R2D2 – Forget the jargon, it’s a wiretap
A short time ago in a galaxy very close by, the German Police and their R2D2 Trojan gave us a simple reminder of what modern malware is all about. It's wiretapping.
Technical buzzwords usually leave me more puzzled than enlightened. How many of these terms can you identify: a backdoor Trojan with mfc42ul.dll, a winsys32.sys key logger, the Speex codec, full registry access, CJPEG, or acrd~tmp~.exe as a hidden executed application?
Did I lose you? Just think wiretapping in the digital age.
Recently, the German Police had their R2D2 outed by the Chaos Computer Club. It seems that after the Police loaded their R2D2 Trojan onto a suspect’s computer, the defenders of law and order could do the following:
While the technical features are confusing to the non-geek, R2D2 is just a high-tech wiretap with the cool addition of a Blue Screen of Death (BSOD) trigger.
There are only two exceptional aspects to the R2D2 malware:
But the real lesson is this: the bad guys use a similar bag of tricks, and they are trying to use it on your computer. Their goal is to make money, and they do that by stealing private account data. The technical specs change often.
Did I say sloppy police work? Yes indeed. While the Germans may have paid top euro for R2D2, they could have gotten more for their money, according to Milos Schrotter, analyst at the AVAST Virus Lab:
So just remember, there is always room for improvement. And, when you are on your computer, you are not as alone as you might think.
PS: The Trojan is called R2D2 because of the "C3PO-r2d2-POE" string inside the binary file.