German States Used Malware to Spy on Their Citizens

It sounds like the plot of a mid-tier thriller, but it actually happened: German governments have been deploying state-sponsored malware to spy on their citizens... for two years. And the trojan they used is serious business.

It's not clear how many people the German states of Bavaria, Baden-Württemberg, Brandenburg, Schleswig-Holstein, Lower Saxony, and North Rhine-Westphalia spied on through their computers, but the fact that such a wide swath of the country was subject to the mere possibility of governmental cyber-surveillance is disturbing enough. The trojan in question, nicknamed R2D2, doesn't mess around:

Once installed, the trojan's operators could load and execute programs on the host computer. If that wasn't distressing enough, the program was also capable of capturing voice data, keystrokes, and imagery from infected computers. Analysis of the trojan showed that it could also activate a computer's webcam or microphone, turning the infected computer into an all-purpose spying machine.

Details are still somewhat hazy, but the more you hear the worse it gets: the company that made R2D2 says they also sold the program to Austria, the Netherlands, and Switzerland, and the Chaos Computer Club—which first identified the malware as state-sponsored—believes it could easily be hijacked by third-party users.

Even scarier? The program may well actually be legal under German legislation, passed in 2008, that allows for digital wiretaps of an unspecified nature.

In the movie version, this ends with recriminations and systems brought down and barrel-chested heroes and maybe a triumphant flugelhorn blast. In real life? Still unfolding. But I'm guessing it's more a series of inquiries, a few vague empty-suited apologies. And an earned paranoia that leaves a mighty stain. [Slashdot via Geekosystem]