German 'Government' R2D2 Trojan FAQ

Filed Under: Law & order, Malware, Privacy

What has happened?
A Trojan horse has been discovered that is capable of spying on Skype internet calls, monitoring the online activity of infected computers, logging keystrokes, and updating its functionality via the net.

The Trojan, which most anti-virus vendors are calling "R2D2", but is also referred to as "0zapftis" or "Bundestrojaner", was announced by the famous Chaos Computer Club (CCC).

Why is the Trojan called R2D2?
The name comes from a string of characters embedded inside the Trojan's code:

C3PO-r2d2-POE

Where did the CCC get the malware from?
German lawyer Patrick Schladt has told the media that the Trojan horse was found on the hard disk of one of his client's computers.

The malware was allegedly installed onto the computer as it passed through customs control at Munich Airport.

Schladt was defending his client against charges that fall under German law related to pharmaceuticals.

When the suspect and his legal team examined the digital evidence against him, they found signs that a Trojan had been present - and the hard disk was shared with the CCC with the permission of Schladt's client.

The CCC were able to use forensic software to restore deleted files from the hard drive, uncovering the R2D2 Trojan horse.

Why is the Trojan so newsworthy?
The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA. Furthermore, Schladt claims that the Customs department was also involved in planting the malware.

Who are the BKA and LKA?
The BKA (Bundeskriminalamt) is Germany's federal crime investigation agency. In addition, there are 16 LKAs (Landeskriminalamt) which act as state investigation bureaus.

The BKA has said that the files uncovered by the CCC are not related to them. That's not to say, of course, that the BKA hasn't used spyware in other cases - just that they are officially denying a connection to the malware in this case.

Steffen Seibert, a spokesperson for the federal government, used Twitter to deny BKA involvement.

The LKA divisions, meanwhile, have not commented.

Police using spyware sounds controversial
It is. You can imagine why privacy advocates get the heebie-jeebies at the thought of police investigators being able to spy on computer activity without the user's knowledge.

Is it legal for the German authorities to spy on citizens' computers with a Trojan horse?
Under German law the police are allowed to use spyware to snoop on suspected criminals - but only under strict guidelines. For instance, authorities have to seek legal approval for an equivalent to a phone wiretap to record Skype conversations before they are encrypted.

Germany's Federal Constitutional Court has put in place strict legal guidelines which are supposed to limit what investigators' spying software can do. For instance, although recording Skype conversations is permissible, the spyware must not alter any code on the suspect's computer and safeguards must be put in place to prevent the Trojan being subverted to include additional functionality.

What does the R2D2 Trojan do beyond snooping on Skype conversations?
In addition to recording Skype conversations, it can eavesdrop on the likes of the MSN Messenger and Yahoo Messenger chat clients, and record keystrokes in browsers such as Firefox, Opera, Internet Explorer and SeaMonkey.

Furthermore, the Trojan can capture the contents of users' screens, download updates and communicate with a remote website.

Which website does the Trojan communicate with?
The Trojan appears to connect to the IP address 83.236.140.90, which appears to be located in Düsseldorf or Neuss.
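The two indicators the FAQ gives - the "C3PO-r2d2-POE" marker string embedded in the Trojan's code and the 83.236.140.90 address it contacts - are exactly the kind of thing an incident responder turns into a quick triage check. The script below is an added example written for this FAQ; it is not code from the article, from Sophos or from the CCC. It searches a file's bytes for the marker and the address in both ASCII and UTF-16LE (Windows binaries often store string literals as wide characters, so an ASCII-only search can miss them) and filters connection-log lines for the address as a whole token, so that a longer address that merely ends in the same digits is not reported. The sample blob and log lines are constructed for the demonstration and are not real samples or traffic.

```python
"""Added example (not from the original article): triage checks for the two
indicators the FAQ names, run over constructed sample data."""
import re
from typing import Dict, List

# Indicators taken from the article text.
MARKER_STRING = "C3PO-r2d2-POE"   # string embedded in the Trojan's code
C2_ADDRESS = "83.236.140.90"      # address the Trojan was observed contacting


def byte_patterns(text: str) -> List[bytes]:
    """Encodings to search for: plain ASCII and UTF-16LE (wide strings)."""
    return [text.encode("ascii"), text.encode("utf-16-le")]


def scan_bytes(data: bytes) -> Dict[str, List[int]]:
    """Return every offset at which an indicator occurs in `data`, keyed by
    indicator name and encoding, e.g. {"marker/utf16le": [16]}."""
    hits: Dict[str, List[int]] = {}
    for name, value in (("marker", MARKER_STRING), ("c2_address", C2_ADDRESS)):
        for enc, pattern in zip(("ascii", "utf16le"), byte_patterns(value)):
            offsets = [m.start() for m in re.finditer(re.escape(pattern), data)]
            if offsets:
                hits[f"{name}/{enc}"] = offsets
    return hits


# Match the address only as a whole dotted token: 183.236.140.90 must not hit.
_ADDRESS_RE = re.compile(r"(?<![\d.])" + re.escape(C2_ADDRESS) + r"(?![\d.])")


def scan_log_lines(lines: List[str]) -> List[str]:
    """Return the log lines that record a connection to the known address."""
    return [line for line in lines if _ADDRESS_RE.search(line)]


# Constructed sample "binary": a fake header, the marker as UTF-16LE at
# offset 16, the address as ASCII at offset 50, surrounded by filler bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 12
    + MARKER_STRING.encode("utf-16-le")
    + b"\x00" * 8
    + C2_ADDRESS.encode("ascii") + b"\x00"
    + b"\xcc" * 16
)

# Constructed sample connection-log lines (not real traffic).
SAMPLE_LOG = [
    "2011-10-09T10:12:01 host-a 10.0.0.5 -> 83.236.140.90:80 TCP SYN",
    "2011-10-09T10:12:02 host-a 10.0.0.5 -> 183.236.140.90:80 TCP SYN",
    "2011-10-09T10:12:03 host-b 10.0.0.6 -> 93.184.216.34:443 TCP SYN",
]

if __name__ == "__main__":
    print("file hits:", scan_bytes(SAMPLE_BLOB))
    for line in scan_log_lines(SAMPLE_LOG):
        print("log hit: ", line)
```

A string or address match is a reason to pull the file and the host for proper analysis, not a verdict on its own; the article's own point stands that attribution of the sample ultimately rests on the authorities confirming it.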

Where is the LKA Nordrhein-Westfalen based?
Düsseldorf.

What more do we know about the LKA using spyware Trojans?
In early 2008, WikiLeaks leaked a confidential memo between the LKA and a software firm called DigiTask:

Read the report from WikiLeaks (in English), or view the German-language PDF.

The details leaked by WikiLeaks appear to match the behaviour of the R2D2 Trojan horse discovered by the Chaos Computer Club.

Of course, it is possible that DigiTask did not write the malware - but the functionality does match.

DigiTask has given presentations in the past where it has shown off its surveillance software for monitoring Skype conversations.

Can you prove that the R2D2 Trojan horse was written for and used by the LKA?
It's not really possible to *prove* who authored the malware, unless the German authorities confirm their involvement. However, it's beginning to look as though it's more likely that they were involved than not.

How would computers become infected by the R2D2 Trojan?
The malware targets Windows computers. Typically you might receive an email containing an attached file, or a link to the web which would then infect the computer.

Does Sophos detect the R2D2 Trojan?
Yes. Sophos products detect it as Troj/BckR2D2-A.

If you don't use Sophos products, contact your anti-virus vendor to see if they have added protection.

Shouldn't you guys work with the law enforcement agencies and deliberately not detect their malware?
We detect all the malware that we know about - regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers' computers regardless of whether they may be state-sponsored or not.

If you think about it - there is no sensible alternative. What's to stop a cybercriminal commandeering a law enforcement Trojan and using it against an innocent party?

Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not for us to cripple our software.

Hat tip: Thanks to SophosLabs malware researcher Dirk Kollberg for his assistance.


11 Responses to German 'Government' R2D2 Trojan FAQ

  1. If you don't use Sophos products, check with VirusTotal to see which products have added protection:

    Oct. 9, 16/43: http://www.virustotal.com/file-scan/report.html?i...

    Oct. 10, 25/43: http://www.virustotal.com/file-scan/report.html?i... (among others, Microsoft too is now aware of it)

  2. x^2 · 1087 days ago

    The Trojan has been used by the LKA Bayern (Bavaria), as can be read in this article:

    "Surveillance Trojan comes from Bavaria
    The Surveillance program analyzed by the CCC has been used by the Bavarian LKA" http://www.zeit.de/digital/datenschutz/2011-10/cc...

    It is likely to have been used by other LKAs too.

    An attorney of an affected person, who had been spied on by the Bavarian police in 2009, which was later declared illegal by a court, has confirmed that this was the software being used for it.

    This, after all, is what makes the scandal so explosive. The investigative authorities have knowingly disregarded the highest German court, which had ruled that that kind of uber-spying on everything a person does with their computer (i.e. browsing, typing etc.) is unconstitutional.

  3. Psy-Ko · 1087 days ago

    Wow, a government spying on their citizens, imagine that

    • Thomas · 1086 days ago

      That's exactly what our government criticized on Iran, Egypt and others.

      Welcome to Germany – it's still the old game (Gods may do what cattle may not).

    • Lol! Yeah who would have thought!

  4. abc · 1087 days ago

    Here's a DigiTask Corporate Presentation about their Remote Forensic Spyware: http://cryptome.org/0005/michaelthomas.pdf

  5. A Fefe Reader · 1087 days ago

    Niedersachsen uses it officially: http://www.ndr.de/regional/niedersachsen/bundestr...

    Brandenburg too: http://www.morgenpost.de/newsticker/dpa_nt/regiol...

    Baden-Wuerttemberg used it and stops it now: http://www.badische-zeitung.de/nachrichten/deutsc...

    Bayern used it too: http://www.stmi.bayern.de/presse/archiv/2011/385....

  6. trismos · 1087 days ago

    at least Canada is trying to make it legal by passing Big Brother Laws....

  7. LennartF · 1087 days ago

    The thing is that such a trojan would be legal under certain circumstances under German law. However the trojan used here

    a) does offer features which would NOT be allowed (for example tampering with data, etc., could be used to plant fake evidence)
    b) is a security risk, because of its shitty design which allows non-law-enforcement people to abuse it.

    That's not to say that I like them being able to spy on citizens (or anyone) like that. It's just another one of those things forced upon us which we can't do much about.

  8. hhh · 1086 days ago

    And I thought it was only those nasty commies that spied on their citizens, not those upright capitalists who constantly preach freedom...

  9. Alex · 1086 days ago

    LKA Nordrhein-Westfalen is also based in Neuss.

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.