Possible Governmental Backdoor found ("case R2D2")

Possible Governmental Backdoor found ("case R2D2")

www.f-secure.com

The announcment was made public on ccc.de with a detailed 20-page analysis of the functionality of the malware. Download the report in PDF (in German)

The malware in question is a Windows backdoor consisting of a DLL and a kernel driver.

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.1

(visit the link for the full news article)

I am beginning to wonder what other marvels will become known. How many more web snooping devices are in action now? Did any of us invite the government into our homes?

Disgruntled unemployed are not known to want to hold secrets. I suspect within the next year more revelations will come to light, and they won't need hackers to find them.

www.f-secure.com
(visit the link for the full news article)

Interesting. Not really surprising. I've always felt that your computer is an open book for governments and law enforcement. How else do they detect pedophiles?

From what I know F-Secure is a well-respected anti-malware company, and I don't doubt the report.

So...what exactly does this mean for Mozilla users in America?

Is the backdoor a windows thing for everybody or is this specific to these 2 servers?

We are expecting this to become a major news story. It's likely there will be an official response from the German government.

This should become a huge story indeed.

On a related note, it w as a German public radio station (SWR2) that broke a major news story regarding US FBI and Secret Service operating a major "carding" message forum by the name of Dark Market. Some of the US law enforcement broke international law by illegally tapping and taking over foreign servers in the process of running their sting operation.

I can only say "Thank you Germany" for exposing our government's incessant needs to spy on us. And dump Windows already

reply to post by Blackmarketeer


You can't dump windows/mac because it seems that someone gets involved with any "open source" software and screws it up. I was running Ubuntu, and loved it. But you can't get support for any version past 9.10. The machine i want Ubuntu on is needing something at least 2 versions older than that (due to poor graphics processing capability). Ubuntu, IMO, is the best bet. But they are making 2-3 full releases a year, and only supporting for maybe 2 years.

Firefox is doing the exact same thing. And any of the V4 or later are complete resource hogs (using 300-800k). What is up with that? Why does my FF need to use so much of my CPU?

I get the feeling that as soon as open source gets traction, it gets infiltrated and misdirected. I finally had to get XP reinstalled on the machine because it just wouldn't stay stable enough to do the things i wanted to do (run a household media server).

These are simply the "tests" that they perform with new software. Always under the guise of these types of events.

Not really anything new.
Michael Riconosciuto
Inslaw
Promis

I'm too lazy for links right now.

its not my fault you left your windows open said the thief in court

reply to post by FarmerGeneral


The story ends with:

It's likely there will be an official response from the German government.

So I guess we should be on the lookout for that. If anyone sees the official announcement, please post it (a link to it).

I like F-secure's policy on detecting government malware:

www.f-secure.com...

The name R2D2 comes from a string inside the trojan: "C3PO-r2d2-POE". This string is used internally by the trojan to initiate data transmission.

C3PO?
en.wikipedia.org...

R2D2?
en.wikipedia.org...

Whats with the "Star Wars" links? Sounds childish.

reply to post by K1771gnorance

I'm sure 99% of Star Wars fans don't need your wiki links to realize the significance of those designations.

Malware has at least two sources we know of:
-Childish pranks by script kiddies
-Sophisticated attacks by cybercriminals

Now this thread raises a third possibility of government malware. Maybe whoever wrote it wants people to think it was written by a script kiddie as part of the deception? Ir maybe the author was just a star wars fan? Some of those fans aren't kids anymore.

Windows uses this exe for a lot of activity "svchost.exe". When you open up your task mamager you will see a lot of them running, all performing a task. I use a firewall of NOD32, and put it on interactive mode. This "svchost.exe" want's to try and connect to he net a lot, and using strange and different IP adresses a lot. I always block it and never let ANYTHING from windows connect to the net. Not even Updates.

I have no clue to what this "svchost.exe" can do, but why it is used that often is beyond me, it's a good way to "hide in plain sight" i guess. Ending them in task manager, just results in them aurtomaticly restarting again.

Just wanted to share this.

reply to post by Required01


If you go to the Device Manager, Click View and Hidden Devices, and go expand the Network Adapters, you will see what is using a lot of those svchosts.exe

You can delete the ones you don't want and the svchosts.exe that is using it will disappear. Just be careful with what you delete. Better yet, just disable them to see if it effects something you use.

Originally posted by Required01
I use a firewall of NOD32

According to this link:

www.eset.com...

NOD32 is an antivirus, not a firewall.

They sell a separate product called ESET Smart Security 5, is that what you're talking about?

