1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
|
title: Chaos Computer Club analyzes government malware
date: 2011-10-08 19:00:00
updated: 2011-10-08 18:59:53
author: admin
tags: update, pressemitteilung
previewimage: /images/0zapftis.png
The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.
<!-- TEASER_END -->
Even before the German constitutional court ("Bundesverfassungsgericht")
on February 27 2008 forbade the use of malware to manipulate German
citizen's PCs, the German government introduced a less conspicuous
newspeak variant of the term spy software: "Quellen-TKÜ" (the term means
"source wiretapping" or lawful interception at the source). This
Quellen-TKÜ can by definition only be used for wiretapping internet
telephony. The court also said that this has to be enforced through
technical and legal means.
The CCC now published the extracted binary files \[0\] of the government
malware that was used for "Quellen-TKÜ", together with a report about
the functionality found and our conclusions about these findings \[1\].
During this analysis, the CCC wrote its own remote control software for
the trojan.
The CCC analysis reveals functionality in the "Bundestrojaner light"
(Bundestrojaner meaning "federal trojan" and is the colloquial German
term for the original government malware concept) concealed as
"Quellen-TKÜ" that go much further than to just observe and intercept
internet based telecommunication, and thus violates the terms set by the
constitutional court. The trojan can, for example, receive uploads of
arbitrary programs from the Internet and execute them remotely. This
means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's
functionality is built-in right from the start. Activation of the
computer's hardware like microphone or camera can be used for room
surveillance.
The analysis concludes, that the trojan's developers never even tried to
put in technical safeguards to make sure the malware can exclusively be
used for wiretapping internet telephony, as set forth by the
constitution court. On the contrary, the design included functionality
to clandestinely add more components over the network right from the
start, making it a bridge-head to further infiltrate the computer.
"This refutes the claim that an effective separation of just wiretapping
internet telephony and a full-blown trojan is possible in practice – or
even desired," commented a CCC speaker. "Our analysis revealed once
again that law enforcement agencies will overstep their authority if not
watched carefully. In this case functions clearly intended for breaking
the law were implemented in this malware: they were meant for uploading
and executing arbitrary code on the targeted system."
The government malware can, unchecked by a judge, load extensions by
remote control, to use the trojan for other functions, including but not
limited to eavesdropping. This complete control over the infected PC –
owing to the poor craftsmanship that went into this trojan – is open
not just to the agency that put it there, but to everyone. It could even
be used to upload falsified "evidence" against the PC's owner, or to
delete files, which puts the whole rationale for this method of
investigation into question.
But the trojan's built-in functions are scary enough, even without
extending it by new moduls. For the analysis, the CCC wrote it's own
control terminal software, that can be used to remotely control infected
PCs over the internet. With its help it is possible to watch screenshots
of the web browser on the infected PC – including private notices,
emails or texts in web based cloud services.
The official claim of a strict separation of lawful interception of
internet telephony and the digital sphere of privacy has no basis in
reality. \[NB: The German constitutional court ruled that there is a
sphere of privacy that is afforded total protection and can never be
breached, no matter for what reason, for example keeping a diary or
husband and wife talking in the bedroom. Government officials in Germany
argued that it is possible to avoid listening in on this part but still
eavesdrop electronically. The constitutional court has created the
concept of "Kernbereich privater Lebensgestaltung", core area of private
life. The CCC is basically arguing that nowadays a person's laptop is
intrinsically part of this core area because people put private notes
there and keep a diary on it\] The fact that a judge has to sign the
warrant does not protect the privacy, because the data are being taken
directly from the core area of private life.
The legislator should put an end to the ever growing expansion of
computer spying that has been getting out of hand in recent years, and
finally come up with an unambiguous definition for the digital privacy
sphere and with a way to protect it effectively. Unfortunately, for too
long the legislator has been guided by demands for technical
surveillance, not by values like freedom or the question of how to
protect our values in a digital world. It is now obvious that he is no
longer able to oversee the technology, let alone control it.
