Bundestrojaner, or the federal Trojan, has been extensively debated in the press for the past couple of days. It all started with an announcement over the weekend when the Chaos Computer Club (CCC) said they had found a backdoor Trojan allegedly used by the German government for “lawful interceptions”. Even though German spokespersons and ministers denied any involvement, the subject remains controversial.
Apart from the flaming context surrounding Backdoor.R2D2.A, this e-threat is in fact a highly interesting piece of code. From a technical viewpoint, it deserves a closer look.
Identified by Bitdefender as Backdoor.R2D2.A, this Trojan only targets Windows systems, ranging from 2000 to Vista. The dll file that it drops runs only if loaded by one of the following processes: Skype.exe, SkypePM.exe, explorer.exe, msnmsgr.exe, yahoomessenger.exe, x-lite.exe or sipgatexlite.exe. Notable here is the fact that Backdoor.R2D2 behaves differently according to the application loading it.
The backdoor especially targets VoIP applications. It tracks and sends to the C&C server information regarding instant messenger discussions and conferences, answered or missed calls, written messages between two or more users, and oral conversations via Skype. So nothing remains a secret to this Trojan, as it catalogs it all: who the user speaks to, when and how long these conversations last, what messages the targeted person receives, and what calls he takes or rejects.
Furthermore, it monitors the user’s online activities, keeping a close eye on popular Internet browsers such as Opera, Internet Explorer, Mozilla Firefox, Navigator, and SeaMonkey. It also takes screenshots of the user’s screen and sends them to a remote location which appears to be near Düsseldorf. And on top of it all, this spy master is capable of downloading and executing further malicious files.
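The list of host processes above gives defenders a concrete hunting angle: a DLL that only ever runs inside Skype.exe, explorer.exe or the messenger clients should show up in image-load telemetry as an unsigned or oddly located module inside exactly those processes, often in more than one of them. The script below is an added example written for this post, not Bitdefender's code or a published indicator: it runs a simple triage rule over a constructed CSV of image-load events (the log format, the `PLACEHOLDER_suspicious.dll` name and the paths are all made up for illustration) and reports modules loaded into the targeted host processes that are unsigned or loaded from outside the usual install directories, plus any module seen inside two or more of those hosts.

```python
"""Triage image-load telemetry for modules loaded into the host processes
that Backdoor.R2D2.A is reported to piggyback on.

Added example, not part of the original post. The CSV format, file names
and paths below are constructed for illustration only.
"""
import csv
import io
from collections import defaultdict

# Host processes named in the post: the dropped DLL only runs inside these.
R2D2_HOST_PROCESSES = {
    "skype.exe", "skypepm.exe", "explorer.exe", "msnmsgr.exe",
    "yahoomessenger.exe", "x-lite.exe", "sipgatexlite.exe",
}

# Directories a legitimately installed DLL is normally loaded from.
# A module loaded into a host process from elsewhere deserves a look.
TRUSTED_DIR_PREFIXES = (
    r"c:\windows\system32\\"[:-1],
    r"c:\program files\\"[:-1],
    r"c:\program files (x86)\\"[:-1],
)

# Constructed sample telemetry: one image-load event per row
# (timestamp, process that loaded the image, image path, signature check).
SAMPLE_LOG = r"""timestamp,host_process,image_path,signed
2011-10-10T09:01:02,skype.exe,C:\Program Files\Skype\Phone\Skype.exe,yes
2011-10-10T09:01:03,skype.exe,C:\Windows\System32\ws2_32.dll,yes
2011-10-10T09:01:05,skype.exe,C:\Windows\System32\PLACEHOLDER_suspicious.dll,no
2011-10-10T09:02:10,explorer.exe,C:\Users\alice\AppData\Local\Temp\PLACEHOLDER_suspicious.dll,no
2011-10-10T09:03:00,notepad.exe,C:\Users\alice\AppData\Local\Temp\PLACEHOLDER_suspicious.dll,no
2011-10-10T09:04:00,firefox.exe,C:\Program Files\Mozilla Firefox\xul.dll,yes
"""


def parse_events(text):
    """Parse the constructed CSV telemetry into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_trusted_path(path):
    """True if the image sits under one of the usual install directories."""
    normalized = path.lower().replace("/", "\\")
    return normalized.startswith(TRUSTED_DIR_PREFIXES)


def triage(events):
    """Apply the rule to every event loaded into a targeted host process.

    Returns (findings, hosts_by_image): findings is a list of suspicious
    loads with the reasons that fired; hosts_by_image maps each DLL name to
    the set of host processes it was seen inside.
    """
    findings = []
    hosts_by_image = defaultdict(set)
    for ev in events:
        host = ev["host_process"].lower()
        if host not in R2D2_HOST_PROCESSES:
            continue  # only the processes the Trojan is known to run inside
        path = ev["image_path"]
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if not name.endswith(".dll"):
            continue  # skip the host process's own executable image
        hosts_by_image[name].add(host)
        reasons = []
        if ev["signed"].strip().lower() != "yes":
            reasons.append("unsigned")
        if not is_trusted_path(path):
            reasons.append("untrusted-path")
        if reasons:
            findings.append({"timestamp": ev["timestamp"], "host": host,
                             "image": path, "reasons": reasons})
    return findings, dict(hosts_by_image)


def multi_host_images(hosts_by_image, minimum=2):
    """DLL names seen inside `minimum` or more of the targeted host processes,
    which matches the post's point that the same DLL adapts to whichever
    host loads it."""
    return {n: sorted(h) for n, h in hosts_by_image.items() if len(h) >= minimum}


if __name__ == "__main__":
    found, hosts = triage(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["timestamp"], f["host"], f["image"], ",".join(f["reasons"]))
    print("seen in multiple hosts:", multi_host_images(hosts))
```

On the sample data the rule flags the placeholder DLL twice (unsigned inside skype.exe, unsigned and loaded from a temp directory inside explorer.exe), ignores the same file inside notepad.exe because that is not a host process the post names, and reports the placeholder as the one module seen in more than one targeted host. Real telemetry (image-load events from an EDR or Sysmon) carries the same four fields, so the rule ports directly; the signature check is the weaker of the two conditions, since a signed DLL in an unexpected location still fires on the path test.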
This article is based on the technical information provided courtesy of Doina Cosovan, BitDefender Virus Analyst.
All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.