct-10 | Troj/BckR2D2-A | Troj/BckR2D2-A
SUPERAntiSpyware | 4.40.0.1006 | 2011-Oct-08 | - | -
Symantec | 20111.2.0.82 | 2011-Oct-10 | Backdoor.R2D2 | Backdoor.R2D2
TheHacker | 6.7.0.1.318 | 2011-Oct-09 | - | -
TrendMicro | 9.500.0.1008 | 2011-Oct-09 | - | -
TrendMicro-HouseCall | 9.500.0.1008 | 2011-Oct-10 | - | BKDR_R2D2.A
VBA32 | 3.12.16.4 | 2011-Oct-07 | - | -
VIPRE | 10718 | 2011-Oct-10 | - | Trojan.Win32.Generic!BT
ViRobot | 2011.10.10.4710 | 2011-Oct-10 | - | -
VirusBuster | 14.1.3.0 | 2011-Oct-09 | - | -

Scans done Monday morning around 8:00.
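To make the point of the table measurable, here is an added Python script; it is not part of the original post. It transcribes the two detection columns of the table above (engine name, result for the modified sample, result for the original CCC sample; "-" means no detection) and classifies each engine by whether its signature survived the modification. The classification functions and their names are this example's own.

```python
# Added example (not part of the original post): quantify what the scan table
# shows.  The detection columns below are transcribed from the post's table;
# "-" means the engine reported nothing.  The classification logic is ours.
from collections import namedtuple

ScanRow = namedtuple("ScanRow", "engine modified original")

# engine | modified sample | original CCC sample (transcribed from the table)
RAW_RESULTS = """\
AhnLab-V3|Trojan/Win32.R2d2|Trojan/Win32.R2d2
AntiVir|TR/GruenFink.1|TR/GruenFink.1
Antiy-AVL|-|-
Avast|Win32:Trojan-gen|Win32:Trojan-gen
AVG|-|-
BitDefender|Backdoor.R2D2.A|Backdoor.R2D2.A
ByteHero|-|-
CAT-QuickHeal|-|-
ClamAV|Trojan.BTroj-1|Trojan.BTroj-1
Commtouch|-|W32/R2D2.A
Comodo|-|Backdoor.Win32.R2D2.A
DrWeb|-|-
Emsisoft|Trojan.Win32.Bundestrojaner!A2|Backdoor.Win32.R2D2!IK
eSafe|-|-
eTrust-Vet|-|-
F-Prot|-|W32/R2D2.A
F-Secure|Backdoor:W32/R2D2.A|Backdoor:W32/R2D2.A
Fortinet|-|W32/R2D2.A!tr.bdr
GData|Backdoor.R2D2.A|Backdoor.R2D2.A
Ikarus|-|Backdoor.Win32.R2D2
Jiangmin|-|-
K7AntiVirus|-|-
Kaspersky|Backdoor.Win32.R2D2.a|Backdoor.Win32.R2D2.a
McAfee|-|Artemis!930712416770
McAfee-GW-Edition|-|Artemis!930712416770
Microsoft|Backdoor:Win32/R2d2.A|Backdoor:Win32/R2d2.A
NOD32|Win32/R2D2.A|Win32/R2D2.A
Norman|-|-
nProtect|-|-
Panda|-|Suspicious file
PCTools|Backdoor.R2D2|Backdoor.R2D2
Prevx|-|-
Rising|-|-
Sophos|Troj/BckR2D2-A|Troj/BckR2D2-A
SUPERAntiSpyware|-|-
Symantec|Backdoor.R2D2|Backdoor.R2D2
TheHacker|-|-
TrendMicro|-|-
TrendMicro-HouseCall|-|BKDR_R2D2.A
VBA32|-|-
VIPRE|-|Trojan.Win32.Generic!BT
ViRobot|-|-
VirusBuster|-|-
"""


def parse_results(text):
    """Parse pipe-separated rows into ScanRow tuples; None means no detection."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        engine, modified, original = (f.strip() for f in line.split("|"))
        rows.append(ScanRow(engine,
                            None if modified == "-" else modified,
                            None if original == "-" else original))
    return rows


def detection_counts(rows):
    """Return (engines detecting the original, engines detecting the variant, total)."""
    return (sum(1 for r in rows if r.original),
            sum(1 for r in rows if r.modified),
            len(rows))


def brittle_engines(rows):
    """Engines that flag the published file but miss the re-modified variant:
    their signature evidently keys on the bytes the CCC replaced."""
    return [r.engine for r in rows if r.original and not r.modified]


def robust_engines(rows):
    """Engines that flag both files, i.e. match code that survived the change."""
    return [r.engine for r in rows if r.original and r.modified]


def renamed_engines(rows):
    """Engines that flag both files but under different names (two separate
    signatures matched rather than one generic one)."""
    return [r.engine for r in rows
            if r.original and r.modified and r.original != r.modified]


if __name__ == "__main__":
    rows = parse_results(RAW_RESULTS)
    orig, mod, total = detection_counts(rows)
    print(f"original CCC sample : {orig}/{total} engines")
    print(f"re-modified variant : {mod}/{total} engines")
    print("exact-file-only detections:", ", ".join(brittle_engines(rows)))
    print("renamed between samples:", ", ".join(renamed_engines(rows)))
```

Run stand-alone, it reports 24/43 against 14/43 and lists the ten engines whose detection did not survive the second modification; the same functions can be fed any pair of VirusTotal-style result columns to judge how much of a vendor's coverage depends on the exact published bytes.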

Dangerous for their business model

Wednesday, August 9. 2006, 14:37
A while back, some people from the Chaos Computer Club created a small tool called dingens (yeah, the name sucks) to disable Windows services that open ports to the network.
The idea is simple: a common Windows installation (especially before SP2) opens various ports to the network by default, even if they aren't used for anything. This led to a couple of security threats in the past; many viruses used buggy services to attack remote computers.

Now, while it's probably in general not a good idea to use an operating system so poorly designed that it opens ports by default without needing them, if you're forced to use Windows, dingens is probably a much better idea than most other »security solutions«. Why? Because it closes security holes instead of working around them and introducing new problems, as antivirus apps or personal firewalls do.

Now, recently AntiVir reported win32sec.exe (the dingens tool) as
SecurityPrivacyRisk/Tool.KillService riskware

And Panda Antivirus says:
Hacktool/Servicekiller.A

Probably someone should tell the people at Panda about the different meanings of »hacker«. Just because something was done by »hackers« doesn't mean it's a hacktool. In fact, detecting dingens as something dangerous amounts to trying to get rid of competitors in terms of security solutions. The only thing dingens endangers is the business model of so-called security companies.
After some people intervened, AntiVir has now removed the signature. Panda still thinks it's a »hacktool«.

The whole idea of AV apps is wrong. The purpose of a virus is to use security holes to spread itself. AVs can only detect already-known viruses. That also means the security hole is known and thus should be fixed, not worked around by some crappy software that can have security problems itself. The only valid use of an AV I can think of is to scan email to reduce crap in your inbox. But not to secure you (that should be done by a well-designed mail client), just to save you the time of deleting the mails, the same thing spam filters do. A command-line scanner like ClamAV (the only free one) is just fine for this. Everyone telling you that you need to install an »all-round security solution« on your PC is lying.

This Virus made my day

Tuesday, July 18. 2006, 18:28
Just came in, all errors as in the original, perhaps a fitting companion to my recent etymology article:

Good day,

On Monday, the 17th of July 2006, 3:17:44 PM, you wrote:

>I think that you are impulsively counting again in his manner calm
>yourself and say although that any that simply bigger simpler
>accusations your jealousy knows no limit!!!!!

I understand why you still all shield them you his all not.
I have already collected so much of the evidence,
that your remarks hearing is lowered,
that also with you with her there was also something to think.
Now I already avoid the unspoken I send off the photograph
where she sucked makes my boss!

So, just what will you say to me about that?

P.S. Show it to nobody.
If I learn from your neighbour that you too have converted it in the travelling circus,
I guarantee you the unpleasantness.
In the next days do not write, I have already drunk up in the office
and I think to drive for the city,
which I wish you too.


Oh, and the virus is currently not detected by the AV programs installed on my machine (PANIC!) and seems to be spreading well; antivirus programmers with a legitimate interest may get in touch. ClamAV, VirusTotal and Jotti have already been supplied.