
German Government Paid €2M for R2D2 Malware

New information from F-Secure indicates that the German government appears to have paid roughly €2 million for the Federal Trojan, which the Chaos Computer Club (CCC) analyzed and publicly reported on last weekend. In addition, several German states have confirmed that the software has been used, according to local media.

A report from Germany's Deutsche Welle includes a roundup of several regional news items, which state that the "Bundestrojaner" ("Federal Trojan"), R2D2, has been in use for years. The officials speaking on the matter maintain that every deployment of the Trojan fell within the law. The most recent installations involved drug-related cases.

Officially, the software's name is Skype Capture Unit; the Federal Trojan and R2D2 names come from the CCC's report. Examining the installer, F-Secure was able to determine that the malware was written by a company called Digitask from the city of Haiger, Germany. The German government paid the company €2,075,256.07 for the software contract.

In its 20-page report on the malware, the CCC notes that the software was said to be used for lawful interception only, giving German authorities the ability to monitor VoIP communications. After static analysis, however, the CCC found there was far more to the program than Skype.

In addition to recording Skype calls, as permitted by court order, R2D2 also eavesdrops on MSN Messenger, Yahoo Messenger and ICQ. It can capture keystrokes in Opera, Firefox, Internet Explorer and SeaMonkey. Finally, it takes screenshots of whatever is on the screen at the time, saved as low-quality JPEGs.

The overall functionality of R2D2, “...refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired [by German authorities]," commented a CCC speaker.

“Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”

The CCC was dismayed to discover that R2D2's poor design and implementation effectively give anyone access to an infected host. For its research, the CCC was able to build its own control tool to manage the software.

“This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone,” the CCC’s report added.
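The CCC's point is that a remote-control component on a compromised machine is only as "owned" by the agency as its command channel is bound to that agency. The following is an added illustration, not code from the CCC report, from Digitask, or from the trojan itself: the wire format, command names, key handling and counter scheme are all invented here to show the general failure mode, and nothing in it should be read as R2D2's actual protocol. It contrasts an agent that runs any well-formed command it receives with one that runs only commands carrying a valid HMAC under a per-deployment key and a fresh counter.

```python
"""Added example: why an unauthenticated control channel is open to everyone.

Everything below (JSON framing, 'counter' replay guard, command names such as
'upload_and_execute') is a constructed illustration of the general problem,
not a description of R2D2's real command protocol.
"""
import hashlib
import hmac
import json
import secrets


class UnauthenticatedAgent:
    """Failure mode: any sender who can reach the agent can drive it."""

    def __init__(self):
        self.executed = []

    def handle(self, frame: bytes) -> bool:
        try:
            cmd = json.loads(frame)
            name = cmd["cmd"]
        except (ValueError, KeyError, TypeError):
            return False
        # No check of who sent this; the frame only has to parse.
        self.executed.append(name)
        return True


class AuthenticatedAgent:
    """Accepts a command only if it is tagged with HMAC-SHA256 under a key
    that exists solely on the operator side, and only if its counter is
    strictly greater than the last one seen (blocks replay of captured frames).
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.executed = []

    def handle(self, frame: bytes) -> bool:
        try:
            env = json.loads(frame)
            body = env["body"].encode()
            tag = bytes.fromhex(env["tag"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the tag check itself leaks nothing useful.
        if not hmac.compare_digest(tag, expected):
            return False
        cmd = json.loads(body)
        if cmd.get("counter", 0) <= self.last_counter:
            return False  # replayed or stale frame
        self.last_counter = cmd["counter"]
        self.executed.append(cmd["cmd"])
        return True


def sign_frame(key: bytes, counter: int, cmd: str) -> bytes:
    """What the legitimate operator sends: body plus HMAC over the body."""
    body = json.dumps({"counter": counter, "cmd": cmd}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def demo() -> dict:
    """Runs the same traffic against both agents and reports what each did."""
    key = secrets.token_bytes(32)  # per-deployment secret, operator-only
    # Constructed sample: a frame from some third party on the same network.
    rogue = b'{"cmd": "upload_and_execute", "counter": 1}'

    weak = UnauthenticatedAgent()
    strong = AuthenticatedAgent(key)
    legit = sign_frame(key, 1, "screenshot")

    return {
        "weak_accepts_rogue": weak.handle(rogue),
        "strong_rejects_rogue": not strong.handle(rogue),
        "strong_accepts_operator": strong.handle(legit),
        "strong_rejects_replay": not strong.handle(legit),
        "strong_rejects_forged": not strong.handle(sign_frame(b"guess", 2, "keylog")),
        "weak_ran": list(weak.executed),
        "strong_ran": list(strong.executed),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unauthenticated agent is exactly the situation the CCC describes: whoever can reach the control port is the operator. The authenticated variant is the minimum a practitioner would expect (origin authentication plus replay protection); a real deployment would also encrypt the channel and authenticate the agent to the operator, which this illustration leaves out.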

In response to the CCC’s findings, as well as the media storm concerning its usage, the German Justice Minister, Sabine Leutheusser-Schnarrenberger, has called for an investigation.

“Trying to play down or trivialize the matter won't do,” the Justice Minister said in a statement, while advising against blanket judgments.

“The citizen, in both the public and private spheres, must be protected from snooping through strict state control mechanisms.”

When it comes to detection, F-Secure, Sophos and now ESET all detect the R2D2 code on client systems. Other vendors likely have generic detections as well, given that the R2D2 code was submitted to the VirusTotal service in 2010.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.