X
Government

German government accused of spying on citizens with state-sponsored Trojan

A well-established group of German hackers has accused the German government of releasing a backdoor Trojan into the wild. Security firm F-Secure has confirmed that the program includes a keylogger and code that can take screenshots and record audio.
Written by Ed Bott, Senior Contributing Editor

A well-established group of German hackers, the Chaos Computer Club, has accused the German government of releasing a backdoor Trojan into the wild. According to Mikko Hypponen of F-Secure, the announcement was made public on the group's website in the form of a 20-page PDF (in German).

The accompanying English-language post claims the group reverse-engineered and analyzed the program, which it calls "a 'lawful interception' malware program used by German police forces".

It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.

[...]

The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance.

According to the CCC, Quellen-TKÜ means "'source wiretapping' or lawful interception at the source" and Bundestrojaner means "federal trojan" and is "the colloquial German term for the original government malware concept."

The group includes a screen shot purporting to show the Trojan in action.

According to the report, the CCC wrote its own remote control program that wrested control of the Trojan, which consists of a Windows DLL and a kernel driver. That allowed the group to analyze the program's behavior and determine that it goes well beyond the ability to "observe and intercept internet based telecommunication" (in other words, wiretapping Internet-based telephony), which is allowed by German courts.

Here's a partial list of what the CCC analysis uncovered:

The trojan can ... receive uploads of arbitrary programs from the Internet and execute them remotely.

Activation of the computer's hardware like microphone or camera can be used for room surveillance.

[T]he design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.

[With an additional module] it can be used to remotely control infected PCs over the internet [and] watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web based cloud services.

In its own analysis, F-Secure confirmed the workings of the program:

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.

F-Secure sidestepped the thorny question of where the Trojan came from, saying, "We do not know who created this backdoor and what it was used for. ... We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself."

The company further added, "We have never before analysed a sample that has been suspected to be governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors."

This isn't the first time a government has been accused of using software to clandestinely spy on its citizens. The recent takeover of digital certificates issued by the Dutch firm DigiNotar was attributed by some sources to the Iranian government, which then reportedly used the forged certificates to snoop on its citizens' communications via Google Mail.

Similarly, the Chinese government was blamed for Operation Aurora, a 2010 attack that broke into servers at Google and as many as 30 other large corporations.

Over the years, Microsoft has been accused of working with the U.S. National Security Agency to build backdoors into Windows. Those accusations have been mostly discredited. (See this 2008 report and an earlier, overblown dustup over a cryptographic key dating back more than a decade.)

If the CCC analysis turns out to be accurate, this will be a first, and a significant black eye for a government that has largely been in the forefront of safeguarding personal privacy of its citizens.

The German government has not yet responded.

Editorial standards