“The largest European hacker club, ‘Chaos Computer Club’ (CCC), has reverse-engineered and analyzed a ‘lawful interception’ malware program used by German police forces,” the CCC wrote in a post on its Web site today. “The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the Internet.”
The group made its discovery while doing some recent consulting for Patrick Schladt, a German lawyer defending a client against charges of illegal export of pharmaceuticals. Schladt gave the CCC his client’s laptop to examine and the hackers used forensic software to restore the Trojan files, which had been deleted to cover the tracks of the program, the lawyer said in an interview with CNET.
Schladt alleges that the Trojan was installed on his client’s computer by customs officials at the request of Bavarian state police when his client was returning to Germany after a trip in 2009. After his client was charged and prosecutors provided as evidence screenshots taken of his client’s Web browser, Schladt then contacted the CCC, he said.
While German authorities can snoop on suspected criminals, they need court permission to do so and any spyware for monitoring voice over IP calls used by authorities cannot alter code on a suspect’s computer and additional functionality cannot be added to it.
Schladt said the screenshots show that the program used to monitor his client went “way too far for German logging” laws. So he went to a higher court with his complaint, and that judge agreed, he said. “The most important thing is that every screenshot that was made and every file out of that Trojan will not be in the case” or allowed as evidence, he said. “That is poisoned stuff.”
The malware–dubbed the “State Trojan” or “R2D2” for a string of characters embedded inside the code–is capable of monitoring Skype, Yahoo Messenger, and MSN Messenger communications, as well as logging keystrokes in Firefox, Internet Explorer, and other browsers; taking screen captures; and of being updated, according to the CCC.
The State Trojan violates German law because it can receive uploads of programs from the Internet and execute them remotely, the CCC said.
“This means, an ‘upgrade path’ from (lawful spyware) to the full State Trojan’s functionality is built-in right from the start. Activation of the computer’s hardware like microphone or camera can be used for room surveillance,” the CCC post says. “The government malware can, unchecked by a judge, load extensions by remote control, to use the Trojan for other functions, including but not limited to eavesdropping.”
The malware could be used to plant evidence on the target’s computer and delete files, therefore completely obstructing justice, but it also has “serious security holes” in it that open the computer up to attack by others and put the law enforcement agency that is controlling the malware at risk, the CCC said.
“The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the Trojan are even completely unencrypted,” the post says. “Neither the commands to the Trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies’ IT infrastructure could be attacked through this channel.”
The CCC said it has informed the German Ministry of the Interior about its findings. “They have had enough time to activate the existing self destruct function of the trojan,” the group said.
At a news conference today, German federal government spokesman Steffen Seibert said officials are investigating the matter. “We are taking (the allegations) very seriously,” he said, according to a report on the Monsters and Critics Web site. “We will need to check all systems thoroughly.”
A confidential memo released by WikiLeaks in early 2008 showed communications between German state law enforcement and a German firm, DigiTask, that makes software that can be used for monitoring Skype communications.
Seibert said the software in question was 3 years old and had not been used by federal officials, according to the Monsters and Critics report.
DigiTask lawyer Winfried Seibert said the company had developed programs for authorities in Germany, according to an IDG News Service report.
Graham Cluley of Sophos wrote in a blog post that it is not really possible to prove who authored the malware, which targets Windows computers. He suspects that even if the federal officials in Germany weren’t involved in the malware, officials in one of the German states were. “It’s pretty likely that this is something that was done under the auspices of German authorities,” he said in a phone interview with CNET today