April 23, 2014

Is the German Government Using Malware to Lawfully Spy on its Citizens?

(LiveHacking.Com) - The largest European hackers' club, the Chaos Computer Club (CCC), has published details of a malware program that is lawfully used by the German police to intercept and record Skype conversations, capture screenshots and grant backdoor access to the infected PC.

Although German lawmakers have outlawed the state-sponsored use of malware to manipulate German citizens' PCs, the German government does allow something known as "source wiretapping" (Quellen-TKÜ) to monitor internet telephony. It seems that this malware, known as Bundestrojaner (Federal Trojan horse), is used for such wiretaps.

The malware has now been independently verified by Sophos, who have confirmed that it has the following functionality:

  • The Trojan can eavesdrop on several communication applications – including Skype, MSN Messenger and Yahoo Messenger.
  • The Trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey.
  • The Trojan can take JPEG screenshots of what appears on users’ screens and record Skype audio calls.
  • The Trojan attempts to communicate with a remote website.

Furthermore, it seems that the malware exceeds the remit allowed under Quellen-TKÜ:

The CCC analysis reveals that functionality in the Bundestrojaner goes much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court. The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance.

As well as the political, privacy and constitutional problems with Bundestrojaner, it also transpires that the malware has significant design and implementation flaws that make all of its functionality available to anyone on the internet.

The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.

Questions remain, however, over the authorship of the malware. Was it really written and deployed by the German police? So far all the CCC can prove is that "it has been found in the wild and submitted to the CCC anonymously."