Government telecommunication-spying malware opens backdoor

The Chaos Computer Club claims that a government-made “lawful interception” Trojan has abilities that exceed those allowed by the nation’s legislature and that those features can be easily misused by third parties through a series of design and implementation flaws.

The well known German-based hacker organization said that it has received various samples of the “Bundestrojaner” (“Federal Trojan”) used by German law enforcement, and that the reverse-engineering process has revealed many worrying things.

For one thing, the Trojan is supposedly used only for “wiretapping” VoIP conversations. But the analysis showed that the malware has also been equipped with the ability to set up a backdoor into the targeted system and to update its functionalities by downloading additional components from the Internet and execute them.

“This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired,” commented a CCC member. “Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”

Additional capabilities supposedly include taking screenshots and activating the computer’s camera and microphone in order to execute physical surveillance of the actions made by the computer’s owner both online and in the room where the computer is located – all of which has been deemed illegal by the German constitutional court.

And if all this wasn’t scary enough, the Trojan’s inherent flaws and the holes it makes into the targeted system can open the way for spying from other individuals and entities.

“The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted,” say the hackers. “Neither the commands to the Trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies’s IT infrastructure could be attacked through this channel.”

The hackers have not tried to penetrate this infrastructure, but they did devise a PoC remote control software for the Trojan. They have also followed the path of redirections through which the recorded data is sent to the C&C servers, and point out that it passes through a rented server in the US, making the control of the malware lay only partially within the borders of jurisdiction of the German government/law enforcement agencies.

The CCC has also pointed out the many inconsistencies found in the claims made by government officials regarding the Trojan: that it will be hand-crafted for each specific case (the hackers say that judging by the hard-coded cryptographic key and other details found in all the samples they have analyzed it wasn’t) and that it will be tested to assure that it has only the telecommunication-spying abilities and that its code is written so that it cannot be abused by third parties (they say it definitely isn’t).

The German government has yet to comment on these claims and it may take a while. The CCC says that the Ministry of the Interior has been informed of their findings and that they have the ability to make the Trojan destroy itself – which is obvious the hackers would like to see happen.

As an additional note, Symantec researchers have confirmed many of the claims made by the CCC, although they say that the group “has not offered any proof of their claims that these are government affiliated samples.”