Ten days ago, the Chaos Computer Club published a set of worrisome findings from its analysis of the “lawful interception” Trojan used by German law enforcement agencies.
At the time, the group had access to the Trojan’s DLL and a kernel driver, but not to the installer/dropper. Yesterday, however, Kaspersky Lab researchers shared their own discoveries after analyzing the installer file detected and blocked by the company’s antivirus solution.
It is named scuinst.exe – after the official name of the federal Trojan which is “Skype Capture Unit.” It carries five additional binaries and has the capability to monitor even more applications than originally thought – including the IE, Firefox and Opera browsers and chat, messaging and VoIP apps such as Low-Rate Voip, ICQ, Yahoo! Messenger and many more.
Also, the dropper has the ability to detect whether the affected machine runs on 32-bit or 64-bit architecture, and installs the appropriate driver.
“Contrary to the 32 bit version, the 64 bit driver does not contain any process infection functionality but only provides a rudimentary privilege escalation interface through file system and registry access,” say the researchers. “Similar to its brother, it creates a device and implements a basic protocol for communicating with user-mode applications.”
Another interesting thing about the 64-bit driver provided by the dropper is the fact that it’s digitally signed. It must be, or the OS wouldn’t load it. But the certificate is issued by Goose Cert, a CA that doesn’t exist.
This would normally mean that the OS won’t accept it, so the question that must be raised is: “Does that mean the Trojan is capable of installing the bogus certificate in the Trusted Root Certification Authorities store?”
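The question above is one a defender can turn into a routine check: compare the machine’s Trusted Root store against a known-good baseline, and for every loaded kernel driver, find out which root its signature actually chains to. The script below is an added example written for this article; it is not code from the CCC or Kaspersky analyses, and the baseline thumbprints are placeholders to be replaced with values exported from a clean reference build.

```powershell
# Added example (not from the article, the CCC or Kaspersky).
# Audits Cert:\LocalMachine\Root against a baseline and reports which root
# each running driver's Authenticode signature chains to.

# Placeholder baseline: export the thumbprints of Cert:\LocalMachine\Root on a
# clean reference machine and paste them here.
$BaselineThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_1',
    'PLACEHOLDER_THUMBPRINT_2'
)

# 1. Root certificates present on this machine but absent from the baseline.
$unexpectedRoots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $BaselineThumbprints -notcontains $_.Thumbprint }

foreach ($cert in $unexpectedRoots) {
    [PSCustomObject]@{
        Check      = 'UnexpectedRoot'
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        Thumbprint = $cert.Thumbprint
    }
}

# 2. For every running driver, build the signer's chain and record the root it
#    ends in. A driver whose chain terminates in one of the unexpected roots is
#    exactly the case the article asks about.
$unexpectedThumbprints = $unexpectedRoots | ForEach-Object { $_.Thumbprint }

Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName comes back as \??\C:\..., \SystemRoot\..., or a plain path.
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $rootSubject = $null
        $rootThumb   = $null
        if ($sig.SignerCertificate) {
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit; revocation is a separate check
            [void]$chain.Build($sig.SignerCertificate)
            $root        = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $rootSubject = $root.Subject
            $rootThumb   = $root.Thumbprint
        }

        [PSCustomObject]@{
            Check            = 'DriverSignature'
            Driver           = $_.Name
            Path             = $path
            Status           = $sig.Status
            Signer           = $sig.SignerCertificate.Subject
            ChainRoot        = $rootSubject
            RootNotInBaseline = ($rootThumb -and ($unexpectedThumbprints -contains $rootThumb))
        }
    }
```

Run it from an elevated PowerShell session; the two object streams can be piped to Export-Csv and diffed between hosts. Note that a root injected into Cert:\LocalMachine\Root changes what user-mode Authenticode checks (including Get-AuthenticodeSignature) report; whether the kernel’s own load-time enforcement honours such a root is a separate question, which is why the script lists every loaded driver and the root its chain ends in rather than trusting a single “Valid” status field.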