Threat Research

R2D2 – Forget the jargon, it’s a wiretap

Avast Security Blogger, 28 November 2011

A short time ago in a galaxy very close by, the German Police and their R2D2 Trojan gave us a simple reminder of what modern malware is all about. It's wiretapping.

Technical buzzwords usually leave me more puzzled than enlightened. How many of these terms can you identify: backdoor Trojan with mfc42ul.dll, winsys32.sys key logger, Speex codec, full registry access, CJPEG, or acrd~tmp~.exe for a hidden executed application?

Did I lose you? Just think wiretapping in the digital age.

Recently, the German Police had their R2D2 outed by the Chaos Computer Club. It seems that after the Police loaded their R2D2 Trojan onto a suspect’s computer, the defenders of law and order could do the following:

  • Listen in on voice and messaging applications (Skype, MSN Messenger, Yahoo Messenger, ICQ, PalTalk, etc.)
  • Take notes by logging keystrokes in browsers (Firefox, Opera, Internet Explorer, SeaMonkey, etc.)
  • Get pictures (JPEG screenshots of users' screens and video calls)
  • Go through the records with full file system and registry access
  • Fine-tune surveillance by secretly downloading, installing, and executing other applications
  • Turn on the microphone and start recording

While the technical features are confusing to the non-geek, R2D2 is just a high-tech wiretap with the cool addition of a Blue Screen of Death (BSOD) trigger.

There are only two exceptional aspects to the R2D2 malware:

  • It is supposedly legal (a hot debate topic in Germany)
  • The German government paid two million Euro for it (rather pricey)

But, the real lesson is this: bad guys use a similar bag of tricks – and they are trying to do this on your computer. Their goals are to make money, and they do this by stealing private account data. The technical specs change often.

Did I say sloppy police work? Yes indeed. While the Germans may have paid Top Euro for R2D2, they could have gotten more for their money according to Milos Schrotter, analyst at the AVAST Virus Lab:

  • Data is encrypted with AES (ECB) using a fixed key across all versions: not so good.
  • No authentication built in, so it's easy to spoof.
  • Data sent to a command-and-control server in the U.S., which is almost certainly against German law.
  • Code permitting the controller to install additional software onto the target machine is not authenticated, so it would be easy to fool the Trojan into installing anything.
  • The application code structure is very simple, without any type of self-protection against a reverse-engineering or hacking attack.
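
Two of the weaknesses above, the fixed-key ECB encryption and the missing authentication, as an added example that is not from this post or from the Avast analysis: Go code that encrypts a constructed keylog record with AES-ECB under a constructed stand-in key, counts the repeated ciphertext blocks that make such traffic recognisable in a capture, and shows AES-GCM as the construction that both hides that structure and rejects modified messages. The function names, the key and the sample record are all assumptions.

```go
package main

import "crypto/aes"
import "crypto/cipher"
import "crypto/rand"

var FixedKey = []byte("constructed-key!") // constructed stand-in for the hard-coded key; not the real one

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // only a wrong key length or a broken RNG can reach this in the demo
	}
	return v
}

// EcbEncrypt runs AES on each 16-byte block independently (the criticised mode); pt must be block-aligned.
func EcbEncrypt(key, pt []byte) []byte {
	b := must(aes.NewCipher(key))
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// RepeatedBlocks counts recurring 16-byte blocks: ECB under one fixed key maps equal plaintext blocks to equal ciphertext blocks.
func RepeatedBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		blk := string(ct[i : i+aes.BlockSize])
		if seen[blk] {
			dups++
		}
		seen[blk] = true
	}
	return dups
}

// NewGCM is the hardened form: AES-GCM hides block structure behind a fresh nonce and its Open rejects any modified message.
func NewGCM(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// GcmSeal encrypts pt under a random nonce and appends the authentication tag; the nonce travels with the ciphertext.
func GcmSeal(key, pt []byte) (nonce, ct []byte) {
	aead := NewGCM(key)
	nonce = make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return nonce, aead.Seal(nil, nonce, pt, nil)
}
```

Run RepeatedBlocks over a captured stream to flag the ECB pattern; a nonzero count on traffic that should be encrypted is worth a closer look.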

So just remember, there is always room for improvement. And, when you are on your computer, you are not as alone as you might think.

PS: The Trojan is called R2D2 because of the "C3PO-r2d2-POE" string inside the binary file.