Can you trust your antivirus solution to protect you against governmental backdoors and "lawful interception" police Trojans?

[ShyWriter]

.

Can you trust your antivirus solution to protect you against governmental backdoors and "lawful interception" police Trojans?

By Adrian Kingsley-Hughes | October 8, 2011, 4:06pm PDT

Summary: Who can you trust to protect your systems from governmental snooping?

Any antivirus tool worth its salt should offer you comprehensive protection against malware created by bad guys who are out to do you harm. But what about protecting you against governmental backdoors or “lawful interception” police Trojans?

The Chaos Computer Club, a group of well-respected German hackers, have discovered in the wild what they claim is a backdoor Trojan created by the German government which is being used as ‘a lawful interception malware program’.

The largest European hacker club, “Chaos Computer Club” (CCC), has reverse engineered and analyzed a “lawful interception” malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

CCC analysis of the Trojan can be found here [PDF, German].

Security firm F-Secure has analysed the Trojan and come to the following conclusions:

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

We do not know who created this backdoor and what it was used for.

We have no reason to suspect CCC’s findings, but we can’t confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

Pretty serious stuff. So who can you trust to protect you from ‘government’ malware? Well, I was impressed by F-Secure’s statement on detecting governmental backdoors or “lawful interception” police Trojans:

In late 2001, F-Secure Corporation received various queries on our standpoint regarding the possibility of spying programs developed by various governments. Much of this discussion was generated by media coverage on rumored backdoor trojan known as “Magic Lantern”, developed by FBI or NSA in USA. Discussion was increased as several US-based anti-virus vendors made comments implying they would on purpose leave a backdoor in their anti-virus products to allow such a spying program to work.

Thus, F-Secure Corporation would like to make known that we will not leave such backdoors to our F-Secure Anti-Virus products, regardless of the source of such tools. We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws.

We will also be adding detection of any program we see that might be used for terrorist activity or to benefit organized crime. We would like to state this for the record, as we have received queries regarding whether we would have the guts to detect something obviously made by a known violent mafia or terrorist organization. Yes we would.

That’s good to know!

F-Secure detects this new malware as Backdoor:W32/R2D2.A, the name R2D2 comes from a string inside the trojan: “C3PO-r2d2-POE”. A string used internally by the Trojan to initiate data transmission.

Do you trust your antivirus solution to protect your systems from governmental snooping?

Source: http://www.zdnet.com...e-trojans/15280

--END

Shy

[Comprev]

Thanks for that Steve!

[Guest spc3rd]

An interesting article Steve!

It just reinforces what I'm certain many people are aware of, namely since the U.S. Patriot Act was passed, it gave the government increased, broad-sweeping, powers to eavesdrop and intrude into everyone's life. Your phone conversations (landline & wireless), text messaging, Internet, bank records, medical/dental records...nothing is private anymore. The NSA/CIA satellites currently in orbit right now can easily zoom in on you standing in your backyard (if you look up) and readily identify you!

You can bet the government is doing what it wants to, when it wants to...regardless of whether it is constitutional or in line with due process of law!

Thanks for posting the article!

[MAM]

OOps, somthing was faster as me, for reporting this Government Observer , well that is VEB Horch & Guck 3.0 RC1, or i am wrong.

MAM

[ShyWriter]

Thanks Comprev and Pete.. Always a pleasure to spread the word.

Steve

[exile360]

The last I heard, Eugene Kaspersky of Kaspersky Labs said they refused to whitelist backdoors used by government agencies (one by the FBI as I recall) when they were asked to even though most AV vendors had complied with the FBI's request because he felt that it was their job to protect users from any such threat, regardless of the source or intended use, though that policy may have changed.

[mountaintree16]

Wow.

Exile,

good to know

[GT500]

The last I heard, Eugene Kaspersky of Kaspersky Labs said they refused to whitelist backdoors used by government agencies (one by the FBI as I recall) when they were asked to even though most AV vendors had complied with the FBI's request because he felt that it was their job to protect users from any such threat, regardless of the source or intended use, though that policy may have changed.

The FBI... has ways... of changing corporate policies...

[exile360]

The FBI... has ways... of changing corporate policies...

In the US, yes, but I'm not too sure about a company based in Russia.

[ShyWriter]

OOps, somthing was faster as me, for reporting this Government Observer , well that is VEB Horch & Guck 3.0 RC1, or i am wrong.

Took me forever to decipher that. My German sucked in 1955 and I never got any better at it. The languages learning part of my brain has been disconnected since well before I took Latin in HS and barely got out with a D The Ministry of State Security.. the Stasi.. Yep; the more they go, the more they know. You, sir, are not wrong at all. The walls came down but the spies on all sides still slink in the dark; yes?? I think the "Clipper Chip" was the first attempt to get at us (American "us" as opposed to everyone else) from our own *people*..

Echelon now takes care of us.. ALL of us.. as well as ALL of you (plural)..

Steve

EDIT: After Al Gore "invented" the internet he was smack dab in the middle of the Clipper Chip committee deliberations.

Edited October 10, 2011 by ShyWriter

[GT500]

In the US, yes, but I'm not too sure about a company based in Russia.

Why would Kaspersky be allowed to sell software in the United States if it did not comply with the U.S. government? Remember, we live in a police state, and not a free country.

Really just depends on how upset the FBI was about it. If they want you to do something, then they can force you to do it, usually by applying political pressure to the government in your home country or by pulling the strings to restrict your ability to sell/buy/etc. in the USA.

[exile360]

Why would Kaspersky be allowed to sell software in the United States if it did not comply with the U.S. government? Remember, we live in a police state, and not a free country.

Really just depends on how upset the FBI was about it. If they want you to do something, then they can force you to do it, usually by applying political pressure to the government in your home country or by pulling the strings to restrict your ability to sell/buy/etc. in the USA.

Yep, good point, but as I understand it (at least the way things currently work), they can only get such items whitelisted by request from AV vendors, not by force (i.e., there's no legal way for them to force AV's to not detect their backdoors etc., at least none that I've ever heard of them pursuing, most AV vendors just comply because it is a request from a government agency).

[ShyWriter]

Why would Kaspersky be allowed to sell software in the United States if it did not comply with the U.S. government? Remember, we live in a police state, and not a free country.

Really just depends on how upset the FBI was about it. If they want you to do something, then they can force you to do it, usually by applying political pressure to the government in your home country or by pulling the strings to restrict your ability to sell/buy/etc. in the USA.

Arthur; it's the black helicopters, no access to lawyers or a phone call, semi-permanent "disappeared" status among other things that scare the be'jesus out of me..

As for police state, we're not as bad (YET) as the former East Germans Ministry of State Security and the before-the-wall-came-down Russian KGB.

Then there's the people put away for Marijuana distribution/sale that pull more jail time than actual drug dealers and murderers. Wait; sorry; that's another story.. nevermind.

Steve

[exile360]

Getting a bit OT here, remember, this isn't about the government or its policies, it's about antivirus vendors and their response to requests made by government agencies .

[MAM]

Can you trust your antivirus, really ?

Please read this, Anti-virus software fails to deal with government trojan, Source: http://www.h-online.com/security/news/item/Anti-virus-software-fails-to-deal-with-government-trojan-1360015.html

What is your opinion ?

MAM

[cnm]

However, a test conducted by The H's associates at heise Security on Monday found that programs such as Ikarus, Panda, Trend Micro and McAfee stopped issuing alerts as soon as even a minimal change was made to the file. The testers simply replaced the capital O in the "DOS" string with a small o.

http://www.h-online.com/security/news/item/Anti-virus-software-fails-to-deal-with-government-trojan-1360015.html