The analysis also revealed serious security holes that the trojan is
tearing into infected systems. The screenshots and audio files it sends
out are encrypted in an incompetent way, the commands from the control
software to the trojan are even completely unencrypted. Neither the
commands to the trojan nor its replies are authenticated or have their
integrity protected. Not only can unauthorized third parties assume
control of the infected system, but even attackers of mediocre skill
level can connect to the authorities, claim to be a specific instance of
the trojan, and upload fake data. It is even conceivable that the law
enforcement agencies's IT infrastructure could be attacked through this
channel. The CCC has not yet performed a penetration test on the server
side of the trojan infrastructure.
"We were surprised and shocked by the lack of even elementary security
in the code. Any attacker could assume control of a computer infiltrated
by the German law enforcement authorities", commented a speaker of the
CCC. "The security level this trojan leaves the infected systems in is
comparable to it setting all passwords to '1234'".
To avoid revealing the location of the command and control server, all
data is redirected through a rented dedicated server in a data center in
the USA. The control of this malware is only partially within the
borders of its jurisdiction. The instrument could therefore violate the
fundamental principle of national sovereignty. Considering the
incompetent encryption and the missing digital signatures on the command
channel, this poses an unacceptable and incalculable risk. It also poses
the question how a citizen is supposed to get their right of legal
redress in the case the wiretapping data get lost outside Germany, or
the command channel is misused.
According to our hacker ethics and to avoid tipping off criminals who
are being investigated, the CCC has informed the German ministry of the
interior. They have had enough time to activate the existing self
destruct function of the trojan.
When arguing about the government authorized infiltration of computers
and secretly scanning suspects' hard drives, the former minister of the
interior Wolfgang Schäuble and Jörg Ziercke, BKA's president (BKA,
German federal policy agency), have always claimed that the population
should not worry because there would only be "a handful" of cases where
the trojan would be used at all. Either almost the complete set of
government malware has found their way in brown envelopes to the CCC's
mailbox, or the truth has been leapfrogged once again by the reality of
eavesdropping and "lawful interception".
The other promises made by the officials also are not basis in reality.
In 2008 the CCC was told that all versions of the "Quellen-TKÜ" software
would manually be hand-crafted for the specifics of each case. The CCC
now has access to several software versions of the trojan, and they all
use the same hard-coded cryptographic key and do not look hand-crafted
at all. Another promise has been that the trojan would be subject to
exceptionally strict quality control to make sure the rules set forth by
the constitutional court would not be violated. In reality this
exceptionally strict quality control has neither found that the key is
hard coded, nor that the "encryption" is uni-directional only, nor that
there is a back door for uploading and executing further malware. The
CCC expressed hope that this farce is not representative for
exceptionally strict quality control in federal agencies.
The CCC demands: The clandestine infiltration of IT systems by
government agencies must stop. At the same time we would like to call on
all hackers and people interested in technology to further analyze the
malware, so that at least some benefit can be reaped from this
embarrassing eavesdropping attempt. Also, we will gladly continue to
receive copies of other versions of government malware off your hands.
