NEWS FROM THE LAB - Tuesday, October 11, 2011

More Info on German State Backdoor: Case R2D2 Posted by Sean @ 12:56 GMT

Last weekend, the Germany-based Chaos Computer Club (CCC) published details on a backdoor trojan which they claimed was being used by German authorities in violation of German law.

And now several German states have admitted to using Backdoor:W32/R2D2.A (a.k.a. "0zapftis"), though they say its use falls within what the law allows.

In one case, the trojan was installed on a suspect's laptop while he was passing through customs and immigration at Munich International Airport.

Here are some additional details about the backdoor itself.

The CCC's report included analysis of the backdoor's DLL and kernel driver. The CCC apparently did not have access to the installer, which would have been run locally on the suspect's computer to put those components in place.

We do have the installer.

Here's a screenshot from our malware containment system:


The installer file is called "scuinst.exe". It was first seen on December 9th, 2010.

What's the importance of the filename scuinst.exe? It's an abbreviation for Skype Capture Unit Installer. Skype Capture Unit is the name of the commercial trojan developed by a company called DigiTask from the city of Haiger, Germany. For more information on the background of DigiTask and Skype Capture Unit, see these documents leaked by WikiLeaks. And here's a document showing the German Customs Investigation Bureau purchasing surveillance services from DigiTask worth 2,075,256 euro. That's over two million euro.


Our system automation didn't like scuinst.exe and automatically set it to be blocked on customers' computers. The "heuristic" category indicates that our automation flagged the file based on rules that our analysts have created.

Have any F-Secure customers been exposed to R2D2?

No. Our statistics show no customer encounters with this backdoor in the wild before the CCC's announcement.

How did F-Secure get a copy of the installer then?

We (and numerous other antivirus vendors) received the file from virustotal.com.

In fact, the installer had been submitted to VirusTotal multiple times:


So lots of antivirus vendors have the installer?

Yes. VirusTotal is a service that analyzes suspicious files with multiple antivirus engines and reports each engine's detection name. VirusTotal is a cooperative effort, and it shares submitted samples with every vendor that participates.

If there's no detection, does that mean there's no protection?

No. Many antivirus products (such as F-Secure Internet Security) have additional layers of protection beyond traditional signature detection. Just because a threat doesn't have a signature "detection" doesn't mean it won't be "blocked" by another layer of defense.

In this case, R2D2's installer would have been blocked by our "cloud" layer even before traditional signature database detections had been published.
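As an added illustration of the layered approach described above (this is example code written for this post, not F-Secure's engine, rules or data), here is a small Python scanner with three layers: a traditional signature database, analyst-style heuristic rules of the kind behind the "heuristic" category mentioned earlier, and a cloud reputation lookup keyed by SHA-256. The signature patterns, the two heuristic rules, the reputation table and the sample files are all constructed for the example. The point it shows is that a file with no signature is still blocked by the heuristic or the cloud layer.

```python
"""Layered file scanning: signature, heuristic rules and cloud reputation.

Constructed example for this post; not F-Secure's engine, rules or data.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Verdict:
    blocked: bool
    layer: Optional[str] = None   # "cloud", "signature" or "heuristic"
    reason: Optional[str] = None  # detection name or reputation note


# Layer 1: traditional signature database. A detection name maps to a byte
# pattern that must occur verbatim. The pattern is made up for the example.
SIGNATURES: Dict[str, bytes] = {
    "Trojan:W32/ExampleDropper.A": b"EXAMPLE-DROPPER-v1",
}

# Layer 2: analyst-written heuristic rules. A rule sees the file name and
# bytes and returns True on a hit. Both rules below are illustrative only.
Rule = Callable[[str, bytes], bool]


def installer_drops_driver(name: str, data: bytes) -> bool:
    """Installer that embeds a .sys driver name and imports the service
    control manager APIs used to register and start a kernel service."""
    return (name.lower().endswith("inst.exe")
            and re.search(rb"[A-Za-z0-9_]+\.sys\x00", data) is not None
            and b"CreateServiceA" in data
            and b"StartServiceA" in data)


def remote_thread_injection(name: str, data: bytes) -> bool:
    """Classic code-injection import pair, regardless of file name."""
    return b"WriteProcessMemory" in data and b"CreateRemoteThread" in data


HEURISTICS: Dict[str, Rule] = {
    "Heuristic.Installer.DriverDrop": installer_drops_driver,
    "Heuristic.Injection.RemoteThread": remote_thread_injection,
}


# Layer 3: cloud reputation keyed by SHA-256. A product queries a backend;
# a dictionary stands in for it here so the example runs offline.
@dataclass
class Reputation:
    verdict: str  # "block", "allow" or "unknown"
    note: str = ""


class CloudReputation:
    def __init__(self, table: Dict[str, Reputation]):
        self._table = table

    def lookup(self, digest: str) -> Reputation:
        return self._table.get(digest, Reputation("unknown"))


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(name: str, data: bytes, cloud: CloudReputation) -> Verdict:
    """Run the layers in the order a client would: the cheap and most
    current hash lookup first, then local signatures, then heuristics."""
    rep = cloud.lookup(sha256(data))
    if rep.verdict == "block":
        return Verdict(True, "cloud", rep.note)
    for detection, pattern in SIGNATURES.items():
        if pattern in data:
            return Verdict(True, "signature", detection)
    for detection, rule in HEURISTICS.items():
        if rule(name, data):
            return Verdict(True, "heuristic", detection)
    return Verdict(False)


# Constructed sample files: a DOS-header-like prefix followed by the strings
# a scanner would see. None of this is real malware content.
MZ = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_KNOWN = MZ + b"EXAMPLE-DROPPER-v1\x00"
SAMPLE_NO_SIGNATURE = MZ + b"CreateServiceA\x00StartServiceA\x00capture.sys\x00"
SAMPLE_CLOUD_ONLY = MZ + b"opaque payload with nothing a static rule keys on\x00"
SAMPLE_BENIGN = MZ + b"hello world\x00"

# Stand-in cloud table: the third sample has been judged malicious on the
# back end (say, after turning up on a multi-scanner) but no signature
# for it has been published yet.
CLOUD = CloudReputation({
    sha256(SAMPLE_CLOUD_ONLY): Reputation("block", "low prevalence, analyst-confirmed malicious"),
})

if __name__ == "__main__":
    for fname, blob in [("update.exe", SAMPLE_KNOWN),
                        ("capinst.exe", SAMPLE_NO_SIGNATURE),
                        ("setup.exe", SAMPLE_CLOUD_ONLY),
                        ("notepad.exe", SAMPLE_BENIGN)]:
        print(fname, scan(fname, blob, CLOUD))
```

Running the block prints one verdict per sample: the first is caught by its signature, the second has no signature but trips the driver-dropping heuristic, the third is caught only by the cloud lookup, and the benign file passes every layer. Note that the first heuristic keys partly on the file name, so the same driver-dropping content under a different name slips past it; that brittleness is exactly why products stack several layers rather than relying on any one.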

So if VirusTotal shares with everybody, wouldn't somebody trying to keep a backdoor secret be stupid to upload it there?

Yes. That's why professional malware authors use black market multi-scanners, which, unlike VirusTotal, don't pass the scanned samples on to antivirus vendors.

Then why would R2D2's authors give it away?

Perhaps that was the only way they knew of to "test" their backdoor's installer.

Or perhaps they didn't care that they'd be decreasing the lifespan and effectiveness of their backdoor.

Or perhaps it just demonstrates the German government's (and the hired backdoor developer's) lack of understanding of what the antivirus industry does, and how frequently we work together to protect our customers.

We're all in this together.