Droid Trojan 'linked to German police'

News by Dan Raywood

A backdoor Trojan that is capable of monitoring online activity and recording Skype calls has been detected - and is allegedly being used by the German police force.

According to research by the Chaos Computer Club (CCC), the malware can not only siphon away intimate data, but also offers a remote control or backdoor functionality for uploading and executing arbitrary programs. It said the functionality in the ‘Bundestrojaner light’ (‘federal Trojan’), concealed as ‘Quellen-TKÜ’, goes much further than merely observing and intercepting internet-based telecommunication, and thus violates the terms set by the constitutional court.

German courts have permitted police to use Bundestrojaner to record Skype conversations if there is legal permission for a wiretap.

It said: “The Trojan can, for example, receive uploads of arbitrary programs from the internet and execute them remotely. This means an upgrade path from Quellen-TKÜ to the full Bundestrojaner's functionality is built in right from the start.

“The analysis concludes that the Trojan's developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitutional court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.”

The CCC also concluded that, because of the Trojan's poor craftsmanship, complete control of an infected PC is open not just to the agency that planted it.

A CCC spokesperson said: “We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities. The security level this Trojan leaves the infected systems in is comparable with it setting all passwords to '1234'.”

To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data centre in the US. The CCC said the German Ministry of the Interior has been informed.

The CCC said: “The clandestine infiltration of IT systems by government agencies must stop. At the same time we would like to call on all hackers and people interested in technology to further analyse the malware, so that at least some benefit can be reaped from this embarrassing eavesdropping attempt.

“Also, we will gladly continue to receive copies of other versions of government malware off your hands.”

Graham Cluley, senior technology consultant at Sophos, said its analysis of the malware confirmed that it can eavesdrop on several communication applications including Skype, MSN Messenger and Yahoo! Messenger. It can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey, and take JPEG screenshots of users' screens.

He said: “We have no way of knowing if the Trojan was written by the German state and, so far, the German authorities aren't confirming any involvement. The comments in the Trojan's binary code could just as easily have been planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner.”

Mikko Hypponen, chief research officer at F-Secure, said: “We do not know who created this backdoor and what it was used for. We have no reason to suspect CCC's findings, but we can't confirm that this Trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself.

“We have never before analysed a sample that has been suspected to be a governmental backdoor. We have also never been asked by any government to avoid detecting their backdoors.

“Having said that, we detect this backdoor as Backdoor:W32/R2D2.A. The name R2D2 comes from a string inside the Trojan ‘C3PO-r2d2-POE’. This string is used internally by the Trojan to initiate data transmission.”
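The F-Secure detection name quoted above rests on a single string indicator, ‘C3PO-r2d2-POE’. As an added illustration of how a defender can triage files for that indicator (this is example code written for this article, not F-Secure's or the CCC's analysis tooling), the following Python scanner looks for the string in a byte blob or a file. The article does not say how the string is stored in the binary, so the scanner checks both the ASCII form and, as an assumption, the UTF-16LE form that Windows binaries commonly use, and matches case-insensitively. The sample "binaries" embedded below are constructed for the demonstration and contain no real malware.

```python
import os
import re
import sys
import tempfile

# Indicator quoted in the article: the string the Trojan uses internally to
# initiate data transmission.
R2D2_MARKER = "C3PO-r2d2-POE"


def marker_patterns(marker: str = R2D2_MARKER):
    """Return (label, compiled bytes regex) pairs for the marker.

    The ASCII form is what the article quotes; the UTF-16LE form is an
    assumption added here because Windows binaries often store strings that
    way. Both patterns match case-insensitively.
    """
    ascii_form = marker.encode("ascii")
    wide_form = marker.encode("utf-16-le")
    return [
        ("ascii", re.compile(re.escape(ascii_form), re.IGNORECASE)),
        ("utf-16le", re.compile(re.escape(wide_form), re.IGNORECASE)),
    ]


def scan_bytes(data: bytes, marker: str = R2D2_MARKER):
    """Return a list of (encoding_label, offset) for every marker hit in data."""
    hits = []
    for label, pattern in marker_patterns(marker):
        for match in pattern.finditer(data):
            hits.append((label, match.start()))
    return sorted(hits, key=lambda h: (h[1], h[0]))


def scan_file(path: str, marker: str = R2D2_MARKER, chunk_size: int = 1 << 20):
    """Scan a file in chunks, keeping an overlap so a marker that straddles a
    read boundary is still found. Offsets are absolute file offsets."""
    overlap = len(marker.encode("utf-16-le")) - 1  # longest encoded form
    hits = set()
    base = 0   # absolute offset of buf[0]
    buf = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf += chunk
            for label, off in scan_bytes(buf, marker):
                hits.add((label, base + off))   # set de-duplicates overlap re-hits
            if len(buf) > overlap:
                base += len(buf) - overlap
                buf = buf[-overlap:]
    return sorted(hits, key=lambda h: (h[1], h[0]))


# Constructed sample blobs (not real binaries): a PE-like prefix, then the
# marker in ASCII or UTF-16LE. The prefix is 91 bytes long.
SAMPLE_CLEAN = (b"MZ\x90\x00" + b"\x00" * 32
                + b"This program cannot be run in DOS mode." + b"\x00" * 16)
SAMPLE_ASCII = SAMPLE_CLEAN + R2D2_MARKER.encode("ascii") + b"\x00" * 8
SAMPLE_WIDE = SAMPLE_CLEAN + R2D2_MARKER.encode("utf-16-le") + b"\x00" * 8


def demo_scan_file(chunk_size: int = 7):
    """Write the two constructed samples back to back into a temporary file
    and scan it with a deliberately small chunk size to exercise the
    boundary-straddling logic. Returns the hit list."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(SAMPLE_ASCII + SAMPLE_WIDE)
        path = tmp.name
    try:
        return scan_file(path, chunk_size=chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Usage: python r2d2_scan.py <file> [<file> ...]
    for target in sys.argv[1:]:
        for label, offset in scan_file(target):
            print(f"{target}: {label} marker at offset 0x{offset:x}")
```

A hit on this string is a triage signal, not proof of infection: as the Sophos comment in this article notes, strings can be planted, so a match should be followed by fuller analysis of the file.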
