German Surveillance Trojan Spies On Fifteen Apps
itwbennett writes "Researchers from Kaspersky Lab have discovered that the R2D2 surveillance Trojan, which is used by German law enforcement to intercept Internet phone calls, is capable of monitoring traffic from popular browsers and instant messaging applications. 'Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows,' said Tillmann Werner, a security researcher with Kaspersky in Germany. 'Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.'"
Yet another reason... (Score:1)
Not to run Windows.
Nathan
PS.. image word "CONCUR"
Re: (Score:2)
Not to run Windows.
Or to allow someone to install "updates" to your computer who goes by the name S. Tazi or Gus Tappo.
Re:Yet another reason... (Score:4, Funny)
A lady named Krystal Nacht insisted that I upgrade my shared libraries and clean up my registry, but when I did it, I found that my Windows was broken.
Re: (Score:2)
*has a stroke from Godwin overdose*
Apps? (Score:2)
Re: (Score:1)
"App" is a shortening of "application". They're not specifically for mobile phones though idiots will say that's the case.
Re: (Score:1)
Apps are what you get at Chili's. I recommend the Texas Cheese Fries.
Applications are uses, or forms you fill out for shit.
Programs are what you hand out at a theater.
Software is software.
Re: (Score:2)
Sometimes a church has an apps. Oh wait, that's an apse.
Re: (Score:2)
"App" just refers to an especially crappy application, usually running on a phone or set-top box, with minimal user configurability.
I'm pretty sure 'app' has just been short for 'application' for the last 20 years or so. It isn't specific to mobile apps.
GPG? (Score:1)
How good of a code audit does GPG undergo? IIRC, GPG is largely funded by the German government.
Re: (Score:2)
> How good of a code audit does GPG undergo? IIRC, GPG is
> largely funded by the German government.
As good as you'd like to make your audit:
ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.18.tar.bz2 [gnupg.org]
I want to move to Germany... (Score:2)
Imagine being able to legally work on producing the software to do this. Not just legally- but with the backing of the government. ... no, I do not condone it... ... but it would be fascinating to work on. :)
Re: (Score:2)
Vee haf vays of monitoring yur messages!
Re: (Score:1)
Re:I want to move to Germany... (Score:4, Funny)
Vee haf vays of monitoring yur messages!
In Soviet Germany ... wait, what?!?
Re: (Score:1)
Shaka! The walls fell?
Re:I want to move to Germany... (Score:5, Interesting)
Imagine being able to legally work on producing the software to do this. Not just legally- but with the backing of the government. ... no, I do not condone it... ... but it would be fascinating to work on. :)
Imagine a world where a government employs such devious means...
Then imagine a world where the government kicks down your door because you detected their worm and quarantined it - which makes you a person of interest.
Re: (Score:2)
They use some more hands on methods to get it installed than your ordinary worm.
Like breaking into your house, or snatching a device for a "security check" (at which point you are to give them all passwords of course).
Re: (Score:2)
"Then imagine a world where the government kicks down your door because you detected their worm and quarantined it - which makes you a person of interest."
Then imagine that country's track record over the first forty-five years of the last century, plus the track record (yet to be fully revealed) of the Eastern half of that country, and don't forget how many players are either still alive or lived long enough to have direct contact including training with current law enforcement.
Sleep tight.
Re: (Score:2)
Re: (Score:3)
You will have to apply for a job at that one company they hand all those shady contracts to. You know, the one the minister of interior is involved with.
Good news though: from what the CCC told us, they are really in need of some capable hackers.
Re: (Score:2)
If they know it exists then it's not very secret is it? Most antivirus apps have open virus definition files. Chances are there is no whitelist for these, and in fact I would expect any AV tool that does heuristic scanning to pick it up.
They damn well better pick it up if they're going to pick up every cracked game executable in existence >_<
Re: (Score:3)
Anti Virus are good at picking up malware that spread a lot.
But these trojans are supposed to be used in very limited cases, so there is little chance of any AV aiming to find them specifically (up until now that is).
Heuristics are supposed to handle such cases, but you can test your malware against those heuristics until you are good to go and if they don't know of you, they can't change heuristics to catch you.
Re: (Score:2)
Anti Virus are good at picking up malware that spread a lot. But these trojans are supposed to be used in very limited cases, so there is little chance of any AV aiming to find them specifically (up until now that is). Heuristics are supposed to handle such cases, but you can test your malware against those heuristics until you are good to go and if they don't know of you, they can't change heuristics to catch you.
RTFA.
Kaspersky stated that their AV had already detected this heuristically as a variation of the R2D2 Trojan and blocked it. They suggest installing a password in your AV to prevent anyone adding any malware to its exclusions list, as the installers had physical access to the computer to install it.
Re: (Score:1)
n/t
Sorry, this is completely off-topic, but doesn't typing "n/t" (by which I'm assuming you mean "no text") in your post make the reason for typing it a moot point? Kind of self-contradictory?
Just a question...
Re: (Score:2)
Law enforcement reports... (Score:1)
In Corporate US, it's for Legal Documentation ! (Score:3)
Such 'spyware' is rife in the Corporate world, but it's called "Document retention" and "monitoring for legal cases". Corporate smart phones, computers, etc. are all equipped with methods to record everything we do. Just because some shyster could possibly want to use it as an axe to suck money from our company.
You *CAN* get a job in industry writing this kind of code. Seriously. It's out there.
Top Notch Support (Score:3)
"...capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows"
I wish all software and hardware vendors were that current.
R2D2? (Score:1)
Re:R2D2? (Score:5, Funny)
Re: (Score:2)
And the empire is obviously a derivative work from copyrighted Nazi documents and patented Nazi methodology and procedures. I would love to see Lucas just absolutely ass-raped in court. George is a douchenozzle.
The fact that more people in the past haven't told Lucas to go get f**ked and stand their ground is why things are as ridiculous as they are. When you can copyright object shapes and terms such as "Droid" and win in court, all hope is lost. It's gotten to the point where it's so insane, I just g
Cool (Score:2)
Where can I download this app?
Re: (Score:1)
The original press release from chaos computer club at http://www.ccc.de/de/updates/2011/staatstrojaner [www.ccc.de]
points to
http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz [www.ccc.de]
Feel free to do your own analysis :-)
However, AV software now does have at least one more symptom to watch out for possible malware: the trojan included a couple of .DLLs, which didn't export any kind of function.
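The symptom named in the comment above, a DLL that exports no functions, can be read straight from a file's PE headers. This is an added example, not part of the original thread or of any AV product's code; `dll_without_exports` and `build_header` are hypothetical names, and the sample images are constructed header-only byte strings.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit: image is a DLL

def dll_without_exports(data: bytes) -> bool:
    """True if data is a PE DLL whose export data directory is empty."""
    try:
        if data[:2] != b"MZ":
            return False
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)    # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return False
        coff = pe_off + 4
        (characteristics,) = struct.unpack_from("<H", data, coff + 18)
        if not characteristics & IMAGE_FILE_DLL:
            return False                                    # EXE, not a DLL
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", data, opt)
        fixed = {0x10B: 96, 0x20B: 112}.get(magic)          # PE32 / PE32+
        if fixed is None:
            return False
        (n_dirs,) = struct.unpack_from("<I", data, opt + fixed - 4)
        if n_dirs == 0:
            return True                                     # no data directories
        # Data directory entry 0 is the export table (RVA, size).
        rva, size = struct.unpack_from("<II", data, opt + fixed)
        return rva == 0 or size == 0
    except struct.error:                                    # truncated header
        return False

def build_header(is_dll, export_rva, export_size, pe32_plus=False):
    """Constructed, header-only PE image for the demo (not a loadable file)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    magic, fixed = (0x20B, 112) if pe32_plus else (0x10B, 96)
    opt = struct.pack("<H", magic) + b"\0" * (fixed - 6) + struct.pack("<I", 16)
    opt += struct.pack("<II", export_rva, export_size) + b"\0" * (15 * 8)
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)
    machine = 0x8664 if pe32_plus else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), chars)
    return dos + b"PE\0\0" + coff + opt

if __name__ == "__main__":
    samples = {
        "dll, no exports": build_header(True, 0, 0),
        "dll, with exports": build_header(True, 0x2000, 0x80),
        "exe, no exports": build_header(False, 0, 0),
    }
    for name, image in samples.items():
        print(f"{name}: flagged={dll_without_exports(image)}")
```

Resource-only DLLs legitimately have an empty export directory, so a hit is a triage signal to combine with other indicators rather than a verdict.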
Re: (Score:2)
Cool and Thx, It's just something else to look out for. Privacy musta died at least 10 years ago.
German Surveillance: "No Linux support plans" (Score:5, Funny)
He cited multiple problems, including lack of support for MS Trojan APIs on non-Windows platforms. While there is [not] an emulator, called Bier, it is not powerful enough to support full Trojan functionality suite.
Many Germans complained that this is the last reason that keeps them from switching to Linux. One of the interviewers complained: "They are using our Steuergeldern, there should be Chancengleichheit for all Trojans, not just Microsoft!"
Re: (Score:2)
If your Mac or Linux setup is wired, the feds might chat with your ISP and go direct down your ISP network next time you connect.
Windows is well understood from a security admin ~ protective tools view. It's wide open and easy to slip something in on most versions.
Some new, unknown, different, exotic outgoing Mac/Linux software firewall/log m
Re: (Score:1)
Legal representatives of the trojan-authoring company "DigiTask" actually stated to German press that "basically DigiTask were able to supply software for other operating systems as well - if the contract tells them to do so."
So your attempt to be funny does point in a completely wrong direction: those guys who wrote this "legal interception" piece of spyware are clearly "dangerous" to non-Windows platforms as well.
On a sidenote, for at least 30 years or so German students in school classes after elementary
Re: (Score:2)
I am not a security expert, but highly doubt this Trojan could be created for Linux. Which distribution would it target? How would it gain access to root to install the Trojan? I am sure there are loopholes, and suppose they exploited one; the very moment someone finds it, that loophole is getti
Re: (Score:1)
No offense taken - I do see the whole trojan surveillance issue as being a very important issue for multiple reasons.
For example, many people are having their laughs on the low level of technical expertise being used in this trojan. A few ones are also laughing about how these trojans have been installed (e.g. in one case, a customs officer at an airport wanted to do some extensive checks on one suspect's notebook; the suspect handed them the notebook, the officer left for a few minutes into another room an
Re: (Score:2)
Missing App Names? (Score:1)
Interesting to see that pidgin.exe and chrome.exe aren't in the list....
Funny that... (Score:2)
Slashdot used to be my primary news aggregator. Well, it's stories like this that push me away. Not the story itself, mind you, I was quite interested in the comments to it. No, the fact that all there was was "funny" jokes about Germans and their bad English. If I want that, I can watch Fawlty Towers on YouTube, it's way more funny (http://www.youtube.com/watch?v=IngEMj4krpA [youtube.com]).
Bye (for now?).