Mikko Hyppönen, who has been tracking the R2D2 story assiduously, observes with some surprise that he hasn't seen a single article on "R2D2" that tries to defend the need for lawful interception.
Actually, I haven't either, but I think there are at least two separate issues here. It seems fairly clear from the reports I've seen since our earlier blog post that German agencies probably have used it, and apparently illegally, given its extended functionality. In that respect, this isn't lawful interception, and it's not surprising that the AV industry has seen no reason to avoid detecting it, and has even gone out of its way to add detection.
It's true, though, that in cases where the public can see some desirable outcome of an illegal or borderline-legal action (consider the BBC's actions in renting a botnet, for example), we see a lot of commentary suggesting that "the end justifies the means."
It may also be in some cases that where a security company is closely associated with governmental security (or otherwise subject to governmental pressure) it will be more receptive to giving special treatment to policeware. However, turning a blind eye to all instances of some sort of standardized government Trojan is probably going to be a compromise too far for most AV researchers.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow