Researchers at security vendor Kaspersky have discovered a version of the German R2D2 “Federal Trojan” that has a slightly longer list of targets and also supports the more secure 64-bit version of Windows.
The version discovered by the Chaos Computer Club earlier this month could only be used to capture communications on 32-bit Windows target machines from Skype.
Security vendors pointed out at the time that it could also capture information from MSN Messenger, Yahoo Messenger and take screen shots of pages within several widely-used browsers, including Firefox and Internet Explorer, but not Chrome.
The 64-bit version was also designed to capture data from popular messaging service ICQ and a host of other VoIP products, such as Low-Rate Voip, paltalk, SimpPro and sipgate X-lite, according to Kaspersky Lab.
In all it infects 15 applications.
Despite its expanded list of target applications, the newly discovered rootkit only provided “a rudimentary privilege escalation interface” compared with the earlier version.
The newer trojan also contains a bogus 1024 bit RSA certificate that would be used by the operating system to validate the applications.
“It is well known that 64 bit kernel modules must carry a valid digital signature that can be checked by the operating system, or loading the driver fails,” said Kaspersky’s Tillman Werner.
A user must intentionally install the certificate in order for the rootkit’s driver to install, however the alert that would pop up to user highlights that the CA Root certificate should not be trusted.
That certificated was issued by what appears to be a fictitious certificate authority, Goose Cert, on April 11, 2010.