SecurityWeek

Malware & Threats

German Government Paid €2M for R2D2 Malware

New information from F-Secure shows that the German government appears to have paid €2 million Euros for the Federal Trojan, which the CCC analyzed and publicly reported on last weekend. In addition, several German states have confirmed the software’s usage, according to local media.

A report from Germany’s Deutsche Welle includes a roundup of several regional news items, which state that the “Bundestrojaner” (“Federal Trojan”), R2D2, has been used for years. The officials speaking on the matter maintain that each instance in which the Trojan was deployed fell within the law. The most recent installations involved drug-related cases.

Officially, the software’s name is Skype Capture Unit; the Federal Trojan and R2D2 names come from the CCC’s report. Examining the installer, F-Secure was able to determine that the malware was written by a company called Digitask from the city of Haiger, Germany. The German government paid the company €2,075,256.07 for the software contract.

In a 20-page report on the malware, the CCC says that it was said to be used for lawful interception only, allowing German authorities the ability to monitor VoIP communications. However, after static analysis, the CCC learned there was far more to the program than Skype.

In addition to recording Skype calls under a court order, R2D2 will also eavesdrop on MSN Messenger, Yahoo Messenger, and ICQ. Moreover, it can capture keystrokes in Opera, Firefox, Internet Explorer, and SeaMonkey. Lastly, it will take screenshots of whatever is on the screen at the time, in low-quality JPEG format.

The overall functionality of R2D2, “…refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired [by German authorities],” commented a CCC speaker.

“Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”

The CCC was dismayed to discover that R2D2’s poor development quality and code essentially give anyone access to an infected host. For their research, the CCC was able to develop their own control tool to manage the software.

“This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone,” the CCC’s report added.

In response to the CCC’s findings, as well as the media storm concerning its usage, the German Justice Minister, Sabine Leutheusser-Schnarrenberger, has called for an investigation.

“Trying to play down or trivialize the matter won’t do,” the Justice Minister said in a statement, while advising against blanket judgments.

“The citizen, in both the public and private spheres, must be protected from snooping through strict state control mechanisms.”

When it comes to detection, F-Secure, Sophos, and now ESET all detect the R2D2 code on client systems. Other vendors likely have generic detections, given that the code for R2D2 was submitted to the VirusTotal service in 2010.