Security Experts: F-Secure and Sophos Detecting Germany's "R2D2 Malware"

Finnish security vendor F-Secure and the U.K.’s Sophos have each pledged to detect a new backdoor allegedly developed and used by the German government. The news comes via the Chaos Computer Club (CCC) in Germany, which released a report on the malware on Saturday.

In its 20-page report on the malware, the CCC says the program was presented as a tool for lawful interception only, giving German authorities the ability to monitor VoIP communications. After static analysis, however, the CCC found there was far more to the program than Skype.

In addition to recording Skype calls under court order, which is the stated purpose of the "Bundestrojaner" ("Federal Trojan"), R2D2 will also eavesdrop on MSN Messenger, Yahoo Messenger, and ICQ.

Moreover, it can capture keystrokes in Opera, Firefox, Internet Explorer, and SeaMonkey. Lastly, it takes screenshots of whatever is on the screen at the time, saved as low-quality JPEG images.

The name R2D2 comes from the source code of the DLL itself: the function that triggers data transmission is named C3PO-r2d2-POE. When communicating, the malware uses weak crypto and sends data to servers hosted in the U.S. As the CCC points out, this is shoddy privacy and security work. Worse, the design is so poor that anyone can access infected hosts remotely with some basic legwork.

The overall functionality of R2D2, “...refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired [by German authorities]," commented a CCC speaker.

“Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”

In response, F-Secure and Sophos have stated that their products will detect the R2D2 code.

“We detect all the spyware that we know about - regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers' computers regardless of whether they may be state-sponsored or not,” Graham Cluley wrote on Sunday.

Likewise, F-Secure pointed to its corporate policy, which states in part that the company will add detection “...of any program we see that might be used for terrorist activity or to benefit organized crime.”

Given that the poor design of R2D2 allows external access to an infected host, this clause applies. However, F-Secure’s Mikko Hypponen added that, “We have never before analyzed a sample that has been suspected to be a governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors. Having said that, we detect this backdoor as Backdoor:W32/R2D2.A.”

The German government has yet to respond to the situation, or claim the code as theirs. Given the attention and the nature of the story itself, a response is expected early this week.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.