Monday, October 10, 2011
Anti-virus applications and the Bundestrojaner

You might wonder whether your anti-virus software is actually protecting you. The website VirusTotal lets you upload suspicious files, scans them with 43 different anti-virus engines and presents the results. Currently, 24 of the 43 scanners detect the Bundestrojaner.
The CCC provides some further information in which they state that the file they released is not the original one: they had several samples that differed from each other, and to avoid exposing the potential source they changed the differing parts to something completely different. So you might wonder whether your anti-virus software also detects the "original" Bundestrojaner and not just the modified file the CCC released.
We can easily check this by changing the modified pieces once more to something else. Such a modified variant lowered the detection rate to 14 of 43; among the scanners that now miss it is the popular McAfee software. Detecting only the exact published sample of a malware is pretty useless when we know that the original malware differs from it.
Application | Version | Signature date | Modified sample | Original CCC sample |
---|---|---|---|---|
AhnLab-V3 | 2011.10.08.01 | 2011-Oct-09 | Trojan/Win32.R2d2 | Trojan/Win32.R2d2 |
AntiVir | 7.11.15.175 | 2011-Oct-09 | TR/GruenFink.1 | TR/GruenFink.1 |
Antiy-AVL | 2.0.3.7 | 2011-Oct-09 | - | - |
Avast | 6.0.1289.0 | 2011-Oct-09 | Win32:Trojan-gen | Win32:Trojan-gen |
AVG | 10.0.0.1190 | 2011-Oct-07 | - | - |
BitDefender | 7.2 | 2011-Oct-10 | Backdoor.R2D2.A | Backdoor.R2D2.A |
ByteHero | 1.0.0.1 | 2011-Sep-23 | - | - |
CAT-QuickHeal | 11.00 | 2011-Oct-07 | - | - |
ClamAV | 0.97.0.0 | 2011-Oct-10 | Trojan.BTroj-1 | Trojan.BTroj-1 |
Commtouch | 5.3.2.6 | 2011-Oct-10 | - | W32/R2D2.A |
Comodo | 10407 | 2011-Oct-10 | - | Backdoor.Win32.R2D2.A |
DrWeb | 5.0.2.03300 | 2011-Oct-10 | - | - |
Emsisoft | 5.1.0.11 | 2011-Oct-10 | Trojan.Win32.Bundestrojaner!A2 | Backdoor.Win32.R2D2!IK |
eSafe | 7.0.17.0 | 2011-Oct-06 | - | - |
eTrust-Vet | 36.1.8605 | 2011-Oct-07 | - | - |
F-Prot | 4.6.2.117 | 2011-Oct-09 | - | W32/R2D2.A |
F-Secure | 9.0.16440.0 | 2011-Oct-10 | Backdoor:W32/R2D2.A | Backdoor:W32/R2D2.A |
Fortinet | 4.3.370.0 | 2011-Oct-10 | - | W32/R2D2.A!tr.bdr |
GData | 22 | 2011-Oct-10 | Backdoor.R2D2.A | Backdoor.R2D2.A |
Ikarus | T3.1.1.107.0 | 2011-Oct-10 | - | Backdoor.Win32.R2D2 |
Jiangmin | 13.0.900 | 2011-Oct-09 | - | - |
K7AntiVirus | 91155258 | 2011-Oct-08 | - | - |
Kaspersky | 9.0.0.837 | 2011-Oct-09 | Backdoor.Win32.R2D2.a | Backdoor.Win32.R2D2.a |
McAfee | 5.400.0.1158 | 2011-Oct-10 | - | Artemis!930712416770 |
McAfee-GW-Edition | 2010.1D | 2011-Oct-09 | - | Artemis!930712416770 |
Microsoft | 17702 | 2011-Oct-10 | Backdoor:Win32/R2d2.A | Backdoor:Win32/R2d2.A |
NOD32 | 6529 | 2011-Oct-10 | Win32/R2D2.A | Win32/R2D2.A |
Norman | 6.7.2011 | 2011-Oct-09 | - | - |
nProtect | 2011-10-10.01 | 2011-Oct-10 | - | - |
Panda | 10.0.3.5 | 2011-Oct-09 | - | Suspiciousfile |
PCTools | 8.0.0.5 | 2011-Oct-10 | Backdoor.R2D2 | Backdoor.R2D2 |
Prevx | 3.0 | 2011-Oct-10 | - | - |
Rising | 23.78.06.02 | 2011-Oct-09 | - | - |
Sophos | 4.70.0 | 2011-Oct-10 | Troj/BckR2D2-A | Troj/BckR2D2-A |
SUPERAntiSpyware | 4.40.0.1006 | 2011-Oct-08 | - | - |
Symantec | 20111.2.0.82 | 2011-Oct-10 | Backdoor.R2D2 | Backdoor.R2D2 |
TheHacker | 6.7.0.1.318 | 2011-Oct-09 | - | - |
TrendMicro | 9.500.0.1008 | 2011-Oct-09 | - | - |
TrendMicro-HouseCall | 9.500.0.1008 | 2011-Oct-10 | - | BKDR_R2D2.A |
VBA32 | 3.12.16.4 | 2011-Oct-07 | - | - |
VIPRE | 10718 | 2011-Oct-10 | - | Trojan.Win32.Generic!BT |
ViRobot | 2011.10.10.4710 | 2011-Oct-10 | - | - |
VirusBuster | 14.1.3.0 | 2011-Oct-09 | - | - |
Scans done Monday morning around 8:00.
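The table makes the point that a signature tied to the exact bytes of the published sample fails as soon as the parts the CCC altered are changed again, while a signature anchored on the code the samples share keeps working. The following toy scanner, an added illustration that is not part of the original post and not the logic of any of the scanners listed, shows that difference on constructed byte strings. The "invariant part", the "config" suffix and the detection names are all invented stand-ins; no real malware or real signature is involved.

```python
import hashlib
import re

# Constructed stand-ins (not real malware). The invariant part plays the role
# of code shared by all samples; the suffix plays the role of the bytes that
# differed between samples and were altered before publication.
INVARIANT_PART = b"\x55\x8b\xec\x83\xec\x40shared-code-present-in-every-sample"
RELEASED_SAMPLE = INVARIANT_PART + b"CONFIG:sample-A:0001"
VARIANT_SAMPLE = INVARIANT_PART + b"CONFIG:sample-B:9876"
BENIGN_FILE = b"MZ just an unrelated file with CONFIG:sample-A:0001 inside"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Engine 1: exact-file hash. This is what a scanner "knows" if it only
# learned the one published sample.
HASH_SIGNATURES = {sha256(RELEASED_SAMPLE): "Backdoor.Constructed.Exact"}

# Engine 2: byte pattern anchored on the invariant code region, with a
# wildcard over the region known to vary between samples. Hypothetical
# signature format, chosen only for this illustration.
PATTERN_SIGNATURES = [
    (re.compile(re.escape(INVARIANT_PART) + rb"CONFIG:[^:]+:\d{4}"),
     "Backdoor.Constructed.Family"),
]


def scan_by_hash(data: bytes):
    """Return a detection name, or None if the exact hash is unknown."""
    return HASH_SIGNATURES.get(sha256(data))


def scan_by_pattern(data: bytes):
    """Return a detection name if an invariant-anchored pattern matches."""
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            return name
    return None


ENGINES = {"hash": scan_by_hash, "pattern": scan_by_pattern}


def detection_rate(sample: bytes):
    """Count how many engines flag the sample, in the 'x of N' form used above."""
    hits = sum(1 for engine in ENGINES.values() if engine(sample) is not None)
    return hits, len(ENGINES)


def report():
    """Verdicts of both engines for each constructed input."""
    samples = {"released": RELEASED_SAMPLE, "variant": VARIANT_SAMPLE,
               "benign": BENIGN_FILE}
    return {label: {engine: fn(data) for engine, fn in ENGINES.items()}
            for label, data in samples.items()}


if __name__ == "__main__":
    for label, verdicts in report().items():
        hits, total = detection_rate({"released": RELEASED_SAMPLE,
                                      "variant": VARIANT_SAMPLE,
                                      "benign": BENIGN_FILE}[label])
        print(f"{label:9s} {hits} of {total}  {verdicts}")
```

The hash engine flags only the released sample; the variant with a different suffix, standing in for the "original" trojan, goes undetected. The pattern engine flags both while leaving the benign file alone, because it matches on what the samples have in common rather than on the bytes that were changed. That is the distinction between a scanner that has memorised one file and one that detects the family.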
Posted by Hanno Böck in Computer culture, English, Politics, Security at 20:05