But it gets even worse: anyone can connect to an infected computer and do whatever he wants, all you need is the IP. Scuttlebutt is that the people at the CCC (whom the trojan had been leaked to) suspected that to be a smokescreen to hide the real trojan, since it's so patently stupid. When this story broke, our Interior Minister promptly flew to Afghanistan. But he is back now and has put his foot into his mouth already.
Also, the Pirate Party is at 9% in federal polls. Just saying.
source: http://nakedsecurity.sophos.com/2011/10 ... rojan-faq/
German 'Government' R2D2 Trojan FAQ
by Graham Cluley on October 10, 2011
What has happened?
A Trojan horse has been discovered that is capable of spying on Skype internet calls, monitoring the online activity of infected computers, logging keystrokes, and updating its functionality via the net.
The Trojan, which most anti-virus vendors are calling "R2D2", but is also referred to as "0zapftis" or "Bundestrojaner", was announced by the famous Chaos Computer Club (CCC).
Why is the Trojan called R2D2?
The name comes from a string of characters embedded inside the Trojan's code:
C3PO-r2d2-POE
Where did the CCC get the malware from?
German lawyer Patrick Schladt has told the media that the Trojan horse was found on the hard disk of one of his client's computers.
The malware was allegedly installed onto the computer as it passed through customs control at Munich Airport.
Schladt was defending his client against charges that fall under German law related to pharmaceuticals.
When the suspect and his legal team examined the digital evidence against them they found evidence that suggested a Trojan had been present - and the hard disk was shared with the CCC with the permission of Schladt's client.
The CCC were able to use forensic software to restore deleted files from the hard drive, uncovering the R2D2 Trojan horse.
Why is the Trojan so newsworthy?
The CCC implies that the malware was created for, and is being used by, German law enforcement authorities such as the BKA and LKA. Furthermore, Schladt claims that the Customs department was also involved in the planting of the malware.
Who are the BKA and LKA?
The BKA (Bundeskriminalamt) is Germany's federal crime investigation agency. In addition, there are 16 LKAs (Landeskriminalamt) which act as state investigation bureaus.
The BKA has said that the files uncovered by the CCC are not related to them. That's not to say, of course, that the BKA hasn't used spyware in other cases - just that they are officially denying a connection to the malware in this case.
Steffen Seibert, a spokesperson for the federal government, used Twitter to deny BKA involvement:
Steffen Seibert (@RegSprecher), October 9, 2011, 4:27 pm: "Federal Ministry of the Interior: the BKA did not deploy the #Trojaner presented by the CCC; it is not the so-called #Bundestrojaner"
The LKA divisions, meanwhile, have not commented.
Police using spyware sounds controversial
It is. You can imagine why privacy advocates get the heebie-jeebies at the thought of police investigators being able to spy on computer activity without the user's knowledge.
Is it legal for the German authorities to spy on citizens' computers with a Trojan horse?
Under German law the police are allowed to use spyware to snoop on suspected criminals - but only under strict guidelines. For instance, authorities have to seek legal approval for an equivalent to a phone wiretap to record Skype conversations before they are encrypted.
Germany's Federal Constitutional Court has put in place strict legal guidelines which are supposed to limit what investigators' spying software can do. For instance, although recording Skype conversations is permissible, the spyware must not alter any code on the suspect's computer and safeguards must be put in place to prevent the Trojan being subverted to include additional functionality.
What does the R2D2 Trojan do beyond snooping on Skype conversations?
In addition to recording Skype conversations, it can eavesdrop on the likes of the MSN Messenger and Yahoo Messenger chat clients, and record keystrokes in browsers such as Firefox, Opera, Internet Explorer and SeaMonkey.
Furthermore, the Trojan can capture the contents of users' screens, download updates and communicate with a remote website.
Which website does the Trojan communicate with?
The Trojan appears to connect to an IP address, 83.236.140.90, which appears to be based in Düsseldorf or Neuss.
Where is the LKA Nordrhein-Westfalen based?
Düsseldorf.
What more do we know about the LKA using spyware Trojans?
In early 2008, WikiLeaks leaked a confidential memo between the LKA and a software firm called DigiTask:
Read the report from WikiLeaks (in English), or view the German-language PDF.
The details leaked by WikiLeaks appear to match the behaviour of the R2D2 Trojan horse discovered by the Chaos Computer Club.
Of course, it is possible that DigiTask did not write the malware - but the functionality does match.
[...]
Can you prove that the R2D2 Trojan horse was written for and used by the LKA?
It's not really possible to *prove* who authored the malware, unless the German authorities confirm their involvement. However, it's beginning to look as though it's more likely that they were involved than not.
How would computers become infected by the R2D2 Trojan?
The malware targets Windows computers. Typically you might receive an email containing an attached file, or a link to the web which would then infect the computer.
Does Sophos detect the R2D2 Trojan?
Yes. Sophos products detect it as Troj/BckR2D2-A.
If you don't use Sophos products, contact your anti-virus vendor to see if they have added protection.
Shouldn't you guys work with the law enforcement agencies and deliberately not detect their malware?
We detect all the malware that we know about - regardless of who its author may be. So, SophosLabs adds protection against attacks on our customers' computers regardless of whether they may be state-sponsored or not.
If you think about it - there is no sensible alternative. What's to stop a cybercriminal commandeering a law enforcement Trojan and using it against an innocent party?
Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not for us to cripple our software.
(bolded text as in the source)
source: http://www.f-secure.com/weblog/archives/00002249.html
Possible Governmental Backdoor Found ("Case R2D2")
Posted by Mikko @ 20:42 GMT
Chaos Computer Club from Germany has tonight announced that they have located a backdoor trojan used by the German Government.
The announcement was made public on ccc.de with a detailed 20-page analysis of the functionality of the malware.
The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.
The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.
The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.
In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.
We do not know who created this backdoor and what it was used for.
We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.
Our generic policy on detecting governmental backdoors or "lawful interception" police trojans can be read here. [http://www.f-secure.com/virus-info/bdtp.html]
We have never before analyzed a sample that has been suspected to be a governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.
Having said that, we detect this backdoor as Backdoor:W32/R2D2.A
The name R2D2 comes from a string inside the trojan: "C3PO-r2d2-POE". This string is used internally by the trojan to initiate data transmission.
We are expecting this to become a major news story. It's likely there will be an official response from the German government.
(emphasis mine)
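A defender-side check built from the indicators quoted in the two articles above (the "C3PO-r2d2-POE" marker string and the two server addresses the backdoor connects to). This is an added example, not code from Sophos, F-Secure or the CCC; the file image and firewall log lines it scans are constructed samples.

```python
import re
from typing import List, Tuple

# Indicators as quoted in the Sophos and F-Secure write-ups above.
R2D2_MARKER = b"C3PO-r2d2-POE"  # string the trojan uses to initiate data transmission
R2D2_C2_ADDRESSES = {"83.236.140.90", "207.158.22.134"}  # servers the backdoor connects to

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_marker_offsets(data: bytes) -> List[int]:
    """Return every byte offset at which the R2D2 marker string occurs in a blob."""
    offsets = []
    start = 0
    while (pos := data.find(R2D2_MARKER, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def flag_c2_connections(log_lines) -> List[Tuple[str, str]]:
    """Return (line, matched_ip) for each log line that mentions a known C2 address."""
    hits = []
    for line in log_lines:
        for ip in IPV4.findall(line):
            if ip in R2D2_C2_ADDRESSES:
                hits.append((line.strip(), ip))
                break
    return hits


# Constructed sample data (not real captures): a fake PE-like image with the
# marker embedded twice, and fake firewall log lines, two of them to C2 addresses.
SAMPLE_BLOB = b"MZ\x90\x00" + b"\x00" * 32 + R2D2_MARKER + b"\x00" * 16 + R2D2_MARKER
SAMPLE_LOG = [
    "2011-10-09 21:03:11 ALLOW TCP 10.0.0.7:49152 -> 83.236.140.90:443",
    "2011-10-09 21:03:12 ALLOW TCP 10.0.0.7:49153 -> 93.184.216.34:80",
    "2011-10-09 21:05:40 ALLOW TCP 10.0.0.9:49201 -> 207.158.22.134:80",
]

if __name__ == "__main__":
    print("marker offsets:", find_marker_offsets(SAMPLE_BLOB))
    for line, ip in flag_c2_connections(SAMPLE_LOG):
        print("C2 contact", ip, "in:", line)
```

Address-based indicators go stale quickly, so the marker-string scan is the more durable of the two checks.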