Cisco Blogs

Cisco Releases IPS Signature to Detect Alleged German Government Trojan

October 19, 2011

Earlier today we released IPS Signatures 39866-0 and 39866-1 as part of the S603 update for our Cisco Services for IPS customers. These signatures detect or block network traffic associated with the “R2D2 trojan” allegedly used by German authorities to surveil individuals of interest. Originally discovered and announced by the Chaos Computer Club in Germany, this software can install additional software on, monitor, and remotely control any computer it is installed on.

This is not the first time Cisco Security Intelligence Operations has reported on this software. We released a public Malware Alert on 10/13 and discussed it in our weekly Cyber Risk Report. The following excerpt is from the Cyber Risk Report entry:

IntelliShield Analysis: Aside from the legal questions on lawful intercept and privacy protections, the possibly greater risk associated with this incident is the poor quality of the trojan code used. The researchers reported that the trojan does encrypt the data, but it uses a common and fixed encryption key. The trojan also reportedly has no authentication controls. The use of this poorly coded trojan by German authorities could open the monitored system to additional attacks and exploits. Criminals may be able to use the government-installed trojan to gain access to the system, download additional malicious software, and perform criminal activity, arguably enabled by the authorities’ installation of the trojan.

It is with the worldwide footprint of Cisco IPS installations and the above perspective in mind that we decided to publish this signature.
