The famous Chaos Computer Club (CCC) has announced the discovery of a backdoor Trojan horse capable of spying on online activity and recording Skype internet calls which, it says, is used by the German police force.
The malware – which has been variously dubbed “0zapftis”, “Bundestrojaner” or “R2D2” – is likely to kick up a political storm, if the allegations are true.
For some years, German courts have allowed the police to deploy a Trojan known colloquially as “Bundestrojaner” (“State Trojan”) to record Skype conversations, if they have legal permission for a wiretap.
But the CCC’s claim is controversial, as the Trojan they have uncovered has more snooping capabilities than that. For instance, it includes functionality to download updates from the internet, to run code remotely and even to allow remote access to the computer – something specifically in violation of Germany’s laws.
Sophos’s analysis of the malware confirms that it has the following functionality:
* The Trojan can eavesdrop on several communication applications – including Skype, MSN Messenger and Yahoo Messenger.
* The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
* The Trojan can take JPEG screenshots of what appears on users’ screens and record Skype audio calls.
* The Trojan attempts to communicate with a remote website.
A CCC spokesperson expressed the group’s concern at the discovery:
"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice - or even desired. Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
Was the Trojan horse really written by the German authorities?
We have no way of knowing if the Trojan was written by the German state – and so far, the German authorities aren’t confirming any involvement.
The comments in the Trojan’s binary code could just as easily have been planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.
What we can say is that the phrase “0zapftis” has raised some eyebrows amongst the German speakers at SophosLabs. It’s a play on a Bavarian phrase “The barrel is open”, said by the mayor of Munich when he opens the first barrel of beer at the Oktoberfest.
But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND – Germany’s foreign intelligence service – deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan.
In many ways, I’m reminded of the kerfuffle which occurred almost ten years ago when there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that they had written – dubbed “Magic Lantern”.
Sophos’s position now is the same as it was back then. We detect all the spyware that we know about – regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers’ computers regardless of whether they may be state-sponsored or not.
If you think about it, we have no other option. What is to stop a bad guy commandeering the spying code and using it against an innocent party? Our customers’ protection comes first. If the authorities want us not to detect their malware, the onus is on them to write something we can’t detect, not on us to cripple our software.
So, Sophos detects the malware as Troj/BckR2D2-A. As our friends from F-Secure explain, the cute “R2D2” name comes from a string embedded inside the malware’s code.
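Detection here rests on strings embedded in the sample, and the page and its comments name three of them: "C3PO-r2d2-POE", the proxy request template "CONNECT %s:%d HTTP/1.0", and "23CCC23", which the CCC’s addendum describes as a per-case file number that it altered before publishing the sample. The following Python scanner is an added example, not Sophos’s code and not how Troj/BckR2D2-A is actually detected; it looks for those markers in a binary, reads the file in chunks so that a marker straddling a chunk boundary is still reported exactly once, and treats the altered case number as weak evidence on its own. The sample file it scans is constructed (filler bytes with the markers placed at chosen offsets), not the real DLL, and the marker grouping is an assumption made for the example.

```python
import os
import tempfile

# Marker strings that the post and its comments report in the R2D2 DLL.
# Assumption for this example: the first two are treated as strong evidence,
# while "23CCC23" is a per-case identifier that the CCC says it modified
# before release, so it is only weak evidence by itself.
STRONG_MARKERS = [b"C3PO-r2d2-POE", b"CONNECT %s:%d HTTP/1.0"]
WEAK_MARKERS = [b"23CCC23"]

CHUNK = 1 << 20  # read 1 MiB at a time so large binaries are not loaded whole


def find_markers(path, markers, chunk_size=CHUNK):
    """Return {marker: [absolute offsets]} for every occurrence in the file.

    The last len(longest marker) - 1 bytes of each chunk are carried over as
    a tail so that a marker split across two reads is still found; matches
    that end inside that tail were already reported by the previous round.
    """
    hits = {m: [] for m in markers}
    overlap = max(len(m) for m in markers) - 1
    tail = b""
    base = 0  # absolute file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                break
            buf = tail + data
            for m in markers:
                i = buf.find(m)
                while i >= 0:
                    if i + len(m) > len(tail):
                        hits[m].append(base + i)
                    i = buf.find(m, i + 1)
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return hits


def classify(hits):
    """Verdict from which markers were present (example policy, not Sophos's)."""
    if any(hits.get(m) for m in STRONG_MARKERS):
        return "match"
    if any(hits.get(m) for m in WEAK_MARKERS):
        return "weak-only"  # only the mutable case number: not enough alone
    return "clean"


def build_sample():
    """Write a constructed stand-in for the DLL: zero filler with the markers
    placed at known offsets. This is NOT the real sample from the CCC release.
    "CONNECT ..." is placed at 1020 so that, with a 1024-byte chunk size, it
    crosses a chunk boundary and exercises the overlap handling."""
    placements = {
        b"C3PO-r2d2-POE": 100,
        b"CONNECT %s:%d HTTP/1.0": 1020,
        b"23CCC23": 3000,
    }
    blob = bytearray(4096)
    for m, off in placements.items():
        blob[off:off + len(m)] = m
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(blob)
    return path, placements


def scan(path, chunk_size=CHUNK):
    """Scan one file and return (hits, verdict)."""
    hits = find_markers(path, STRONG_MARKERS + WEAK_MARKERS, chunk_size)
    return hits, classify(hits)


if __name__ == "__main__":
    sample, _ = build_sample()
    found, verdict = scan(sample, chunk_size=1024)
    for marker, offsets in found.items():
        print(marker.decode(), ["0x%X" % o for o in offsets])
    print("verdict:", verdict)
```

Scanning by string is brittle on purpose here: the CCC changed "23CCC23" to protect its source, and any later build could change the other strings too, which is why a real product also keys on code and behaviour rather than a handful of literals.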
Further reading: German ‘Government’ R2D2 Trojan FAQ
5 comments on “‘Government’ backdoor R2D2 Trojan discovered by Chaos Computer Club”
As someone else has pointed out, the string C3PO-r2d2-POE is found inside the DLL. I took a cursory look at the strings and I see the string "23CCC23". "23" = the German movie about Karl Koch, who was associated with the CCC, then "CCC", then "23" again?
CONNECT %s:%d HTTP/1.0
The CCC changed some strings in the file to protect its sources, see http://ccc.de/de/updates/2011/addendum-staatstroj… (in German):
4C383h -> unsigned char case_identifier = "23CCC23"
– ASCII string with a unique case file number. Modified to protect the source
(ASCII string with unique file number. Changed to protect our source)
Here's the complete release from the CCC, in German: http://www.ccc.de/system/uploads/76/original/staa…
The Trojan was written by digitask, a company owned by 'Deloitte Touche Tohmatsu Limited'.
Please post a tutorial on finding malware on computers. I'm sure more governments, if they haven't already, will start doing things like this.