SciTech

German hackers uncover 'lawful interception' malware


A Germany-based hacker club claims to have discovered a backdoor Trojan capable of online spying and of recording Skype videoconferencing calls — and even, possibly, of "planting" false evidence. The Chaos Computer Club (CCC) said the malware, which it branded a "lawful interception" tool, is being used by the German police.

"(We have) reverse engineered and analyzed a 'lawful interception' malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs," it said, according to a Google translation of an article on its website. It added that design and implementation flaws make all of this functionality available to anyone on the Internet.

The CCC said that before the German constitutional court ("Bundesverfassungsgericht") forbade the use of malware to manipulate German citizens' PCs on February 27, 2008, the German government had introduced a less conspicuous variant of the spy software: "Quellen-TKÜ" or "lawful wiretapping." Such a Quellen-TKÜ may only be used to wiretap Internet telephony, and that limit has to be enforced through technical and legal means. But its analysis of the malware shows it can go much further than merely observing and intercepting Internet-based telecommunication, "and thus violates the terms set by the constitutional court."

"The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means ... activation of the computer's hardware like microphone or camera can be used for room surveillance," it said. The CCC also said the Trojan's developers "never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping Internet telephony, as set forth by the constitution court."
On the contrary, it said, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer. "This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," said a CCC speaker. "Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system," the speaker added.

Capabilities of the police malware

The CCC said the government malware, if unchecked by a judge, can:

  • load extensions by remote control
  • use the Trojan for other functions, including but not limited to eavesdropping.
"It could even be used to upload falsified 'evidence' against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question," it said. The CCC said it is also possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in Web-based cloud services.

Separately, computer security firm Sophos said the Trojan's capabilities include:

  • eavesdropping on communication applications including Skype, MSN Messenger and Yahoo Messenger.
  • logging keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
  • taking JPEG screenshots of what appears on users' screens and recording Skype audio calls.
  • attempting to communicate with a remote website.
Unstable implementation

The CCC said the lack of authentication and protection in the Trojan can allow unauthorized third parties to assume control of the infected system. Worse, attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the Trojan, and upload fake data, it said. "It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel," the CCC said.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234,'" a CCC speaker said.

The CCC also said all data is redirected through a rented dedicated server in a data center in the United States. Control of the malware therefore lies only partially within the borders of its jurisdiction, which could violate the fundamental principle of national sovereignty. "Considering the incompetent encryption and the missing digital signatures on the command channel, this poses an unacceptable and incalculable risk. It also poses the question how a citizen is supposed to get their right of legal redress in the case the wiretapping data get lost outside Germany, or the command channel is misused," it said.

Authorities have been informed

The CCC said it had informed the German ministry of the interior. "They have had enough time to activate the existing self-destruct function of the trojan," it said. The CCC demanded that the "clandestine infiltration" of IT systems by government agencies must stop. It also called on all hackers and people interested in technology to further analyze the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.
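The flaw the CCC describes above, as an added illustration that is not code from the article or from the analysed trojan: a receiver that trusts any frame reaching it, beside one that checks a keyed MAC and a fresh sequence number before acting. The JSON frame format, the shared key and the command names are assumptions made for this example, not the trojan's real protocol.

```python
import hashlib
import hmac
import json

# Assumed shared key, provisioned out of band; a constructed value, not a real key.
CONTROLLER_KEY = b"example-shared-key-not-real"


def unauthenticated_accept(frame: bytes) -> dict:
    """The flawed model: the command is parsed and acted on without any check
    of who sent it, so anyone who can reach the channel is in control."""
    body = frame.split(b"|", 1)[0]
    return json.loads(body)


class AuthenticatedReceiver:
    """Accept a command only if its HMAC-SHA256 tag verifies under the shared
    key and its sequence number is higher than the last one accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, frame: bytes):
        try:
            body, tag = frame.rsplit(b"|", 1)
        except ValueError:
            return None                      # malformed frame: ignore
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            return None                      # forged or tampered: ignore
        cmd = json.loads(body)
        if cmd.get("seq", -1) <= self.last_seq:
            return None                      # replayed frame: ignore
        self.last_seq = cmd["seq"]
        return cmd


def sign_command(key: bytes, cmd: dict) -> bytes:
    """Controller side: canonical JSON body plus hex HMAC tag, separated by '|'."""
    body = json.dumps(cmd, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


# Constructed sample frames: one signed by the key holder, one forged by a
# third party who does not have the key and pads the tag with zeros.
LEGIT = sign_command(CONTROLLER_KEY, {"seq": 1, "op": "report_status"})
FORGED = b'{"op": "load_extension", "seq": 2}|' + b"0" * 64
```

The unauthenticated receiver executes the forged `load_extension` frame exactly as the CCC warns; the authenticated one discards it, and also discards a replay of the legitimate frame.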
Antivirus detection

Sophos said its products will detect the spyware, "regardless of whether they may be state-sponsored or not." "If you think about it - we have no other option. Because what's to stop a bad guy commandeering the spying code and using it against an innocent party? Our customers' protection comes first. If the authorities want us to not detect their malware, the onus is on them to try to write something that we can't detect, not for us to cripple our software," it said. — TJD, GMA News