German ‘Government’ R2D2 Trojan FAQ

What has happened?
A Trojan horse has been discovered that is capable of spying on Skype internet calls, monitoring the online activity of infected computers, logging keystrokes, and updating its functionality via the net.

The Trojan, which most anti-virus vendors are calling “R2D2”, but is also referred to as “0zapftis” or “Bundestrojaner”, was announced by the famous Chaos Computer Club (CCC).

Why is the Trojan called R2D2?
The name comes from a string of characters embedded inside the Trojan’s code:

C3PO-r2d2-POE

Where did the CCC get the malware from?
German lawyer Patrick Schladt has told the media that the Trojan horse was found on the hard disk of one of his client’s computers.

The malware was allegedly installed onto the computer as it passed through customs control at Munich Airport.

Schaldt was defending his client against charges that fall under German law related to pharmaceuticals.

When the suspect and his legal team examined the digital evidence against them they found evidence that suggested a Trojan had been present – and the hard disk was shared with the CCC with the permission of Schladt’s client.

The CCC were able to use forensic software to restore deleted files from the hard drive, uncovering the R2D2 Trojan horse.

Why is the Trojan so newsworthy?
The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA. Furthermore, Schaldt claims that the Customs department was also involved in the planting of the malware.

Who are the BKA and LKA?
The BKA (Bundeskriminalamt) is Germany’s federal crime investigation agency. In addition, there are 16 LKAs (Landeskriminalamt) which act as state investigation bureaus.

The BKA has said that the files uncovered by the CCC, are not related to them. That’s not to say, of course, that the BKA hasn’t used spyware in other cases – just that they are officially denying a connection to the malware in this case.

Steffen Seibert, a spokesperson for the federal government, used Twitter to deny BKA involvement:

https://twitter.com/#!/RegSprecher/status/123056930888491008

The LKA divisions, meanwhile, have not commented.

Police using spyware sounds controversial
It is. You can imagine why privacy advocates get the heebie-jeebies at the thought of police investigators being able to spy on computer activity without the user’s knowledge.

Is it legal for the German authorities to spy on citizen’s computers with a Trojan horse?
Under German law the police are allowed to use spyware to snoop on suspected criminals – but only under strict guidelines. For instance, authorities have to seek legal approval for an equivalent to a phone wiretap to record Skype conversations before they are encrypted.

Germany’s Federal Constitutional Court has put in place strict legal guidelines which are supposed to limit what investigators’ spying software can do. For instance, although recording Skype conversations is permissible, the spyware must not alter any code on the suspect’s computer and safeguards must be put in place to prevent the Trojan being subverted to include additional functionality.

What does the R2D2 Trojan beyond snooping on Skype conversations?
In addition to recording Skype conversations, it can eavesdrop on the likes of the MSN Messenger and Yahoo Messenger chat clients, and record keystrokes in browsers such as Firefox, Opera, Internet Explorer and SeaMonkey.

Furthermore, the Trojan can take capture the contents of users’ screens, download updates and communicate with a remote website.

Which website does the Trojan communicate with?
The Trojan appears to connect to an IP address, 83.236.140.90, which appears to be based in Düsseldorf or Neuss.

Where is the LKA Nordrhein-Westfalen based?
Düsseldorf.

What more do we know about the LKA using spyware Trojans?
In early 2008, WikiLeaks leaked a confidential memo between the LKA and a software firm called DigiTask:

Read the report from WikiLeaks (in English), or view the German-language PDF.

The details leaked by WikiLeaks appear to match the behaviour of the R2D2 Trojan horse discovered by the Chaos Computer Club.

Of course, it is possible that DigiTask did not write the malware – but the functionality does match.

DigiTask has given presentations in the past where it has shown off its surveillance software for monitoring Skype conversations:

Can you prove that the R2D2 Trojan horse was written for and used by the LKA?
It’s not really possible to *prove* who authored the malware, unless the German authorities confirm their involvement. However, it’s beginning to look as though it’s more likely that they were involved than not.

How would computers become infected by the R2D2 Trojan?
The malware targets Windows computers. Typically you might receive an email containing an attached file, or a link to the web which would then infect the computer.

Does Sophos detect the R2D2 Trojan?
Yes. Sophos products detect it as Troj/BckR2D2-A.

If you don’t use Sophos products, contact your anti-virus vendor to see if they have added protection.

Shouldn’t you guys work with the law enforcement agencies and deliberately not detect their malware?
We detect all the malware that we know about – regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers’ computers regardless of whether they may be state-sponsored or not.

If you think about it – there is no sensible alternative. What’s to stop a cybercriminal commandeering a law enforcement Trojan and using it against an innocent party?

Our customers’ protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can’t detect, not for us to cripple our software.

Hat tip: Thanks to SophosLabs malware researcher Dirk Kollberg for his assistance.