I'm still trying to find a decent firewall for XP64, but Comodo is the only halfway decent one I found, and it has tens of thousands of exceptions preconfigured which makes it like Swiss cheese. There doesn't seem to be a decent firewall for XP64, or if there is, I haven't found it.

After reading the F-secure policy on blocking government malware, I now wonder what the other security suppliers' policies are on that topic.

reply to post by Required01


Microsoft Windows uses several Services (constantly running background programs) that do all the tasks that people expect Windows to do. To make things easier to implement they turned all the Services into .dll files (which are basically files with code/functions in them). You can't directly run a .dll file, so you need a program to load/host them, and that is what svchost.exe does. SVC stands for Service, and HOST is quite obvious, it just hosts/loads/contains the Service's .dll(s).

To find out which services/dlls that a specific instance svchost.exe is hosting, you can right click on each svchost.exe in the Task Manager and click "Go To Service(s)".

Svchosts can host multiple services / dlls, but too many and it could become unstable and crash, so you usually find multiple instances of svchost.exe. For example, Windows firewall requires a few services to be constantly running for it to function, and all those services that deal with the firewall will be hosted by a single svchost.exe. Then, another svchost.exe will run all the services for your folder windows, and other user interface stuff, etc.

Those are not harmful at all.

I want to mention, a lot of unneeded Windows services are running by default, some of which average computer users never use. If you disable those services, this can decrease the amount of svchost.exe's are running on your computer at one time.

Originally posted by Arbitrageur

Originally posted by Required01
I use a firewall of NOD32

According to this link:

www.eset.com...

NOD32 is an antivirus, not a firewall.

They sell a separate product called ESET Smart Security 5, is that what you're talking about?

I'm still trying to find a decent firewall for XP64, but Comodo is the only halfway decent one I found, and it has tens of thousands of exceptions preconfigured which makes it like Swiss cheese. There doesn't seem to be a decent firewall for XP64, or if there is, I haven't found it.

After reading the F-secure policy on blocking government malware, I now wonder what the other security suppliers' policies are on that topic.

Yeah sorry it's called Smart Securty, i have both so they blend together in NOD32. My mistake tho, it's a great Antivirus and firewall for a low cost compared to Norton and sush, also not taking up a lot of resources on your pc!

Originally posted by K1771gnorance
reply to post by Required01

 

Microsoft Windows uses several Services (constantly running background programs) that do all the tasks that people expect Windows to do. To make things easier to implement they turned all the Services into .dll files (which are basically files with code/functions in them). You can't directly run a .dll file, so you need a program to load/host them, and that is what svchost.exe does. SVC stands for Service, and HOST is quite obvious, it just hosts/loads/contains the Service's .dll(s).

To find out which services/dlls that a specific instance svchost.exe is hosting, you can right click on each svchost.exe in the Task Manager and click "Go To Service(s)".

Svchosts can host multiple services / dlls, but too many and it could become unstable and crash, so you usually find multiple instances of svchost.exe. For example, Windows firewall requires a few services to be constantly running for it to function, and all those services that deal with the firewall will be hosted by a single svchost.exe. Then, another svchost.exe will run all the services for your folder windows, and other user interface stuff, etc.

Those are not harmful at all.

I want to mention, a lot of unneeded Windows services are running by default, some of which average computer users never use. If you disable those services, this can decrease the amount of svchost.exe's are running on your computer at one time.

edit on 10-10-2011 by K1771gnorance because: (no reason given)

yes this i know , i do light programming in C++ so i know the allround stuff, this is why i said that for a normal user it's dangerous, as there are so many svchosts running without directly showing what they run. Manilulating svchosts to run your custom dll is not that hard actually. That is why i say it's a potential hazzard, because it is an autorized exe running maybe an unknown dll file.

Yes services are running without even needing them, but does your mom, dad, uncle, ant know this? And how to terminate them so they don't run by default? We know because we searched and have experience in IT. For me i make a living in trouble shooting and support company networks, workspaces, pc's, etc. So i need to get the Microsoft exams and work with it daily.

There are so many things people don't know because they are normal users and simply use office, IE (or other brower) and play some games.

There's a warehouse in Reading Berkshire UK that stores all of the UK Emails, I have a friend who works there.

its official - nothing new in germany BUT from now on we know how it looks like...and how to defense it...


and regarding F-Secure:

This decision-making is influenced [...] within the applicable laws and regulations, in our case meaning EU laws.

nice1...according to german law, governemental tools have to be protected (means you have to help the police and not contrain them)...its written in the Telekommunikationsgesetz...& § 20k BKA-Law