\[4\]
**Links**:
\[0\]
[Binaries](http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz "Cleaned up binaries release")
\[1\] [Analysis of the government malware
(German)](http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf "Analysis of the government malware")
\[4\] [BigBrotherAwards 2009](http://www.bigbrotherawards.de/2009/.com),
Category Business: companies selling internet and phone surveillance
technology
\[5\] [0zapftis (at)
ccc.de](mailto:0zapftis(at)ccc.de "Mail to the analysis' authors") use
the PGP key below:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (Darwin)
mQINBE6OIJYBEADA8V/CA60MHsizwIEk46q3Tw2/DceWdN5jpqr8xD00vhjLMjBx
kFgbZdou6yrYnZbrTC72dQbqj/e0KJaj5gmDjzEb29GKxFRbZkhjMSxYPBb4rawJ
MRQdv/o/Olsf7ucLCEMRjuNxxczpo5dayDZC1yT4P/PcERscOM1RIOkM+Iaqde4v
ApEZavNMrXBlV/s/cQ6gMnzqyzv9dNRaUN8BbNWufWmvue22DUR2kUpsEWYfXBe6
o70k8nxe91uHBDnfjL12n2E7kI79+umniOdXYPQgfzBLTnAgCjHjt+Xy75LOiYXt
ea7KPaGZoe9RuV+gAcK0G+NElDF7PjeuHbsV3YLXuQ7wjmbsn6qjpxl2E6C+vY30
29+4Si7FgwKLlJ/NVrAg90OGEQ13BvPGFUq5rES/ILs31fa7jcIXKaF+ADcMs9o3
ymXQF/wU1ENyUMtLsEz9DZ8yKgLVmLlieVmaiMPaJXSFYyHTccJoJ48QfYQARuMa
OR+bMhW/wWoubIKgj1tL35GF9fJ0hYpwtMG+Xfyi/JG8fJHV8J01sKG5w/UaBAY1
T4quFIHcdMjoRXwtExCsDjyqHRJAakL4WZEjulb3ReGVfuk+pVXTG4Hsp3E8oVKT
v62ahMg7X5ugek232DwUTzfU77sNkcTiuXokPMswbEIfp5zmm9pUhalcnQARAQAB
tDcwIFphcGZ0IElzISBSZXZlcnNlIEVuZ2luZWVyaW5nIElucHV0IDwwemFwZnRp
c0BjY2MuZGU+iQI+BBMBAgAoBQJOjiCWAhsvBQkHhh+ABgsJCAcDAgYVCAIJCgsE
FgIDAQIeAQIXgAAKCRDwbQurk8EwoEHBD/4vkbPzdBw9Ra7IBJCFe6aTUlw4qskU
WM+2hyC06wOWgZM8KiGABFabInJ+2krc+humAuRJoZPySoHyOi/QY9ND033FgkhX
Vea9EJpZRm0tJmbFMlFLzwT9fZ5r7GL0xLrQKoMEK3vUd0b3xQBqeaFEpB+VfU8Q
vKmgTG4dO8pYKVe3/MnjAkS6fUUFOsl9QvHCW8+u2Qn4fl7mUygBTLfK4y2KDruh
rh3EjeSuSaMdkNlXLDyEI5Hxttn0fTDp8K2Sh15qaeR1uMrwtxPHZRuSUw7jZ7xH
24eUjJ4ipnwLMqeTNiL5JBwzQIRp9pb1cjiNuhxUCT4tGBPTeHgPR2MeEbBfFuYJ
JnSEEO8VRStZXWWAKHj1ku8+YQ90SmFloRAbjlrkZpJn+vrj66wyGyzVbe1bD3Gy
jokwVEhcierUaSpUq9ChBIB+vbMQZlchUfIGZPln/WOuwSgo2L6CNTfcA/6FvHYu
+2Mg5VoeHOxQm28ZXjqCsODx3+j476S9VlHIDsBRmqPbOUoEzY2VIAyDzTlQE5Kn
