Monday, October 10, 2011

German 'Government' R2D2 Trojan FAQ

Via Naked Security Blog (Sophos) -

What has happened?
A Trojan horse has been discovered that is capable of spying on Skype internet calls, monitoring the online activity of infected computers, logging keystrokes, and updating its functionality via the net. The Trojan, which most anti-virus vendors are calling "R2D2", but is also referred to as "0zapftis" or "Bundestrojaner", was announced by the famous Chaos Computer Club (CCC).
Why is the Trojan called R2D2?
The name comes from a string of characters embedded inside the Trojan's code: C3PO-r2d2-POE
Where did the CCC get the malware from?
German lawyer Patrick Schladt has told the media that the Trojan horse was found on the hard disk of one of his client's computers.

The malware was allegedly installed onto the computer as it passed through customs control at Munich Airport.

Schladt was defending his client against charges that fall under German law related to pharmaceuticals.

When the suspect and his legal team examined the digital evidence against them, they found evidence that suggested a Trojan had been present - and the hard disk was shared with the CCC with the permission of Schladt's client.

The CCC were able to use forensic software to restore deleted files from the hard drive, uncovering the R2D2 Trojan horse.
Why is the Trojan so newsworthy?
The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA. Furthermore, Schladt claims that the Customs department was also involved in the planting of the malware.
[...]

Shouldn't you guys work with the law enforcement agencies and deliberately not detect their malware?
We detect all the malware that we know about - regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers' computers regardless of whether they may be state-sponsored or not.

If you think about it - there is no sensible alternative. What's to stop a cybercriminal commandeering a law enforcement Trojan and using it against an innocent party?

Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not for us to cripple our software.

---------------------------------------------------------------------------------------------

Several German States Admit Use of Controversial Spy Software
http://www.dw-world.de/dw/article/0,,15449054,00.html

Three additional German states have admitted to deploying spyware in order to investigate serious criminal offenses, according to regional media sources.

The interior ministers of the states of Baden-Württemberg, Brandenburg and Lower Saxony said that regional police had used the software within the parameters of the law. In Lower Saxony, the software has been in use for two years, according to the public broadcaster NDR.

Authorities in Brandenburg, meanwhile, told the daily Berliner Morgenpost that they are currently using the spyware in a single, on-going investigation. Baden-Württemberg has also used such software to investigate "individual cases," according to the Badische Zeitung.

Officials in the southern German state of Bavaria were the first to confirm late Monday that their agencies have been using a spyware program since 2009. It remains unclear whether all four states had been using the same software or not.


-------------------------------------------------------------------------------

On Oct 10th, Microsoft added signatures for the R2D2 trojan, following the lead of most other AV vendors.

Three samples outlined by Sophos on VirusTotal...

Sample 1: SHA-1 = 7bd8d737460c1dbbfc4b250fb1b6b906ed643a2d
Sample 2: SHA-1 = e4f07b5a443cd99fd45cb5e1445ac2c1be4b455e
Sample 3: SHA-1 = a6a0f45180f5b3390ee2ef21fe4b89813ed641f4
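The three SHA-1 hashes above and the "C3PO-r2d2-POE" marker string mentioned earlier are the only indicators this page gives, so here is an added example (not code from Sophos, Microsoft, the CCC or the original post) of how a responder would turn them into a simple file check: hash every file under a directory, compare against the known SHA-1 list, and additionally look for the embedded marker so that a sample whose hash is not yet on the list can still be flagged. The function names, the CONSTRUCTED_SAMPLE byte string and the directory-walk behaviour are all assumptions of this example; only the hashes and the marker come from the page.

```python
import hashlib
from pathlib import Path

# Indicators taken from the page: the three SHA-1 values Sophos listed on
# VirusTotal, and the string embedded in the Trojan that gave it its name.
KNOWN_SHA1 = {
    "7bd8d737460c1dbbfc4b250fb1b6b906ed643a2d",
    "e4f07b5a443cd99fd45cb5e1445ac2c1be4b455e",
    "a6a0f45180f5b3390ee2ef21fe4b89813ed641f4",
}
MARKER = b"C3PO-r2d2-POE"

# Constructed stand-in for a file body; it is NOT a real sample, it merely
# carries the marker so the string check has something to find offline.
CONSTRUCTED_SAMPLE = b"MZ\x90\x00" + b"\x00" * 32 + MARKER + b"\x00" * 32


def sha1_hex(data: bytes) -> str:
    """SHA-1 of a byte string as lowercase hex, the form VirusTotal reports."""
    return hashlib.sha1(data).hexdigest()


def classify(data: bytes) -> dict:
    """Report which of the page's indicators match one file's contents.

    hash_match   - exact SHA-1 hit against KNOWN_SHA1 (catches the known
                   samples only; a single changed byte defeats it)
    marker_match - the C3PO-r2d2-POE string is present (looser, survives
                   small recompiles, but trivially removable by the author)
    """
    digest = sha1_hex(data)
    return {
        "sha1": digest,
        "hash_match": digest in KNOWN_SHA1,
        "marker_match": MARKER in data,
    }


def scan_tree(root: str) -> list:
    """Walk a directory and return (path, result) for every file that
    matched at least one indicator. Files are read whole, which is fine
    for a triage pass over user-writable locations but not for huge images."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            # Unreadable files (locked, permissions) are skipped, not fatal.
            continue
        result = classify(data)
        if result["hash_match"] or result["marker_match"]:
            hits.append((str(path), result))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for p, r in scan_tree(target):
        print(f"{p}: sha1={r['sha1']} hash={r['hash_match']} marker={r['marker_match']}")
```

Run it as `python scan.py /path/to/check`. Two caveats follow directly from the story above: the CCC only found the Trojan after restoring deleted files with forensic tooling, so a live-filesystem walk like this one will miss a wiped installation and needs to be run over a carved image instead; and both checks are brittle by design, since a rebuilt sample changes the hash and the marker string can be dropped at will, which is exactly why the AV vendors moved to proper signatures rather than shipping the hashes alone.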
