More Details Emerging about R2D2 Backdoor Trojan



10/19/2011

Kevin R. Smith
Co-Editor


First reported by the Chaos Computer Club (CCC), which describes itself as Europe's largest hacker association, this malware is, according to CCC, used by German police forces, and
...can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs.
Is it legal? It appears not, despite being state sponsored.

And, no matter your opinion of remote PC monitoring and true spy software, there's something very troubling about this trojan, according to CCC:
Significant design and implementation flaws make all of the functionality available to anyone on the internet. [Editor's Note: Emphasis mine.]
Their analysis isn't just hot air. Further on in their report, they go on to say:
The analysis also revealed serious security holes that the trojan is tearing into infected systems.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted. Neither the commands to the trojan nor its replies are authenticated or have their integrity protected.

"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data.

"It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
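To make the integrity point in the CCC excerpt concrete, here is an added example (not the trojan's code, and not from CCC, F-Secure or Kaspersky): a constructed controller-side receiver that trusts any report on an unauthenticated channel, beside one that only accepts a report whose HMAC-SHA256 tag verifies under the claimed instance's secret. The JSON message layout, instance ids and keys are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os


def parse_unauthenticated(raw: bytes) -> dict:
    """Receiver with no integrity check (the design CCC describes): whatever arrives is trusted."""
    return json.loads(raw)


def seal(body: dict, key: bytes) -> bytes:
    """Wrap a report in an envelope carrying an HMAC-SHA256 tag over its canonical serialization."""
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}, sort_keys=True).encode()


def open_authenticated(raw: bytes, keys: dict):
    """Return the report body only if its tag verifies under the claimed instance's key, else None."""
    try:
        env = json.loads(raw)
        body, tag = env["body"], env["tag"]
        key = keys[body["instance"]]      # unknown instance id -> KeyError -> rejected
    except (ValueError, KeyError, TypeError):
        return None
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return body


def demo():
    # Constructed data: one legitimate instance id and its per-instance secret.
    keys = {"instance-42": os.urandom(32)}
    genuine = {"instance": "instance-42", "kind": "screenshot", "data": "..."}
    bogus = {"instance": "instance-42", "kind": "screenshot", "data": "FAKE"}
    # Unauthenticated channel: a bogus report claiming the instance id is accepted as-is.
    unauth_result = parse_unauthenticated(json.dumps(bogus).encode())["data"]
    # Authenticated channel: the genuine sealed report verifies ...
    accepted = open_authenticated(seal(genuine, keys["instance-42"]), keys)
    # ... a report sealed under a key that is not the instance's secret is rejected ...
    wrong_key = open_authenticated(seal(bogus, b"not-the-real-secret"), keys)
    # ... and so is a genuine report whose payload was altered after sealing.
    altered = seal(genuine, keys["instance-42"]).replace(b'"..."', b'"XXX"')
    return unauth_result, accepted, wrong_key, open_authenticated(altered, keys)
```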
These are serious charges being leveled, so what does the antivirus software community's analysis reveal?

Both Kaspersky and F-Secure have already done their own analysis. Here's what they each have to say:

F-Secure

In their "News from the Lab" blog post on the R2D2 Backdoor Trojan, F-Secure adds:
And now, several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say the backdoor falls within what's allowed.

Kaspersky

The Kaspersky blog details their own analysis, which uncovered some other interesting details, including:
...there are six components in total – each with a different purpose – all of which have been analyzed by us.

"Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows.

"Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report.

"The number of applications infected by the various components is 15 in total."
So what's the point of this trojan? Good question.

The various reports all say it's for monitoring communication from a suspect's computer when the suspect is using several types of software:
  1. VOIP software (like Skype)
  2. web browsers
  3. chat software
Here's the complete list uncovered by Kaspersky in their analysis:

Software Monitored by R2D2 Backdoor Trojan

Program               Purpose
--------------------  -----------------------------
explorer.exe          Internet Explorer web browser
firefox.exe           Mozilla Firefox web browser
icqlite.exe           Chat software
lowratevoip.exe       VOIP software
msnmsgr.exe           Chat software
opera.exe             Opera web browser
paltalk.exe           Video chat software
simplite-icq-aim.exe  Chat software
simpro.exe            Chat software
sipgatexlite.exe      VOIP software
skype.exe             VOIP software
skypepm.exe           VOIP software
voipbuster.exe        VOIP software
x-lite.exe            VOIP software
yahoomessenger.exe    Chat software


So now the question is: are the antivirus software companies detecting the trojan?

Yes. Kaspersky and F-Secure alike say their software's heuristics (i.e. realtime protection) detected the trojan even before they became aware of it and added specific threat definitions to their software.

F-Secure says, "The 'heuristic' category indicates that our automation flagged the file based on rules that our analysts have created." And Kaspersky says, "All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program."

So, the bottom line: if you're running good antivirus software with realtime protection enabled, this trojan is unlikely to be a threat.

And, if you're not, why not?
