Can you trust your antivirus solution to protect you against governmental backdoors and "lawful interception" police Trojans?


Summary: Who can you trust to protect your systems from governmental snooping?


Any antivirus tool worth its salt should offer you comprehensive protection against malware created by bad guys who are out to do you harm. But what about protecting you against governmental backdoors or "lawful interception" police Trojans?

My blogging colleague Ed Bott reports that the Chaos Computer Club, a group of well-respected German hackers, has discovered in the wild what it claims is a backdoor Trojan created by the German government and used as 'a lawful interception malware program'.

The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

CCC analysis of the Trojan can be found here [PDF, German].

[UPDATE: As Bott points out, F-Secure doesn't speculate on the origin of the backdoor, but, as the German newspaper Frankfurter Allgemeine Zeitung (Frankfurt General Newspaper) points out, the existence of this backdoor is known in Germany, where it has been publicly discussed.]

Security firm F-Secure has analysed the Trojan and come to the following conclusions:

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

We do not know who created this backdoor and what it was used for.

We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

Pretty serious stuff. So who can you trust to protect you from 'government' malware? Well, I was impressed by F-Secure's statement on detecting governmental backdoors or "lawful interception" police Trojans:

In late 2001, F-Secure Corporation received various queries on our standpoint regarding the possibility of spying programs developed by various governments. Much of this discussion was generated by media coverage of a rumored backdoor trojan known as "Magic Lantern", developed by the FBI or NSA in the USA. Discussion increased as several US-based anti-virus vendors made comments implying they would on purpose leave a backdoor in their anti-virus products to allow such a spying program to work.

Thus, F-Secure Corporation would like to make known that we will not leave such backdoors in our F-Secure Anti-Virus products, regardless of the source of such tools. We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws.

We will also be adding detection of any program we see that might be used for terrorist activity or to benefit organized crime. We would like to state this for the record, as we have received queries regarding whether we would have the guts to detect something obviously made by a known violent mafia or terrorist organization. Yes we would.

That's good to know!

F-Secure detects this new malware as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan, "C3PO-r2d2-POE", which the Trojan uses internally to initiate data transmission.
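Turning the two indicators the post reports into a check, as an added example that is not code from the post, the CCC report or F-Secure: the script below sweeps file contents for the "C3PO-r2d2-POE" string and a firewall log for connections to the two server addresses 83.236.140.90 and 207.158.22.134 listed above. The file bytes, file names, log lines and ports are constructed for the example; the log layout follows the field order of the Windows Firewall pfirewall.log (date, time, action, protocol, source, destination, source port, destination port). Checking for a UTF-16LE copy of the string as well as the ASCII one is an assumption about how a Windows binary might store it, not something either analysis states.

```python
"""
Added example, not code from the post, the CCC report or F-Secure.
Indicators used: the internal string "C3PO-r2d2-POE" and the two server
addresses 83.236.140.90 and 207.158.22.134, as reported above.
Everything else (file names, log lines, ports) is constructed.
"""
from typing import Dict, List, Optional
import ipaddress

# Indicators from the post.
MARKER = b"C3PO-r2d2-POE"
# Assumption: a Windows binary may hold the string as UTF-16LE; neither
# analysis quoted above says which encoding is used, so check both.
MARKER_WIDE = MARKER.decode("ascii").encode("utf-16-le")
C2_SERVERS = frozenset({"83.236.140.90", "207.158.22.134"})


def scan_bytes(data: bytes) -> List[str]:
    """Return the encodings ("ascii", "utf-16le") in which the marker occurs."""
    found = []
    if MARKER in data:
        found.append("ascii")
    if MARKER_WIDE in data:
        found.append("utf-16le")
    return found


def parse_firewall_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one line laid out like the Windows Firewall pfirewall.log:
    date time action protocol src-ip dst-ip src-port dst-port ...
    Returns None for comments, headers, blank and malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    date, clock, action, proto, src, dst, sport, dport = fields[:8]
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        sport_n, dport_n = int(sport), int(dport)
    except ValueError:
        return None
    return {"time": f"{date} {clock}", "action": action, "proto": proto,
            "src": src, "dst": dst, "sport": sport_n, "dport": dport_n}


def c2_connections(log_lines) -> List[Dict[str, object]]:
    """Records whose destination is a listed server. DROP entries are kept:
    a blocked beacon still identifies a host worth looking at."""
    hits = []
    for line in log_lines:
        rec = parse_firewall_line(line)
        if rec is not None and rec["dst"] in C2_SERVERS:
            hits.append(rec)
    return hits


def sweep(files: Dict[str, bytes], log_lines) -> Dict[str, object]:
    """Run both checks; files maps a path to its contents."""
    file_hits = {}
    for path, data in files.items():
        encodings = scan_bytes(data)
        if encodings:
            file_hits[path] = encodings
    return {"files": file_hits, "connections": c2_connections(log_lines)}


# Constructed sample data (not from the report): a fake PE header with the
# marker as a narrow string, a clean file, and a blob holding it wide.
SAMPLE_FILES = {
    "sample_a.bin": b"MZ\x90\x00" + b"\x00" * 64 + MARKER + b"\x00",
    "benign.bin": b"MZ\x90\x00" + b"\x00" * 64 + b"nothing to see",
    "sample_c.bin": b"\x00" * 16 + MARKER_WIDE + b"\x00\x00",
}

# Constructed log in pfirewall.log layout; the destinations and ports are
# made up for the example.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2011-10-09 14:02:11 ALLOW TCP 192.168.1.20 83.236.140.90 49212 443 0 - 0 0 0 - - - SEND
2011-10-09 14:02:15 ALLOW TCP 192.168.1.20 198.51.100.7 49213 80 0 - 0 0 0 - - - SEND
2011-10-09 14:05:40 DROP TCP 192.168.1.21 207.158.22.134 50100 443 0 - 0 0 0 - - - SEND
this line is not a log record
"""

if __name__ == "__main__":
    report = sweep(SAMPLE_FILES, SAMPLE_LOG.splitlines())
    for path, encodings in report["files"].items():
        print(f"marker found in {path} ({', '.join(encodings)})")
    for rec in report["connections"]:
        print(f"{rec['time']} {rec['action']} {rec['src']} -> {rec['dst']}:{rec['dport']}")
```

Run it as a script to print the hits; on a real host you would feed it the contents of suspect files and the actual firewall log instead of the constructed samples. A string and two addresses are a narrow indicator set, so a clean sweep says only that this particular sample is not present, nothing about re-compiled variants.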

Do you trust your antivirus solution to protect your systems from governmental snooping?


Talkback

21 comments
  • Lack of Transparency with Windows and Proprietary Programs

    The problem with proprietary applications is the inherent lack of transparency.

    The proprietary nature of applications being distributed with binaries only, machine-readable executables means that just about any kind of action can be taken by a program and remain hidden until execution occurs.

    There's no way to know unless you are inclined to use a reverse assembler and understand the minutiae of assembler code.

    With GNU/Linux, open source, there is always available source code to which one can refer to determine the details for how a program operates. This is a central tenet of the Free Software Foundation GNU General Public License.

    It is thus extremely difficult for code to be written that would contemplate 'back doors' without it being noticed.

    Ubuntu Linux GnuPG keyring-protected repository programs are vetted along with their community contributing authors before any program can be admitted for inclusion and distributed to end-users.

    Transparency.
    Dietrich T. Schmitz *Your
    • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

      @Dietrich T. Schmitz * Your Linux Advocate

      Let's be fair though and state that unless one happens to be a skilled programmer well versed in all different types of programming, from databases to games, one can't realistically examine all of the code. The Kernel has over 10 million lines of code! Even then, I wouldn't know for SURE that the code was what was really in the binary or that the binary hadn't been modified, requiring me to install Gentoo Linux from a Stage 1 tarball and compile every program on the system myself after having examined all of the code, including the 10 million kernel lines.

      Regarding it being extremely difficult for code to go unnoticed, in theory this is true but recall not too long ago a dangerous vulnerability was found in the x server code that would have let an exploiter gain root privileges and had been present for many years but no one had noticed it previously.

      So, Linux makes OS-level backdoors less likely, but certainly not impossible.

      Anyway, the whole article feels likes a time warp to me. As F-Secure's statement says, this discussion came up during the period of the "carnivore"/"Magic Lantern" flap, and various vendors went on record ten years ago stating that they would detect any malware, regardless of its origin. Thus, we already knew the answer to the question asked in the headline of this article.
      jgm@...
      • Extremely difficult vs. Child's Play

        @jgm@...
        Extremely difficult doesn't mean 'impossible'.

        With Windows, unless your PC is set to restrict to using signed binaries, it's child's play to have an executable do what you want provided you have managed to have an end-user unwittingly deploy your application.

        Your reference is to an X server code 'vulnerability'-- not a known 'exploit' in the wild and as such isn't relevant to the current topic of explicit code written with a bent on performing 'malicious or unethical' activities, per se.
        Dietrich T. Schmitz *Your
      • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

        @jgm@...

        This is true, it would be too much of a task for one person to do all of that.

        Which is exactly why the Linux Community is such a great thing.

        With many chipping in, we can all achieve the desired result, and feel confident once we've done so.
        UrNotPayingAttention
      • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

        "With Windows, unless your PC is set to restrict to using signed binaries, it's child's play to have an executable do what you want provided you have managed to have an end-user unwittingly deploy your application."

        That's blatantly false. You'd have to bypass an increasingly larger number of security measures, including DEP, UAC, stack protection, kernel patch protection, file permissions, etc. Otherwise you're very restricted in what you can do.
        CobraA1
        • That has nothing to do with a user downloading voluntarily

          @CobraA1
          that 'must-have', 'great game' which playfully, silently deploys a trojan backdoor.

          If the game came from a controlled repository where all binaries are accompanied by their control source code, then one could readily identify suspicious coding before an App gets approved for addition to said repository.

          Get it?
          Dietrich T. Schmitz *Your
      • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

        @Dietrich

        You're forgetting about the repository that was hacked a while ago and served a game server with a backdoor in it for MONTHS before anyone noticed. On top of that, distros like Gentoo and Sabayon basically just dump source code into their repositories... despite what has been argued here, no one's checking all of the source code before putting it into their repositories.

        "Your reference is to an X server code 'vulnerability'-- not a known 'exploit' in the wild and as such isn't relevant to the current topic of explicit code written with a bent on performing 'malicious or unethical' activities, per se. "

        It's functionally equivalent. For all you know, this "vulnerability" could have been introduced by a developer on purpose. This is like arguing that an incident where a passenger accidentally brings a loaded handgun in their carry-on luggage onto a plane isn't relevant to a discussion about how airline security prevents terrorists from intentionally bringing guns onto planes.

        "With many chipping in, we can all achieve the desired result, and feel confident once we've done so. "

        Fair enough, but let's be honest about it - in many distros and in many different areas it simply isn't being done today. It's a theoretical advantage and to the extent that it is done it provides an added layer of security, but it's not anywhere near universal (see most rolling distros, from Gentoo's code dumps to Arch's unsigned packages) nor infallible (see long-standing X server vulnerability).

        I object to certain people's ;-) advocacy to the point where they make it sound invulnerable. It's not. Heck, today TechRadar ran an article titled "20 Ways To Break Linux". And the entry "enable PulseAudio" is very, very true. :-)
        jgm@...
    • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

      @Dietrich T. Schmitz * Your Linux Advocate

      No one cares about Linux. Sheesh. Most distros and open source software are third rate compared to their commercialized cousins. I know of no one who wants to sit and stare at code all day long.
      The one and only, Cylon Centurion
      • Let's see

        @Cylon Centurion
        We are discussing *how* or *if* Windows users should trust their AV programs to identify hidden backdoor executables.

        Your short-sightedness keeps you from seeing that Windows is 'less than' first rate or we wouldn't be reading this story.

        There are many lessons to be learned weed-hopper. Work harder.
        Dietrich T. Schmitz *Your
      • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

        @D

        "We are discussing *how* or *if* Windows users should trust their AV programs to identify hidden backdoor executables."

        And they do exactly that. If they didn't, then F-Secure would be here telling us about it.

        But the truth is, no one is choosing Linux. Your average Joe User has no interest in learning code, and certainly has no interest in sitting there forever looking through it. And if they're still gullible enough to be installing crap, moving them to another OS, without fixing the underlying problem, isn't going to help them. They'll just be as gullible on Linux as well. And Android has shown us, Linux isn't as invulnerable as you claim.
        The one and only, Cylon Centurion
        • Still not getting it

          @Cylon Centurion
          How do you keep backdoors from getting into the code base in the first place?

          *That* is the fundamental issue for Windows and is a key differentiator for the benefit of Transparency[1].

          ----------------------------
          [1] P.S. Nowhere did I claim 'Linux is invulnerable.'
          Dietrich T. Schmitz *Your
      • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

        @Cylon Centurion
        "No one cares about Linux. Sheesh"

        For the record, that statement is patently false. And, programmers stare at code all day long. You probably don't know any, which is fine. That would be programmers and developers for Windows, MacOS, and Linux. Stop trolling and bring an intelligent perspective to the conversation.

        By the way, in case you missed it, check out this Washington Post article from a while back:
        http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html

        I'll quote a line: "But regardless of the methods used by the bank or the crooks, all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer."

        Those who know security, except for those who make their living selling guys like you anti-virus software, do not run Windows. See? I responded and also linked a relevant post to the conversation. That's how you discuss things on the Internet ;)
        dequire
    • RE: Lack of Transparency with Windows and Proprietary Programs

      @Dietrich T. Schmitz * Your Linux Advocate

      Which of the Free GNU/Linux distros do you use, gNewSense, Trisquel? There are more listed here:

      http://www.gnu.org/distros/free-distros.html

      One could also use Debian and eschew the non-free repository (as well as the unofficial multimedia repository). Ubuntu, which you often recommend, is not even close. Even SJVN has referred to Ubuntu as 'proprietary' Linux. And periodically takes potshots at Stallman. Hmmm ... what if a three-letter agency approached Adobe with a 'tweak' for Flash Player?

      Also, you have previously touted LSM in the Linux kernel wrt AppArmor. Guess what three-letter agency worked hard to include SELinux in the Linux kernel? And guess how it was implemented? The grsecurity dev has publicly warned that the LSM hooks in the kernel "will allow for a new generation of sophisticated backdoors and rootkits that will be nearly impossible to detect":

      http://grsecurity.net/lsm.php

      Now, do the math.

      Back on topic, if these governmental organizations want access to one's PC, they will get it. One way or another. No matter the OS.
      Rabid Howler Monkey
    • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

      @Dietrich T. Schmitz * Your Linux Advocate

      You really don't have any modern software or that many applications, do you? ;-)

      I could also go back to an abacus, but the games suck.
      tonymcs@...
  • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

    Well, seeing as how most security companies are third parties.... yes.
    The one and only, Cylon Centurion
  • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

    And it's a good thing that the EU has at least some people with common sense, so EU laws shouldn't be much trouble. They even have Pirate Party members there!
    nettimies
  • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

    I use both Linux & Windows - truth told, I feel much safer with Linux :)

    I also use F-Secure on two laptops and a main workstation and it is great AV for Windows.
    teksquisite
  • A decent Firewall program

    should at the very least tell you that a program is attempting to open ports. This is what normally leads me to investigate the application and, if need be, reverse engineer it to see where it came from and what it is trying to do.

    If your firewall is doing its job you should be notified, and that is when you can take action. McAfee thus far has been invaluable to me in this context.
    DS-Solutions
    • RE: Can you trust your antivirus solution to protect you against governmental backdoors and

      @DS-Solutions

      The default Windows 7 firewall does the same. It throws up flags every time I download a Google Earth update. I have to go in and allow it each time.
      The one and only, Cylon Centurion
  • What prevents the government from issuing a national security letter?

    What prevents the government from issuing a national security letter to the anti-virus companies? These letters come with their own gag order built in to prevent disclosure that one was even issued.
    H78f4KsfbBiFqJq