Earlier today we released IPS Signatures 39866-0 and 39866-1 as part of the S603 update to our Cisco Services for IPS customers. These signatures detect or block network traffic associated with the “R2D2 trojan” allegedly used by German authorities to surveil individuals of interest. Originally discovered and announced by the Chaos Computer Club in Germany, this software contains functionality to install additional software on, and to monitor and remotely control, any computer it is installed upon.
This is not the first time Cisco Security Intelligence Operations has reported on this software. We released a public Malware Alert on 10/13 and discussed it in our weekly Cyber Risk Report. The following excerpt is from the Cyber Risk Report entry:
IntelliShield Analysis: Aside from the legal questions on lawful intercept and privacy protections, the possibly greater risk associated with this incident is the poor properties of the trojan code used. The researchers reported that the trojan does use encryption of the data, but it uses a common and fixed encryption key. The trojan also reportedly has no authentication controls. The use of this poorly coded trojan by German authorities could open the monitored system to additional attacks and exploits. Criminals may be able to use the government-installed trojan to gain access to the system, download additional malicious software, and perform criminal activity, arguably enabled by the authorities’ installation of the trojan.
It is with the worldwide footprint of Cisco IPS installations and the above perspective in mind that we decided to publish this signature.