
Droid Trojan 'linked to German police'


A backdoor Trojan that is capable of monitoring online activity and recording Skype calls has been detected – and is allegedly being used by the German police force.

According to research by the Chaos Computer Club (CCC), the malware can not only siphon away intimate data, but also offers remote-control or backdoor functionality for uploading and executing arbitrary programs. It said the functionality of the 'Bundestrojaner light' ('federal Trojan'), concealed as 'Quellen-TKÜ' (source telecommunication surveillance), goes much further than merely observing and intercepting internet-based telecommunication, and thus violates the terms set by the constitutional court.

German courts have permitted police to use Bundestrojaner to record Skype conversations if there is legal permission for a wiretap.

It said: “The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely. This means an upgrade path from Quellen-TKÜ to the full Bundestrojaner's functionality is built in right from the start.

“The analysis concludes that the Trojan's developers never even tried to put technical safeguards in to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitutional court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.”

The CCC also concluded that, because of the Trojan's poor craftsmanship, complete control of an infected PC is open not just to the agency that planted it.

A CCC spokesperson said: “We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this Trojan leaves the infected systems in is comparable with it setting all passwords to '1234'.”

To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data centre in the US. The CCC said the German Ministry of the Interior has been informed.

The CCC said: “The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyse the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.

“Also, we will gladly continue to receive copies of other versions of government malware off your hands.”

Graham Cluley, senior technology consultant at Sophos, said its analysis of the malware confirmed that it can eavesdrop on several communication applications including Skype, MSN Messenger and Yahoo! Messenger. It can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey, and take JPEG screenshots of users' screens.

He said: “We have no way of knowing if the Trojan was written by the German state and, so far, the German authorities aren't confirming any involvement. The comments in the Trojan's binary code could just as easily have been planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.”

Mikko Hypponen, chief research officer at F-Secure, said: “We do not know who created this backdoor and what it was used for. We have no reason to suspect CCC's findings, but we can't confirm that this Trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

“We have never before analysed a sample that has been suspected to be governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.

“Having said that, we detect this backdoor as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan, 'C3PO-r2d2-POE'. This string is used internally by the Trojan to initiate data transmission.”
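As an added example that is not part of the article or of F-Secure's own detection, a small Python scanner that looks for the 'C3PO-r2d2-POE' marker string quoted above in both ASCII and UTF-16LE form (Windows binaries store strings in either encoding), run over constructed sample buffers rather than a real sample:

```python
import os
from typing import Dict, Iterable, List, Tuple

# Marker string the article reports inside the Trojan (used by it to initiate
# data transmission, per F-Secure). Searched in ASCII and UTF-16LE because
# Windows binaries commonly store strings in either encoding.
R2D2_MARKER = "C3PO-r2d2-POE"
ENCODED_MARKERS = {
    "ascii": R2D2_MARKER.encode("ascii"),
    "utf-16le": R2D2_MARKER.encode("utf-16-le"),
}


def find_marker(data: bytes) -> List[Tuple[str, int]]:
    """Return (encoding, offset) for every occurrence of the marker in data."""
    hits = []
    for enc, needle in ENCODED_MARKERS.items():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            hits.append((enc, idx))
            start = idx + 1
    return hits


def scan_paths(paths: Iterable[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan files on disk; return {path: hits} for files containing the marker."""
    results = {}
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hits = find_marker(fh.read())
        except OSError:  # unreadable or missing file: skip, keep scanning
            continue
        if hits:
            results[path] = hits
    return results


# Constructed sample buffers (not real malware): ASCII marker, UTF-16LE marker, clean.
SAMPLE_ASCII = b"MZ\x90\x00" + b"\x00" * 16 + b"C3PO-r2d2-POE" + b"\x00" * 8
SAMPLE_WIDE = b"MZ\x90\x00" + "C3PO-r2d2-POE".encode("utf-16-le") + b"\x00\x00"
SAMPLE_CLEAN = b"MZ\x90\x00" + b"hello world" * 3

if __name__ == "__main__":
    for name, buf in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("clean", SAMPLE_CLEAN)]:
        print(name, find_marker(buf))  # hits as (encoding, offset) pairs
```

A string match like this is only one indicator; pair it with the behavioural signs the article describes (unexpected program uploads, traffic relayed to a single remote server) before treating a hit as confirmed.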
