Official Malware from the German Police

The Chaos Computer Club has disassembled and analyzed the Trojan used by the German police for legal intercept. In its default mode, it takes regular screenshots of the active window and sends them to the police. It encrypts data in AES Electronic Codebook mode with—are you ready?—a fixed key across all versions. There’s no authentication built in, so it’s easy to spoof. It sends data to a command-and-control server in the U.S., which is almost certainly against German law. There’s code to allow the controller to install additional software onto the target machine, but that’s not authenticated either, so it would be easy to fool the Trojan into installing anything.
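The two weaknesses named above, ECB mode under a fixed key and the absence of any authentication, are easier to appreciate side by side. The following is an added example written for this page, not code from the CCC analysis or from the Trojan itself: it uses only the Go standard library, the key bytes are a constructed placeholder (the page publishes no key value), and the "screenshot" is a constructed plaintext of four identical blocks standing in for a flat region of an image. It shows that ECB leaks block-level structure and is deterministic under a fixed key, and that an authenticated mode (AES-GCM with a fresh nonce) both hides that structure and rejects tampered or wrong-key messages, which is the property the Trojan's protocol lacks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed 16-byte key standing in for the Trojan's hard-coded key; the page
// does not publish the real value, so this is an assumption, not the real key.
var fixedKey = []byte("0123456789abcdef")

// pkcs7Pad pads data up to a multiple of blockSize, since ECB needs whole blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// ecbEncrypt is AES in Electronic Codebook mode: each block is encrypted on its
// own with the same key, so equal plaintext blocks give equal ciphertext blocks,
// and the same report sent twice is byte-identical on the wire. Nothing here
// binds the ciphertext to a sender, so a receiver cannot tell forged from genuine.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := pkcs7Pad(plaintext, bs)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out, nil
}

// distinctBlocks counts distinct 16-byte blocks in ct; for n blocks of properly
// randomised ciphertext it is n with overwhelming probability.
func distinctBlocks(ct []byte) int {
	seen := make(map[string]bool)
	for i := 0; i+16 <= len(ct); i += 16 {
		seen[string(ct[i:i+16])] = true
	}
	return len(seen)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal is the contrast case: AES-GCM under a fresh random nonce hides block
// structure and appends an authentication tag. Output is nonce || ct || tag.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen verifies the tag before releasing plaintext: a modified message, or
// one sealed under a different key, is rejected with an error.
func gcmOpen(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

func main() {
	report := bytes.Repeat([]byte("SAME-16-BYTE-BLK"), 4) // constructed "screenshot"
	ecb, _ := ecbEncrypt(fixedKey, report)
	sealed, _ := gcmSeal(fixedKey, report)
	fmt.Printf("ECB: %d blocks, %d distinct\n", len(ecb)/16, distinctBlocks(ecb))
	fmt.Printf("GCM: %d distinct blocks\n", distinctBlocks(sealed[12:12+len(report)]))
	sealed[len(sealed)-1] ^= 1 // flip one bit of the tag
	_, err := gcmOpen(fixedKey, sealed)
	fmt.Println("GCM after tampering:", err)
}
```

Run as-is, the ECB ciphertext of four identical blocks contains only two distinct blocks (the repeated data block and the padding block), while the GCM ciphertext has four distinct blocks and any single-bit change makes `gcmOpen` fail. Note that authentication alone does not rescue a fixed, shared key: anyone holding that key can still produce valid tags, so a per-deployment key is the other half of the fix.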

Detailed analysis in German. F-Secure has announced it will treat the Trojan as malware. I hope all the other anti-virus companies will do the same.

EDITED TO ADD (10/12): Another story. And some good information on the malware. Germany’s Justice Minister is calling for an investigation.

Posted on October 13, 2011 at 6:03 AM • 40 Comments

Comments

bruce October 13, 2011 6:18 AM

Could that be the same Chaos Computer Club that had a role in Cliff Stoll’s book, ‘The Cuckoo’s Egg’?

Just asking
Bruce

hwilker October 13, 2011 6:35 AM

  1. Yes, it still is the same CCC: http://www.ccc.de/en/

  2. The main intent of the software was supposed to be the interception of VoIP telephony, especially Skype, before the voice stream is encrypted on the user’s machine. The screenshot functionality seems to have been added by the software developer, and used by the police (in at least one case in Bavaria) simply because it was there.

  3. Use of software such as this is arguably not legal in Germany. Some courts got around this by allowing use under laws meant for normal telephone taps. Screenshots and other uses definitely would not fall under this usage.

Ben October 13, 2011 6:53 AM

Ha!
1.) The funniest part is, it only runs on win32. It does not even run on win64, Mac OS or any Un*x.

2.) The name “Staatstrojaner” (formal) or “Bundestrojaner” can be translated as “federal trojan”.

3.) There is almost no other topic on radio these days. Here are some examples from the German state’s radio (please note: the text is not the script from the audio):
* http://wissen.dradio.de/spyware-staatstrojaner-kommt-aus-bayern.33.de.html?dram:article_id=12862
* http://wissen.dradio.de/spionagesoftware-ccc-auf-der-spur-des-trojaners.36.de.html?dram:article_id=12843 (CCC interview)
* http://wissen.dradio.de/spyware-gefaehrlicher-trojaner.33.de.html?dram:article_id=12841 (most informative)

Sebastian October 13, 2011 7:18 AM

The thing is: The German police plans to write custom trojans to infect certain computers. So they will be annoyed that this one has been identified now, but it won’t be a huge roadblock.
They actually estimate that each of those trojans will cost 250,000 Euro to develop, or something along that line. (Which would then supposedly allow them to infiltrate specific computers, as opposed to “normal” trojans that care about infiltrating as many computers as possible rather than specific ones.)

So if this one doesn’t support Mac or Linux – they’ll develop something if they see the need for it. At least that’s how they say this program is supposed to work.

Paeniteo October 13, 2011 7:22 AM

@Sebastian: “The German police plans to write custom trojans to infect certain computers. So they will be annoyed that this one has been identified now, but it won’t be a huge roadblock.”

I assume their claim that they would write custom tailored trojans is just as true as their claim that the trojan would be secure.

Natanael L October 13, 2011 8:29 AM

250,000 Euro? For each version?

Take screenshots – there’s tools for that. Remote control? There’s tools for that. Keylogging? There’s (non-malicious, even) tools for that. Recording audio from the mic and the speakers? There’s tools for that.

Somebody is out of touch with reality.

Tom October 13, 2011 8:53 AM

The Sophos-links seem a bit outdated. German news sites already found out that several federal governments have admitted using the trojan made by the company DigiTask. It has also been borrowed by state government institutions (customs, to be precise). Also, Sophos says “that the phrase “0zapftis” has raised some eyebrows amongst the German speakers at SophosLabs”. They obviously didn’t get that this play-on-words was introduced by the CCC and was not found within the actual malware.

John Young at cryptome seems to have gotten a powerpoint presentation advertising the malware: http://cryptome.org/0005/michaelthomas.pdf

Oh, and the thing about the “custom-tailored” versions: This doesn’t mean they want to be able to infect a specific computer. Instead it means they will sell different versions (e.g. also a version where illegal features are disabled or greyed out in the GUI) of their malware according to the needs of a particular governmental institution.

ste October 13, 2011 10:35 AM

The company who wrote (using their feet) the trojan – digitask – admits that they sold “similar products” also in Austria, Switzerland, Netherlands:
http://www.heise.de/tp/blogs/8/150615

Their website also has high security levels: http://digitask.de/administrator/ using out-of-support PHP…

For those who understand some German, fefe’s blog is a must-read (he’s a member of the CCC).

It was used for crimes like tax fraud in the cigarette business and other terroristic threats to society.

NobodySpecial October 13, 2011 10:50 AM

“It was used for crimes like …. and other terroristic threats to society.”

Yes, that’s always what’s claimed.
Like RIP (UK’s regulatory investigative powers act) it was needed to fight international terrorism and organised crime – ended up being used by city councils to track people sending kids to schools outside the area and not picking up after their dogs.

Johnston October 13, 2011 11:04 AM

Up until this story, I had thought Germany was one of the leading countries in terms of Internet freedom. Or to put it another way, one of the least bad.

NobodySpecial October 13, 2011 11:17 AM

@Johnston – depends on your definition of ‘bad’ !
If they believe that criminals are using Skype and they need to wiretap it.

They could simply ban Skype – that affects everyone in the country.

Pressure Skype to give them a backdoor – that affects every Skype user in the world, since every other govt will also want the backdoor.

Hack the computers of the individual they are targeting – in theory that’s the least invasive solution.

Of course in reality once you have done this then you will use the trojan to track their email, documents, web sites etc. And the definition of target will expand to everybody – but that’s true of all government and law enforcement.

Petréa Mitchell October 13, 2011 12:03 PM

Wouldn’t it be ironic if this turned out to be the keylogger infesting Creech AFB?

It’s not completely out of the question, actually, given the significant US military presence in Germany and the suspicions that the infection vector at Creech, at last report, was USB drives from other military bases…

NobodySpecial October 13, 2011 1:51 PM

@MikeB – good point.
We need a new word for instead of sneaking into a city inside a wooden horse you just barge in the front door with a horde of tanks!

Windows for the government to peek in October 13, 2011 2:21 PM

Funnily CCC came out with some info about a “bundestrojaner” years ago. Wonder if it was the same trojan or a different one?

Also there was a case in Singapore where some uni student had found a virus on her computer that was supposedly traced to the government.

So who knows what lurks inside people’s hard drives among the thousands of files that come with a standard “Windows” installation…

Now we know why it is called “Windows”.

MeMyselfandI October 13, 2011 3:00 PM

It sends data to a command-and-control server in the U.S.

So why does everyone think that it’s official malware from the German police?

Ex-Pat October 13, 2011 3:26 PM

It is the same “Bundestrojaner”, but this is finally one in which they can prove that the government installed it. Many German states have now admitted that they were using it, the latest incident being Monday of this week…

The CCC has a cute little foam horse on wheels painted in the German national colors that they drag around with them during demonstrations. Google “Bundestrojaner”, choose pictures, and take any of the Black/red/gold pictures.

The minister of justice is protesting to the state ministers of the interior, and she now wants to set up an official office to test government software (no, that won’t make any of it better. Big governmental software projects are a big joke in Germany – over budget, late, and seldom working to spec, if they work at all). Check out heise.de if you read German

Andrew October 13, 2011 4:37 PM

There is a lot of uncertainty about this story.

We don’t know that the state agencies have crafted the malware, device.

We know it’s alleged to have been leaked from a criminal investigation, but that is unconfirmed.

It’s unlikely German authorities will make a statement on any of this.

We know world agencies conduct surveillance on crime and terror suspects, so there is no news here.

NobodySpecial October 13, 2011 4:57 PM

” Big governmental software projects are a big joke in Germany – over budget, late, and seldom working to spec, if they work at all”

One area of engineering where Germany can’t claim to be any better !

If this software had been supplied by the UK security services it would have cost 20Bn, be 10 years late and be finally abandoned by the new government.

Dirk Praet October 13, 2011 5:04 PM

@ Petréa Mitchell

“Wouldn’t it be ironic if this turned out to be the keylogger infesting Creech AFB?”

I already suggested that in the thread about the drone infection on this blog a couple of days ago. The really surprising element here is not so much that the German police actively use a piece of digital spyware, but the speed with which both authorities and the manufacturer (Digitask) have come clean about the entire thing. That would definitely not happen in countries like China, Russia or the USA. Just look at how HBGary Federal et al kept on denying any wrongdoing even when caught pants down and faced with overwhelming evidence revealed by their own email communications.

There’s little point in ranting against this sort of government practices. They’re all doing it, and I’m pretty sure similar stuff will pop up in the time to come. At best, it serves as positive proof of such to people still naive enough to think it’s only happening in other countries. Of more concern however is the use of fixed keys and the lack of authentication as pointed out by Bruce, making it actually vulnerable to exploitation by 3rd parties.

Either the good folks at Digitask were a bit too cocky assuming that their work would go by undetected, or it’s just a 1.0 version introduced as a proof of concept that meanwhile has been superseded by new and improved releases that haven’t been discovered in the wild just yet.

Congratulations to the CCC guys for dissecting R2D2 and publishing their findings. Chances are that if this would have happened in China or the US, they would by now have had their homes invaded and their asses deported to a very dark and lonely place on charges of treason or something equally outrageous. Not to forget public crucifixion by state-owned media interviewing true patriots calling for their immediate execution.

Rash October 13, 2011 6:25 PM

“It encrypts data in AES Electronic Codebook mode”

Only the data it sends to the command and control server. Not the commands it receives.

Peter E Retep October 13, 2011 10:33 PM

Wouldn’t it be interesting if the rogue German cyber agents
were the same ones with the invisible withdrawal program
which started in Argentina,
that collapsed world bank liquidity,
and was first discovered operating through German banks?
Leaving German banks dictating taxes to the rest of the EU?
Verrry interesting???

Lisa October 14, 2011 12:45 AM

Someone needs to charge them with cyber-terrorism.

After all, now that nearly any type of illegal action is deemed to be terrorism, even peer-to-peer media piracy, why not this?

I hope that the people that authorized, created, and released it would be criminally charged and prosecuted to the full extent of the law, as they would with any hacker that would do this.

Woo October 14, 2011 1:57 AM

The only positive aspect I derive from that trojan is that, as it seems at the moment, it may be the straw that breaks quite a lot of already-unpopular politicians’ backs.

Paeniteo October 14, 2011 3:00 AM

@MeMyselfandI: “So why does everyone think that it’s official malware from the German police?”

Mainly, because they admitted it.
Last but not least, the manufacturer’s manual recommends renting a C&C server “overseas” to cover the tracks.

-B October 14, 2011 11:49 AM

“We need a new word for instead of sneaking into a city inside a wooden horse you just barge in the front door with a horde of tanks!”

We could call it, “ATFing”.

Tom October 16, 2011 5:43 AM

Some note about pricing: thanks to the bureaucracy in the EU, every European authority or government department has to make any purchases public. In the case of digitask, the vendor of the trojan, you can use google to get a list of deals they made in the EU in the past by searching for: “digitask site:http://ted.europa.eu”.

As an example, here is the deal of Digitask with LKA Bavaria for 247.773 EUR. Or – just to be curious – the deal with “Zollkriminalamt” for 2.075.256 EUR.

nick November 4, 2011 9:07 PM

This is really interesting. I wonder if the Canadian government or any other country will do this. I’m glad that the Germans are treating it as an illegal operation. I’m also glad that anti-viruses are treating it as a virus.

Nick
