The Latest in IT Security

Backdoor Snoops on Skype, MSN, and Yahoo! Messenger

11
Oct
2011

We recently came across reports about a hacker group that was able to detect a backdoor which was found capable of monitoring online activities and recording calls when using Skype. However, apart from its routines, it garnered media attention because of its claims that the discovered backdoor may be used by German Law Enforcement.

The malware, which we detect as BKDR_R2D2.A is known as “R2D2″ based on the strings on its malware code:

Based on our analysis, this malware is capable of the following functionalities:

  • Listen to chat conversations for applications such as Skype, Yahoo! Messenger, MSN Messenger and SipGate x-lite.
  • Record audio calls when using Skype
  • Monitor web browsing activities with browsers SeaMonkey, Navigator, Opera, Internet Explorer and Mozilla Firefox.
  • Take screenshots on the affected system.

Below are a list of programs it monitors and injects itself into.

Click for larger view
This backdoor also receives commands from a remote site and is capable of installing component files, retrieving system information, downloading, uploading, and executing programs, and uninstalling itself. It also has the ability to communicate with a remote IP address to receive commands from a remote user. This allows total control on the user’s system.

The malware code doesn’t show any information about its connection to any government. However, we’ve encountered reports saying that the Bavarian Minister of Interior Affairs Joachim Herrmann (CSU) already confirmed that the malware was created by the Bavarian police.

Regardless of its creator, however, R2D2 still remains to be an information-stealing tool, and we find it of utmost importance that users are protected from having their privacy broken into. Especially with this release of information to the public, it is highly likely that we will find this tool on the hands of cybercriminals, to be used for more sinister intent. With this, Trend Micro detects R2D2 as BKDR_R2D2.A and its component file as RTKT_R2D2.A.

Leave a reply


Categories

WEDNESDAY, DECEMBER 13, 2017

Featured

Archives

Latest Comments

Social Networks