[Malware Review] Backdoor.R2D2.A a.k.a "der Bundestrojanner"

Loredana BOTEZATU

October 11, 2011

Bundestrojaner, or the federal Trojan, has been extensively debated in the press for the past couple of days. It all started with an announcement over the weekend when Chaos Computer Club (CCC) said they found a backdoor Trojan allegedly used by the German government for “lawful interceptions”. Even though German spokespersons and ministers denied any involvement, the subject remains controversial.

Apart from the flaming context surrounding Backdoor.R2D2.A, this e-threat is in fact a highly interesting piece of code. From a technical viewpoint, it deserves a closer look.

Identified by Bitdefender as Backdoor.R2D2.A, this Trojan only targets Windows systems, ranging from 2000 to Vista. The dll file that it drops runs only if loaded by one of the following processes: Skype.exe, SkypePM.exe, explorer.exe, msnmsgr.exe, yahoomessenger.exe, x-lite.exe or sipgatexlite.exe. Notable here is the fact that Backdoor.R2D2 behaves differently according to the application loading it.
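One defender-side way to use the host-process gating described above is to hunt for modules that do not belong inside exactly those processes. The following is an added example, not code from the original post or from Bitdefender; the inventory line format, the module paths and the trusted-signer baseline are constructed for the demo.

```python
"""Flag unsigned or untrusted DLLs inside the host processes named above.
Added example, not Bitdefender's tooling; inventory lines, paths and the
trusted-signer baseline are constructed for the demo."""
from dataclasses import dataclass

# Host processes the write-up says the dropped DLL insists on running inside.
R2D2_HOST_PROCESSES = frozenset({
    "skype.exe", "skypepm.exe", "explorer.exe", "msnmsgr.exe",
    "yahoomessenger.exe", "x-lite.exe", "sipgatexlite.exe",
})
# Assumed signer baseline; a real one is built from a known-good fleet.
TRUSTED_SIGNERS = frozenset({"microsoft windows", "skype technologies sa"})

@dataclass(frozen=True)
class ModuleRecord:
    process: str      # image name of the process that loaded the module
    module_path: str  # full path of the loaded module
    signer: str       # Authenticode signer subject, "" when unsigned

def parse_inventory(text: str) -> list[ModuleRecord]:
    """Parse 'process|module_path|signer' lines; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        process, path, signer = (f.strip() for f in line.split("|", 2))
        records.append(ModuleRecord(process, path, signer))
    return records

def is_suspicious(rec: ModuleRecord) -> bool:
    """True for an unsigned/untrusted module loaded by one of the targeted hosts."""
    # Only the gated hosts count: the same unsigned DLL in notepad.exe is
    # not this indicator, even if it deserves a separate look.
    in_targeted_host = rec.process.lower() in R2D2_HOST_PROCESSES
    untrusted = rec.signer.lower() not in TRUSTED_SIGNERS
    return in_targeted_host and untrusted

def hunt(text: str) -> list[ModuleRecord]:
    """Return the suspicious records from a raw inventory dump."""
    return [r for r in parse_inventory(text) if is_suspicious(r)]

# Constructed sample: a benign Skype module, an unsigned DLL in Skype.exe,
# and an unsigned DLL in a process the Trojan does not target.
SAMPLE_INVENTORY = """
explorer.exe|C:\\Windows\\System32\\shell32.dll|Microsoft Windows
Skype.exe|C:\\Program Files\\Skype\\Phone\\Skype.exe|Skype Technologies SA
Skype.exe|C:\\Windows\\System32\\example_unknown.dll|
notepad.exe|C:\\Users\\alice\\AppData\\Local\\Temp\\example_unsigned.dll|
"""
```

Running `hunt(SAMPLE_INVENTORY)` returns only the unsigned module inside Skype.exe; the unsigned DLL in notepad.exe is left alone because that process is not one the Trojan gates on.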

The Backdoor especially targets VoIP applications. It tracks and sends to the C&C server information about instant messenger discussions and conferences, answered or missed calls, written messages between two or more users, and oral conversations via Skype. Nothing remains a secret to this Trojan, as it catalogs everything: who the user speaks to, when and how long these conversations last, what messages the targeted person receives, and what calls he takes or rejects.

Furthermore, it monitors the user's online activities, keeping a close eye on popular Internet browsers such as Opera, Internet Explorer, Mozilla Firefox, Navigator, and Seamonkey. It also takes screenshots of the user's screen and sends them to a remote location which appears to be near Dusseldorf. On top of it all, this spy master is capable of downloading and executing further malicious files.

Bitdefender yesterday released a new removal tool for the controversial Backdoor.R2D2.A, which can be downloaded free of charge from here (32-bit or 64-bit).

This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

A blend of product manager and journalist with a pinch of e-threat analysis, Loredana writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair.