Snowden Revelations Confirmed - Babar Spyware Records all Data

Share Article

G DATA experts analyze malware documented by the Canadian intelligence service

CSM IT Network

Babar is a highly developed spyware program that could only have been manufactured by very well-trained developers

G DATA SecurityLabs has been investigating a spyware sample that records and transfers keystrokes, clipboard data, monitor data and audio conversations, thus confirming the Snowden revelations concerning a French national spyware strain, documented by the Canadian intelligence service CSEC (Communication Security Establishment Canada). French newspaper Le Monde first reported the existence of these documents almost exactly a year ago. G DATA experts have now published the technical details for the first time, following the analysis of the Babar malware, which was conducted in tandem with other international security research agencies. The analysts were unable to determine whether these malware control servers have been deliberately put into operation or have been compromised. In the experts' opinion, building such software requires substantial investments in personnel and infrastructure. The level of complexity of the malware suggests that it originated from a secret service. The Canadian intelligence service believes the French secret service is behind Babar. G DATA security solutions detect and block the malware.

"Babar is a highly developed spyware program that could only have been manufactured by very well-trained developers”, explains Eddy Willems, Security Evangelist at G DATA Software AG. "Babar is designed to work specifically in networks belonging to companies, authorities, organisations and research institutes and to steal sensitive data from them. As a result, audio conversations such as Skype chats, for example, can be recorded. Even a targeted attack on individuals seems conceivable. A mass distribution of such malware, however, is very unlikely”, says Willems.

Background to the CSEC documents

In March 2014, the French daily newspaper Le Monde ran a report on documents from the Canadian intelligence service CSEC (Communication Security Establishment Canada) dated 2011, which came to light during the Edward Snowden revelations. German news magazine Der Spiegel took up the matter in January 2015 and published further contents from these documents - Operation Snowglobe.

What is Babar?

Babar is a Remote Administration Tool (RAT), the main function of which is to spy on data. Following the analysis of the EvilBunny malware in December 2014, According to the Canadian intelligence service, Babar was also the internal name of a national secret service operation called Snowglobe. This makes Babar the second malware strain to have been identified that is connected to the Snowglobe spyware campaign. The name "Babar" comes from a French series of children's books whose hero is an elephant.

Because of their similarities, G DATA security experts are convinced that the two strains originate from the same developers.

Detailed technical information can be found here:

The news article in Le Monde can be found here:

Article in the Vice Channel Motherboard:

Information on the CSEC Google+ Page can be found here:

About G DATA
IT security was invented in Germany: G DATA Software AG is the antivirus pioneer. It was more than 29 years ago that the company, founded in Bochum, developed the first program to combat computer viruses. These days, G DATA is one of the world's leading providers of IT security solutions.

For more information about the company and G DATA security solutions, see

For sales inquiries in North America please contact Contronex, Inc.

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Thorsten Urbanski
Follow >
Follow us on
Visit website