Two weeks later things have changed considerable. Several German states acknowledged that the backdoor was used by German police forces to spy on communication software installed on computers. According to the news spyware programs were in use since 2009.

The initial analysis of the contents was far from complete. Security experts at F-Secure and Kaspersky posted the results of their analysis recently which offer a more detailed view of the malware’s capabilities.

Kaspersky discovered that the trojan installer supports both 32-bit and 64-bit Windows operating systems. Experts previously assumed that only 32-bit systems could be targeted by it.

The second finding is a list of applications that the trojan has been designed to monitor. This list is larger than the initial list that the Chaos Computer Club published. A total of 15 applications are listed, including Firefox, Explorer, Opera, Skype, Microsoft Messenger, ICQ and Yahoo Messenger.

The trojan injects code into those processes:

Code injection into target processes is carried out by the dropper, two user-mode components and also a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications. This new driver starts an additional thread that constantly loops over the current list of running processes and injects a DLL into each whose image name matches an entry from the following list:

The 64-bit Kernel driver is limited in its functionality compared to the 32-bit component.

Contrary to the 32 bit version, the 64 bit driver does not contain any process infection functionality but only provides a rudimentary privilege escalation interface through file system and registry access. Similar to its brother, it creates a device and implements a basic protocol for communicating with user-mode applications.

Kaspersky identified the a 1024 bit RSA certificate issued by Goose Cert on April 11, 2010.

The F-Secure blog has more information on how the backdoor was installed on target systems.

In one case, the trojan was installed on a suspect’s laptop while he was passing through customs & immigration at the Munich International airport.

The existence of a 64-bit component, the monitoring of additional processes and information on how the trojan was installed on systems confirms that there has been more to that state sponsored trojan than initially assumed. The majority of security software available should detect the backdoor by now.

The alternative is an application like F-Secure’s Online Scanner which can be started from a web browser. This particular application is a Java app which means that the latest Java Runtime Environment (JRE) needs to be installed on the system.

Users can visit the official website to start a scan of their computer system right away. The online application uses up to date virus and threat definitions that F-Secure maintains for all of their products.

When you start the online app you are asked to select a scan mode. Available for selection are quick scan, which only scans the most important files and folders of the system, a full scan or a custom scan. Custom scan can be configured on an extra screen in the program interface.

Here it is then possible to scan all or only selected folders and file types. The program itself will scan for malware, spyware, rootkits using a database of known virus signatures and heuristics to identify unknown threats.

The program then downloads files from the Internet which may take some time depending on the Internet connection. The scan time depends largely on the selected mode and the speed of the system.

The application displays a summary after the scan highlighting potentially malicious files. These files can be deleted from the system and send to F-Secure as a sample (handy if heuristics identified an unknown threat that F-Secure has no information about).

The program is easy to use and comes with enough customizations for advanced uses. I would not recommend relying solely on online scanners for security though, but would recommend them for additional security scans on a regular basis. You can check out our overview of online virus scanners here.

F-Secure Anti-Theft For Mobile is a free security software for cell phones running Symbian OS, Windows Mobile or Android. It offers several options to take control of the situation.

The key features of Anti-Theft for Mobile are the ability to remotely lock the cell phone, locate it and to wipe its data in case it looks like the phone is lost forever.

anti theft for mobile

The software reacts on remote commands send via SMS to the phone. Here are the available commands and their action:

• Send #lock#YourCode to the stolen or lost phone. Will lock the phone, only option to unlock it is to enter the correct password.
• Send #locate#YourCode to the phone. Locates the phone and displays a link to Google Maps that can be used to find out where the phone is located.
• Send #wipe#YourCode to the phone to delete all confidential data on the phone.

F-Secure Anti-Theft For Mobile will immediately lock the phone if the SIM card is changed in the phone. The new cell phone number is automatically send to the owner of the phone.

Take a look at the following video that visualizes all the features.

F-Secure Anti-Theft For Mobile is available for free at the F-Secure website. A more advanced version is available for upgrade adding additional security features like a firewall or virus protection. (via Techmixer)

Here is how Mikko describes what happended in his blog: He posted a warning about a new MySpace phishing website two month ago as a tweet using his Twitter account. This message contained an unclickable url of the phishing website to warn users and spread the word.

Twitter, after two months, figured that the url was a phishing url and made the decision to suspend the account. It is not clear if this was an automatic or manual suspension. The Twitter account of Mikko was restored after two days and the following explanations was given:

I’ve unsuspended your acct.
You were suspended for using the malware URL rnyspeceDOTcom in DMs.
Be careful!
We scan evrythng for malware.

To make matters worse all of his followers and people that he followed were not restored. Both counts showed 0.

The whole incident raises several questions:

• Why was the Twitter account banned after two months and not immediately?
• Why did no one notify the Twitter user about the suspension
• Why did it take two days to restore the account
• Why can’t the followers and followed be restored

Twitter’s reaction fell short and put the blame on the Twitter user rather on an ineffective way of handling the incident. Until things change Twitter users should be very careful what they post in Twitter.

The following links point to antivirus software programs that can be downloaded as trial versions. These trial versions can be used for either 30 days or 90 days without payment.

Which antivirus software developers are offering 90 day trials?

• McAfee VirusScan Plus [link]
• McAfee Internet Security [link]
• McAfee Total Protection [link]
• Norton Antivirus [link]
• Norton 360 [link]

Which antivirus software developers are offering 30 day trials?

• Kaspersky Antivirus [link]
• Kaspersky Internet Security [link]
• Bitdefender Antivirus [link]
• Bitdefender Total Security [link]
• Bitdefender Internet Security [link]
• ESET Smart Security [link]
• ESET Nod32 Antivirus [link]
• Trend Micro Internet Security Pro [link]
• Trend Micro Internet Security [link]
• Panda Security Antivirus [link]
• Panda Antivirus Pro [link]
• F-Secure Internet Security [link]
• F-Secure Antivirus [link]

Please let us know in the comments if we have missed a product.

Some notes: This article does not rate the antivirus software programs. There might be free programs out there that are comparable to the listed antivirus products. The only problem with this method is that users need to install different antivirus software regularly. This not only means more work for the user but also the requirement to get used to new software products.

Many antivirus companies are running promotions every now and then that offer longer trial versions for download. This will obviously help tremendously.

Any thoughts or ideas?

Area two will do the same for backup software. It will list installed backup software and inform the user about the state that the installations are in. Area three which is probably the most interesting one to many Windows users will check various critical software programs and compare their version with the one in the F-Secure database. Health Check in this step checks programs like Microsoft’s Internet Explorer, the Adobe Flash plugin, Mozilla’s Firefox or Sun’s Java runtime.

The information in the solution tab obviously depend on the results of the system scan. A solve button will be displayed if problems have been found in one of the areas that have been investigated by the program. The solutions do fall a bit short, at least in the security tab as the program suggests to use F-Secure products to solve the problem.

It is only natural that a company wants to promote their products. The web application would however be useful to more users if they would have added some choice to the diagnosis. The new beta version of F-Secure Health Check 2 has ditched Microsoft’s ActiveX technology for Java. This means that it is now compatible with a wider range of Internet browsers. The developers list Internet Explorer and Firefox only but it has been successfully tested with Google Chrome as well which increases the chance that other web browsers that support Java will run the application fine as well.

Users who want to give F-Secure Health Check 2 Beta a try can go to the F-Secure website to run it from there.

Some plugins and add-ons help against these types of exploits and attacks. Notable is for instance the NoScript add-on for the Firefox web browser which disables script unless the user has explicitly given permission. The problem with these exploits on the other hand is that they might appear on trusted websites in the form of manipulated banner advertisement.

F-Secure Exploit Shield could be the solution against most of these attacks and exploits. The security software program, which is currently offered as a beta version for Microsoft’s Internet Explorer and Mozilla Firefox, uses a vulnerability shield and proactive measures to protect computer systems against these forms of attacks,

Vulnerability shields offer patch equivalent protection. They are usually hotfixes created by F-Secure employees that protect against known web browser exploits. The proactive shield on the other hand uses heuristics to identify and block unknown or unidentified web browser exploits.

F-Secure Exploit Shield can be downloaded from the Labs section of the company’s website. It is currently compatible with 32-bit editions of Windows XP, Windows Vista and Windows 7 and protects Mozilla Firefox and Internet Explorer web browsers on these computer systems.

An Active X control has to be downloaded prior to the scan. A health report is generated in the end that is displaying red, yellow and green icons in various categories. Red items are critical, yellow medium and green safe. My test results have been mixed. I did receive several red icons in some categories because of programs that were not included in my security concept. The red icon in the security products category for instance was there because of the disabled Windows Firewall and no other firewall that was installed.

It did not detect the hardware firewall of my router. What I want to say is that even though some elements are marked as insecure they might not be in your special case. Another example was the yellow icon in the Sending Mail category which was there because of an old backup version of Eudora 5 which I do not use anymore. I think I did receive a yellow rating because of two up-to-date email applications (Thunderbird and Outlook Express).

The most interesting categories in my opinion are the following two: Opening multimedia files and documents & Using other programs. It did detect some outdated applications (that I do not use regularly or forgot about). What I really like is the option to solve the issue right away by clicking on the solve button. This normally leads to a page where the updated application or patch can be downloaded.

It does not take long to update all the applications listed this way. F-Secure Health Check is an interesting service that excels in solving issues that have been found. A pity that it only works in Internet Explorer and that it requires Active X.