Federal Trojan's got a "Big Brother"

system · October 18, 2011, 5:18pm

Tillmann Werner Kaspersky Lab Expert Posted October 18, 15:15 GMT
About two weeks ago, the German Chaos Computer Club (CCC) has published an analysis report of a backdoor trojan that they claim had been used by German police during investigations in order to capture VoIP and IM communication on a suspect’s PC. Our friends over at F-Secure published a blog post last week where they wrote about another file that, according to them, seemed to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.

The dropper carries five other binaries in its resource table, so there are six components in total – each with a different purpose – all of which have been analyzed by us. Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.
Target Applications

Previous discussions of R2D2 mention Skype as a target application that is monitored by the trojan. The version analyzed by us indicates that Skype is targeted as well, but also all common web browsers, various instant messaging applications and voice-over-ip software, such as ICQ, MSN Messenger, Low-Rate Voip, paltalk, SimpPro, sipgate X-Lite, VoipBuster and Yahoo! Messenger. The list of process names is:
explorer.exe
firefox.exe
icqlite.exe
lowratevoip.exe
msnmsgr.exe
opera.exe
paltalk.exe
simplite-icq-aim.exe
simppro.exe
sipgatexlite.exe
skype.exe
skypepm.exe
voipbuster.exe
x-lite.exe
yahoomessenger.exe</blockquote>
https://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother

You can read some more about Backdoor.R2D2.A here

Backdoor.R2D2.A a.k.a “der Bundestrojaner”][Malware Review] Backdoor.R2D2.A a.k.a “der Bundestrojaner”

Bid Defender has a x32 and x64 removal tool available for Backdoor.R2D2.A. Never hurts to be super caution with stuff like this and use something in addition to avast! to check your computer just to make sure.

http://www.malwarecity.com/community/index.php?s=4c6187b94151981ea4a8e6865076d624&app=downloads&showcat=1

Pondus · October 18, 2011, 5:46pm

Link Nr#2 does not work…

Asyn · October 19, 2011, 6:21am

More related links…
http://www.h-online.com/security/news/item/CCC-cracks-government-trojan-1357755.html
http://www.ccc.de/en/updates/2011/staatstrojaner
http://www.h-online.com/security/news/item/Anti-virus-software-fails-to-deal-with-government-trojan-1360015.html

system · October 19, 2011, 3:18pm

Nesivos post:1:

Tillmann Werner Kaspersky Lab Expert Posted October 18, 15:15 GMT
About two weeks ago, the German Chaos Computer Club (CCC) has published an analysis report of a backdoor trojan that they claim had been used by German police during investigations in order to capture VoIP and IM communication on a suspect’s PC. Our friends over at F-Secure published a blog post last week where they wrote about another file that, according to them, seemed to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.

The dropper carries five other binaries in its resource table, so there are six components in total – each with a different purpose – all of which have been analyzed by us. Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.
Target Applications

Previous discussions of R2D2 mention Skype as a target application that is monitored by the trojan. The version analyzed by us indicates that Skype is targeted as well, but also all common web browsers, various instant messaging applications and voice-over-ip software, such as ICQ, MSN Messenger, Low-Rate Voip, paltalk, SimpPro, sipgate X-Lite, VoipBuster and Yahoo! Messenger. The list of process names is:
explorer.exe
firefox.exe
icqlite.exe
lowratevoip.exe
msnmsgr.exe
opera.exe
paltalk.exe
simplite-icq-aim.exe
simppro.exe
sipgatexlite.exe
skype.exe
skypepm.exe
voipbuster.exe
x-lite.exe
yahoomessenger.exe</blockquote>
https://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother

You can read some more about Backdoor.R2D2.A here

Backdoor.R2D2.A a.k.a “der Bundestrojaner”][Malware Review] Backdoor.R2D2.A a.k.a “der Bundestrojaner”

Bid Defender has a x32 and x64 removal tool available for Backdoor.R2D2.A. Never hurts to be super caution with stuff like this and use something in addition to avast! to check your computer just to make sure.

http://www.malwarecity.com/community/index.php?s=4c6187b94151981ea4a8e6865076d624&app=downloads&showcat=1

Avast detects this threat (10/10/2011 - 111010-2).

Win32:R2D2 [Trj], Win32:R2D2-B [Trj], Win32:R2D2-C [Trj], Win32:R2D2-E [Trj], Win32:R2D2-F [Trj],

Federal Trojan's got a "Big Brother"

Announcements