German government accused of spying on citizens with state-sponsored Trojan

Summary: A well-established group of German hackers has accused the German government of releasing a backdoor Trojan into the wild. Security firm F-Secure has confirmed that the program includes a keylogger and code that can take screenshots and record audio.

A well-established group of German hackers, the Chaos Computer Club, has accused the German government of releasing a backdoor Trojan into the wild. According to Mikko Hypponen of F-Secure, the announcement was made public on the group's website in the form of a 20-page PDF (in German).

The accompanying English-language post claims the group reverse-engineered and analyzed the program, which it calls "a 'lawful interception' malware program used by German police forces".

It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

[...]

The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance.

According to the CCC, Quellen-TKÜ means "'source wiretapping' or lawful interception at the source" and Bundestrojaner means "federal trojan" and is "the colloquial German term for the original government malware concept."

The group includes a screenshot purporting to show the Trojan in action.

According to the report, the CCC wrote its own remote control program that wrested control of the Trojan, which consists of a Windows DLL and a kernel driver. That allowed the group to analyze the program's behavior and determine that it goes well beyond the ability to "observe and intercept internet based telecommunication" (in other words, wiretapping Internet-based telephony), which is allowed by German courts.

Here's a partial list of what the CCC analysis uncovered:

The trojan can ... receive uploads of arbitrary programs from the Internet and execute them remotely.

Activation of the computer's hardware like microphone or camera can be used for room surveillance.

[T]he design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

[With an additional module] it can be used to remotely control infected PCs over the internet [and] watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.

In its own analysis, F-Secure confirmed the workings of the program:

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

F-Secure sidestepped the thorny question of where the Trojan came from, saying, "We do not know who created this backdoor and what it was used for. ... We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself."

The company further added, "We have never before analysed a sample that has been suspected to be governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors."

This isn't the first time a government has been accused of using software to clandestinely spy on its citizens. The recent takeover of digital certificates issued by the Dutch firm DigiNotar was attributed by some sources to the Iranian government, which then reportedly used the forged certificates to snoop on its citizens' communications via Google Mail.

Similarly, the Chinese government was blamed for Operation Aurora, a 2010 attack that broke into servers at Google and as many as 30 other large corporations.

Over the years, Microsoft has been accused of working with the U.S. National Security Agency to build backdoors into Windows. Those accusations have been mostly discredited. (See this 2008 report and an earlier, overblown dustup over a cryptographic key dating back more than a decade.)

If the CCC analysis turns out to be accurate, this will be a first, and a significant black eye for a government that has largely been in the forefront of safeguarding personal privacy of its citizens.

The German government has not yet responded.


Talkback

55 comments
  • RE: German government accused of spying on citizens with state-sponsored Trojan

    The existence of a trojan isn't a secret. It was discussed publicly in Germany and there's even a ruling from the highest German court (Bundesverfassungsgericht) on constraints for law enforcement while using it. Basically this is the modern wire tapping.

    The scandal, discovered by CCC, is that the trojan is capable of much more than it is allowed; basically it can do everything that code allows. In addition, the security measures are implemented amateurishly, e.g. no encryption for remote commands, or the same keys used in every instance of the trojan.

    And the FAZ (http://www.faz.net/ - Germany's NYTimes) is making this its top story in its Sunday edition. So it's in the main media ...
    zeader
    • RE: German government accused of spying on citizens with state-sponsored Trojan

      @zeader
      Interesting link, but it would be handy if there were a good English version of the paper. Google Translate does kind of a choppy job...and I'm 45 years from my Reading Knowledge of Scientific German course.
      Bill4
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Bill4 Have you tried this: http://www.ccc.de/en/updates/2011/staatstrojaner
        mss712
  • Let me guess, it's winblows only, right?!

    Yeah, I read "Windows DLL" and "Windows backdoor"...
    Mikael_z
    • RE: German government accused of spying on citizens with state-sponsored Trojan

      @Mikael_z Yeah, it wouldn't make sense to build a trojan for operating systems whose market share is almost null; they may be stupid, but not children.
      Bafoo
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Bafoo LOL - Touché, and very good and accurate.
        ItsTheBottomLine
      • Alternatively...

        @Bafoo
        Anyone using a non-Windows OS is immune to this snooping attempt. And that's a Good Thing... ;-)
        Zogg
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Bafoo
        Does not make that much sense. Normally it would, if it was a criminal organisation that wanted to make money on as many people as possible.
        But this is made by a government to spy on "terrorist activities". Tell me, in which universe can a criminal NOT buy a mac?
        belli_bettens@...
    • I imagine you did not think that comment through.

      @Mikael_z
      Maybe they should make one for the TI-99/4A and Commodore 64 while they are at it, as you can imagine the amount of information you could retrieve that way.

      :|
      Tim Cook
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Mister Spock
        +1
        :)
        William Farrell
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Mister Spock LOL +1
        ItsTheBottomLine
      • That's illogical

        @Spock Impersonator
        The TI-99/4A and Commodore 64 are ancient and obsolete hardware platforms. Why are you equating them with contemporary Operating Systems?
        Zogg
    • RE: German government accused of spying on citizens with state-sponsored Trojan

      @Mikael_z

      You do realize what a trojan is, right? If you don't, please go and educate yourself.

      A clue for you: It doesn't rely on any OS vulnerabilities. Instead it relies on social engineering. It is much more effective if there are, say, 1.5 billion users of the OS it was written for. On the other hand it isn't very effective when targeting one of the loser OSes due to those OSes' low marketshare.

      http://en.wikipedia.org/wiki/Trojan_horse_(computing)
      Qbt
      • It doesn't rely on any OS vulnerabilities

        @Qbt

        Sure it does. If this were to work on Linux, the user would first have to give the trojan executable permissions before it would even run, but on Windows everything already has executable permissions; you have to be careful what you click on in Windows.
        guzz46
      • You haven't used Windows lately, have you?

        @guzz46

        UAC. Standard user accounts. Registry and file system virtualization.

        Ever heard of those things?
        Ed Bott
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Ed Bott

        Yes I have, http://www.zdnet.com/blog/security/windows-7s-default-uac-bypassed-by-8-out-of-10-malware-samples/4825
        Is that the UAC you are talking about? And why does Windows create the default user as admin, and give everything executable permissions by default?
        To me that is a big vulnerability.
        guzz46
      • RE: It doesn't rely on any OS vulnerabilities

        @guzz46 wrote:
        "if this were to work on Linux the user would first have to give the trojan executable permissions before it would even run"

        Experiment time. Open up a terminal window, type 'vi test', hit 'Enter' and type the following:

            #!/bin/sh
            pwd
            echo ""
            ls -al

        followed by a Shift-ZZ to save and exit vi.

        Now, in the terminal window, check the file permissions with 'ls -l test'. It's not marked as an executable file. And execute the file by typing 'sh ./test'.

        This also shows why mounting a file system as 'noexec' offers very weak protection in Linux. Easy to get around.
        Rabid Howler Monkey
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Rabid Howler Monkey

        Nice try, Rabid Howler Monkey, but pretty weak. I do know about sh, so what you are saying is that in Linux the user would have to download a file, then open a terminal and type sh "name and location of file" and hit Enter, as opposed to Windows where all you have to do is click on something and it will execute.

        Thanks for pointing out some of the security benefits of using Linux.
        guzz46
      • RE: German government accused of spying on citizens with state-sponsored Trojan

        @Qbt -

        Seconded, thanks for posting!
        HypnoToad72
      • RE: German government accused of spying on citizens with state-sponsored Tr

        @guzz46 wrote:
        "I do know about sh"

        Then why, in your prior post, did you write "if this were to work on Linux the user would first have to give the trojan executable permissions before it would even run"? It's clearly a false statement. You're running in circles.

        However, one could send an email with an attachment such as a zip file (e.g., merry_christmas.zip) to an unsuspecting user and request in the email body that they open the zip file and double-click on the file named 'merry_christmas.pl', which places a nasty in /var/tmp and a desktop file in $HOME/.config/autostart that starts the nasty on every login. You see, social engineering is OS independent.

        The nasty dropped in /var/tmp does not have to be marked as an executable (although the *.pl file could certainly handle this). And the desktop file dropped in the autostart directory will have a line like so: 'Exec=sh /var/tmp/nasty'. There's no need for you to type it in.
        Rabid Howler Monkey
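A defender-side check for the autostart persistence pattern the comment above describes (an interpreter launching a script from a temp directory via a .desktop file). This is an added example, not code from the article, the CCC report or any commenter; the .desktop contents, the /var/tmp/nasty path, and the interpreter and temp-directory lists are constructed assumptions.

```python
# Added example (not from the article, the CCC report or any commenter): audit XDG
# autostart entries for 'Exec=sh /var/tmp/nasty'-style persistence from the thread.
import configparser
import pathlib
import shlex

# Interpreters that run a script regardless of its execute bit (assumed list).
INTERPRETERS = {"sh", "bash", "dash", "zsh", "perl", "python", "python3", "ruby"}
# World-writable staging directories an unprivileged dropper can use (assumed).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def audit_desktop_entry(text):
    """Return findings for one .desktop file's contents; an empty list means clean.
    An interpreter invoked on a file is flagged because that file never needed +x."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    try:
        parser.read_string(text)
    except configparser.Error:
        return ["unparseable .desktop file"]
    if not parser.has_section("Desktop Entry"):
        return ["no [Desktop Entry] section"]
    exec_line = parser.get("Desktop Entry", "Exec", fallback="")
    if not exec_line:
        return ["missing Exec= key"]
    findings = []
    argv = shlex.split(exec_line)
    prog = pathlib.PurePosixPath(argv[0]).name
    script_args = [a for a in argv[1:] if not a.startswith("-")]
    if prog in INTERPRETERS and script_args:
        findings.append(f"{prog} runs {script_args[0]} without needing an execute bit")
    for arg in argv:
        if arg.startswith(TEMP_DIRS):
            findings.append(f"references temp-directory path {arg}")
    return findings

def audit_autostart_dir(directory=None):
    """Map each flagged .desktop file under the autostart directory to its findings."""
    directory = pathlib.Path(directory or pathlib.Path.home() / ".config" / "autostart")
    report = {}
    for entry in sorted(directory.glob("*.desktop")):
        findings = audit_desktop_entry(entry.read_text(errors="replace"))
        if findings:
            report[entry.name] = findings
    return report

# Constructed samples: a benign tray applet and the pattern from the comment.
SAMPLE_BENIGN = "[Desktop Entry]\nType=Application\nName=Example Applet\nExec=/usr/bin/example-applet --tray\n"
SAMPLE_NASTY = "[Desktop Entry]\nType=Application\nName=merry_christmas\nExec=sh /var/tmp/nasty\n"
if __name__ == "__main__":
    print(audit_autostart_dir() or "no flagged autostart entries")
```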