'Government' backdoor R2D2 Trojan discovered by Chaos Computer Club

Filed Under: Law & order, Malware, Privacy

The famous Chaos Computer Club (CCC) has announced the discovery of a backdoor Trojan horse capable of spying on online activity and recording Skype internet calls which, it says, is used by the German police force.

The malware - which has been variously dubbed "0zapftis", "Bundestrojaner" or "R2D2" - is likely to kick up a political storm, if the allegations are true.

Article by Chaos Computer Club

For some years, German courts have allowed the police to deploy a Trojan known colloquially as "Bundestrojaner" ("State Trojan") to record Skype conversations, if they have legal permission for a wiretap.

But the CCC's claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer - something specifically in violation of Germany's laws.

Sophos's analysis of the malware confirms that it has the following functionality:

* The Trojan can eavesdrop on several communication applications - including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users' screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.

Backdoor trojan code

A CCC spokesperson expressed the group's concern at the discovery:

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice - or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

Was the Trojan horse really written by the German authorities?

We have no way of knowing if the Trojan was written by the German state - and so far, the German authorities aren't confirming any involvement.

The comments in the Trojan's binary code could just as easily have been planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.

What we can say is that the phrase "0zapftis" has raised some eyebrows amongst the German speakers at SophosLabs. It's a play on a Bavarian phrase "The barrel is open", said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.

But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND - Germany's foreign intelligence service - deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan.

In many ways, I'm reminded of the kerfuffle which occurred almost ten years ago when there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that they had written - dubbed "Magic Lantern".

Sophos's position now is the same as it was back then. We detect all the spyware that we know about - regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers' computers regardless of whether they may be state-sponsored or not.

If you think about it, we have no other option: what's to stop a bad guy commandeering the spying code and using it against an innocent party? Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not on us to cripple our software.

So, Sophos detects the malware as Troj/BckR2D2-A. As our friends from F-Secure explain, the cute "R2D2" name comes from a string embedded inside the malware's code.

Further reading: German 'Government' R2D2 Trojan FAQ


5 Responses to 'Government' backdoor R2D2 Trojan discovered by Chaos Computer Club

  1. As someone else has pointed out, the string C3PO-r2d2-POE is found inside the DLL. I took a cursory look at the strings and I see the string "23CCC23". "23" = the German movie about Karl Koch, who was associated with the CCC, then "CCC", then "23" again?
    ############
    23CCC23
    3.4.26
    skype.exe
    seamonkey.exe
    navigator.exe
    opera.exe
    iexplore.exe
    firefox.exe
    %d.%d.%d.%d
    DUMMY!DUMMY
    SYS!ICP!94062
    C3PO-r2d2-POE
    %s %d
    CONNECT %s:%d HTTP/1.0

    • Engywuck · 1056 days ago

      the CCC changed some strings in the file to protect its sources, see http://ccc.de/de/updates/2011/addendum-staatstroj... (in german):

      4C383h -> unsigned char case_identifier[13] = "23CCC23"
      - ASCII string with a unique case file number. Modified for source protection

      (ASCII string with unique file number. Changed to protect our source)

  2. HTS · 1058 days ago

    Here's the complete release from CCC, in german: http://www.ccc.de/system/uploads/76/original/staa...

  3. Ben · 1055 days ago

    The Trojan was written by digitask, a company owned by 'Deloitte Touche Tohmatsu Limited'.

  4. john doe · 788 days ago

    Please post a tut on finding malware on comps. I'm sure more governments, if they haven't already, will start doing things like this.
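The strings quoted in the first comment above, and the request in the last one for a way to spot this kind of malware, can be turned into a simple static triage check. The following Python script is an added example and is not code from the article, from Sophos or from the CCC. It searches a file for the indicator strings listed in the comment thread, weights them by how specific they are (the "23CCC23" case identifier was altered by the CCC before publication, as the reply above notes, so it is treated as weak; the browser and Skype process names are common in benign software and only count in combination), and returns a triage verdict. The sample byte blobs at the bottom are constructed here so the script runs offline; they are not real malware bytes.

```python
"""Static string triage for the R2D2 / 0zapftis sample (added example).

Indicator strings come from the reader comment above; the scoring rules
and the sample blobs are this example's own assumptions.
"""
import sys
from pathlib import Path

# Strings unlikely to appear in unrelated software.
STRONG_INDICATORS = [b"C3PO-r2d2-POE", b"SYS!ICP!94062", b"DUMMY!DUMMY"]

# Strings that are suggestive on their own but not conclusive.
# "23CCC23" was modified by the CCC for source protection, so a sample
# seen in the wild may carry a different case identifier at that offset.
WEAK_INDICATORS = [b"23CCC23", b"CONNECT %s:%d HTTP/1.0"]

# Target process names from the string list.  Any browser helper or
# automation tool may legitimately contain these, so they only count
# when they appear alongside a weak indicator.
PROCESS_NAMES = [
    b"skype.exe", b"seamonkey.exe", b"navigator.exe",
    b"opera.exe", b"iexplore.exe", b"firefox.exe",
]


def scan_bytes(data: bytes) -> dict:
    """Return which indicators from each tier occur in `data`."""
    return {
        "strong": [s.decode() for s in STRONG_INDICATORS if s in data],
        "weak": [s.decode() for s in WEAK_INDICATORS if s in data],
        "process": [s.decode() for s in PROCESS_NAMES if s in data],
    }


def verdict(hits: dict) -> str:
    """Map the hit sets to a triage label.

    match      - at least one strong indicator
    suspicious - a weak indicator plus two or more target process names
    clean      - anything else (process names alone are not enough)
    """
    if hits["strong"]:
        return "match"
    if hits["weak"] and len(hits["process"]) >= 2:
        return "suspicious"
    return "clean"


def scan_file(path: str) -> tuple[str, dict]:
    """Scan a file on disk and return (verdict, hits)."""
    hits = scan_bytes(Path(path).read_bytes())
    return verdict(hits), hits


# Constructed sample data for demonstration only (not real malware bytes).
SAMPLE_INFECTED = (
    b"\x00" * 16 + b"skype.exe\x00firefox.exe\x00"
    b"C3PO-r2d2-POE\x00CONNECT %s:%d HTTP/1.0\x00"
)
# A benign tool that merely names browsers must not be flagged.
SAMPLE_BROWSER_TOOL = b"\x00" * 8 + b"firefox.exe\x00opera.exe\x00iexplore.exe\x00"
# Only the (possibly altered) case id plus two process names.
SAMPLE_PARTIAL = b"23CCC23\x00skype.exe\x00firefox.exe\x00"
SAMPLE_CLEAN = b"hello world\x00"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            label, hits = scan_file(path)
            print(f"{path}: {label} {hits}")
    else:
        for name, blob in [("infected", SAMPLE_INFECTED),
                           ("browser_tool", SAMPLE_BROWSER_TOOL),
                           ("partial", SAMPLE_PARTIAL),
                           ("clean", SAMPLE_CLEAN)]:
            hits = scan_bytes(blob)
            print(f"{name}: {verdict(hits)} {hits}")
```

Run it with one or more file paths to scan files on disk, or with no arguments to see the verdicts for the constructed samples. A plain substring match like this is only a first pass: it misses packed or obfuscated copies and, as the CCC addendum quoted above shows, a published sample may not carry the same identifying strings as the one actually deployed, which is why the case identifier is kept in the weak tier.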


About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.