The Chaos Computer Club is probing malware that may be being used illegally by the German police
The German police may be using malware that breaks that country’s laws. According to the Chaos Computer Club (CCC), a respected source, the software has been found in the wild and submitted anonymously to their analysis team.
The team has dubbed the Trojan R2D2 but it also known as Bundestrojaner (state, or federal, Trojan) and 0zapftis.
The malware not only monitors personal data but can act as a backdoor to allow further monitoring software to be implanted in the computer. Independent tests by a Sophos security team confirms this. In the past, German courts have allowed the police to deploy a Trojan called Quellen-TKÜ, which has also been nicknamed Bundestrojaner, to record Skype conversations but only if wiretapping permission has been granted. It seems the new malware goes beyond this.
Evil R2D2 Helps Police Enquiries
Graham Cluley, senior technology consultant at Sophos, writes that an initial analysis of the software shows that it is capable of monitoring Skype, MSN Messenger and Yahoo Messenger. It also logs key presses in Firefox, Opera, Internet Explorer and SeaMonkey browsers and can take JPEG screenshots of the user’s monitor screen and send all this information to a remote website at IP address 220.127.116.11, which appears to be based in Düsseldorf or Neuss in Germany.
The ability to plant more monitoring software on the system seems like overkill. The CCC wrote: “The trojan’s built-in functions are scary enough, even without extending it by new modules. For the analysis, the CCC wrote it’s own control terminal software, that can be used to remotely control infected PCs over the Internet. With its help it is possible to watch screenshots of the web browser on the infected PC – including private notices, emails or texts in web-based cloud services.”
If the link with the police force proves true, it could be a major bombshell in privacy-conscious Germany. The CCC analysis concludes that the Trojan’s developers have not placed controls in the malware to ensure only wiretapping of Internet telephony can be executed – contrary to German law. Furthermore, the ability to use it as a bridgehead for other software makes it totally illegal.
“This refutes the claim that an effective separation of just wiretapping Internet telephony and a full-blown Trojan is possible in practice – or even desired,” commented the CCC. “Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”
There is some doubt about the provenance of the software, as much of the “evidence” that it is state-owned is circumstantially based on comments within the code and the contact IP. Knowing the sensitivity of any kind of privacy invasion in Germany, an enemy state or organisation could have planted the malware to spread distrust.
The sample software was supplied by an anonymous source so without a government statement all CCC’s comments are based on an assumption. Cluley posted a later blog in which he said, “It’s not really possible to ‘prove’ who authored the malware, unless the German authorities confirm their involvement. However, it’s beginning to look as though it’s more likely that they were involved than not.”
What is of concern is, if one government’s law enforcement officers are using the software, that other governments may be in possession of the tool. And even if that is not the case, the tools may fall into malevolent hands.