F-Secure and Sophos Detecting Germany’s “R2D2 Malware”

Finnish security vendor F-Secure and the U.K.’s Sophos have each pledged to detect a new backdoor, allegedly developed and used by the German government. The news comes via the Chaos Computer Club (CCC) in Germany, which released a report about the malware on Saturday.

In a 20-page report on the malware, the CCC says the program was presented as a lawful-interception tool, intended only to let German authorities monitor VoIP communications. Static analysis, however, showed the CCC that the program does far more than intercept Skype.

In addition to recording Skype calls via court order, which is the stated purpose of the “Bundestrojaner” (“Federal Trojan”), R2D2 will also eavesdrop on MSN messenger, Yahoo Messenger, and ICQ.

Moreover, it can capture keystrokes in Opera, Firefox, Internet Explorer, and SeaMonkey. Lastly, it will take screenshots of what is on the screen at the time, in low quality JPEG format.

The malware’s name, R2D2, comes from the source code of the DLL itself: the function that triggers data transmission is named C3PO-r2d2-POE. When communicating, the malware uses weak cryptography and sends data to servers hosted in the U.S. As the CCC points out, this is shoddy privacy and security work. Worse still, the design is so poor that anyone with some basic legwork can gain remote access to infected hosts.

The overall functionality of R2D2, “…refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired [by German authorities],” commented a CCC speaker.

“Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”

In response, F-Secure and Sophos have stated that their products will detect the R2D2 code.

“We detect all the spyware that we know about – regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers’ computers regardless of whether they may be state-sponsored or not,” Graham Cluley wrote on Sunday.

Likewise, F-Secure pointed to its corporate policy, which states in part that the company will add detection “…of any program we see that might be used for terrorist activity or to benefit organized crime.”

Given that the poor design of R2D2 allows external access to an infected host, this clause applies. However, F-Secure’s Mikko Hypponen added that, “We have never before analyzed a sample that has been suspected to be a governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors. Having said that, we detect this backdoor as Backdoor:W32/R2D2.A.”

The German government has yet to respond to the situation, or claim the code as theirs. Given the attention and the nature of the story itself, a response is expected early this week.
