Can you trust your antivirus solution to protect you against governmental backdoors and "lawful interception" police Trojans?

Who can you trust to protect your systems from governmental snooping?

Any antivirus tool worth its salt should offer you comprehensive protection against malware created by bad guys who are out to do you harm. But what about protecting you against governmental backdoors or "lawful interception" police Trojans?

My blogging colleague Ed Bott reports that the Chaos Computer Club, a group of well-respected German hackers, have discovered in the wild what they claim is a backdoor Trojan created by the German government which is being used as 'a lawful interception malware program'.

The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

CCC analysis of the Trojan can be found here [PDF, German].

[UPDATE: As Bott points out, F-Secure doesn't speculate on the origin of the backdoor, but as pointed out by the German newspaper Frankfurter Allgemeine Zeitung (Frankfurt General Newspaper), the existence of this backdoor is known in Germany as it has been publicly discussed.]

Security firm F-Secure has analysed the Trojan and come to the following conclusions:

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include and

We do not know who created this backdoor and what it was used for.

We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

Pretty serious stuff. So who can you trust to protect you from 'government' malware? Well, I was impressed by F-Secure's statement on detecting governmental backdoors or "lawful interception" police Trojans:

In late 2001, F-Secure Corporation received various queries on our standpoint regarding the possibility of spying programs developed by various governments. Much of this discussion was generated by media coverage on rumored backdoor trojan known as "Magic Lantern", developed by FBI or NSA in USA. Discussion was increased as several US-based anti-virus vendors made comments implying they would on purpose leave a backdoor in their anti-virus products to allow such a spying program to work.

Thus, F-Secure Corporation would like to make known that we will not leave such backdoors to our F-Secure Anti-Virus products, regardless of the source of such tools. We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws.

We will also be adding detection of any program we see that might be used for terrorist activity or to benefit organized crime. We would like to state this for the record, as we have received queries regarding whether we would have the guts to detect something obviously made by a known violent mafia or terrorist organization. Yes we would.

That's good to know!

F-Secure detects this new malware as Backdoor:W32/R2D2.A, the name R2D2 comes from a string inside the trojan: "C3PO-r2d2-POE". A string used internally by the Trojan to initiate data transmission.

Do you trust your antivirus solution to protect your systems from governmental snooping?

Show Comments