kBGp8FXk68QYVSS+ZI00cLtoDZlDD22scjn6qDk1y6oHuUnP9UoIF8t2kR1j9xG3
FKrSNufwivgkZ3Fr2n+s9jYMom8YfZi15coNntyYSo7WQOgA29Ssfu8dfG56cdUc
WPrcjLfEcjvPMrkCDQROjiCWARAA4dsiBRvVSRN0YFW8iYJNqH0jzu/CwbjsQAOt
N6xM8OrjEsu3y82q0g/NryJJ4cVq3kl4r+WDoCwD2wR+oT4oMmg5jWtrs8lSikaG
6Gl1W8e81zkyvDol8+BQLFEDxyyOZ313rQznP8RsBzk8u8x1YBPNyeHEJMF3dusm
HUgQW2DY/eUUZQJARb9CHp2DTduTlQbkTPeDnFm6lrvduJyee98QeP+nCw9vTok0
uWc5o9p4VgY+koX10E++iFRlz9rwNzFT2vHPm5MeG1ZITbWjS17ZQNHsgbOdMDUk
08zQOYl29N4IuXRD1zRhs96oDwuxlo1rUE7A8vtf/6S6RETxkS7ykH1csCWrw6s/
CjaioVVoyWIEvCzn60P8kUCsLJCiXTE4rcdaY9eysM1jeNC2t7BpmuY6gSqBwM5m
0VfL86mCIZcE0AaxtrifjjwG8hlnlodyD0Ugi9tO87rPq204wplTMm6iZblKya5a
vzQdKckXOXd4DBSB1fKoZBWAFIuZ2asHa57CsZLXAsM1a1b/eGUIilBN6/bXboum
Gv2q+yF91kEP4tv+5fWLRJOgyUOiljB4g0JN1n9JfnM2iHaX7wcFh+jCnpX+1xZJ
E8urrUEPpt4IOCHB/mJAk2rCrCY69WWJTjuaXIc178TioWDWr+eDuDyENa9pbTCx
5paebg8AEQEAAYkERAQYAQIADwUCTo4glgIbLgUJB4YfgAIpCRDwbQurk8EwoMFd
IAQZAQIABgUCTo4glgAKCRBebJ87j17H3iJID/9UVR9HIxmQtQPADWXZxjnNePw1
32O1+Syd9j9JgYczHooudki6mx55ydFHEyu4oDJ7az0UiV92GEl7XV3iwBppf9Ja
WvZ5WvWMX4F/ZmmDWENXqQeniqIUlKa9XmA9jhYAEwy7198pbD/qsGBMioDVai0f
GTYUiBwHt2spu1uopx30spK/RwBKvbH6cbtGmOvfpXmgsFagtg6kPZPbfGZ3Iumh
yWHP4zd/+VcAOkjJv844Nuloh4VMPfwiInakG9bZzg4Ky5kGqB+Vl2WCZSOiVVGo
C4JmdMO7IMkBPMRNXQw23rhWWJVjsnF+nT/TnDlnH7g067IZ5YOZftwSun78Cjb1
sRmwCaj9iNbTwEUnES8Clni/AAirYvXs0Isu67WN1lJWUSwAavs6Thswhvpnrsq7
v0svvtmOU1pZVmYGmOFn8xAC+iK1PHFL4BH8NEhkiCMqBfH0pGIjl/hZk60r6Gtf
BNB0Fjt/HOQYVHNaQvbpPhWCLYxeVEUfMk9rRE1FlyzYGhBa/pG5ECoJGNQGriGC
bB4hzSmwjVqaP7N3qzfeP6xQT4y5A7Xe2zN9FnOO8+vjQ6hMMX4Ch4YDaxuHS3C7
4eQTgmJ9CWERuUBz/AdEobY+sakH+2PHN2eBgwbLBX5ti3YKy1L7DE3EZibKwWm5
D4C9KHCwUpT/unjQ9gM9EACHIFOBbxZF/2o4w6VdrsYYBUcihaEtDMc9sywNTwBF
jsxbJM4GHvtwlJlunMp1Iz62f9dL+hAUe76UCq2i7W9eVlT8Pp3xR0+z2Ini1PbG
nfgpsbI9q0ncUlGyo+o/fVNASQqqvfGsfU6SuKapwvMdqK6p7G4y+1XodRHChzli
v9WV2GRXNSp5jTuU7FZzCUaHilIU1Xh9P2eo/5/QwTvxkHdEssbCtK6hsWNS/ot9
9IRRB5x3Sr2pnb8JiiZrvwh2YlqaD0cs0gViA5gZXTsOVb6IzcaMgnG4M4xu+fgz
U+G9jHbwWj9UHcEUPEl5rRmrMTpeu5f2xRZddlbDW1QKREATXZkROsP3GLmXMESe
af7BF3+JtUTajYjxQxYwW6hQLkGc4wsIO4nWDFbk/lBh9T25mzTpo54WblDEq9yQ
K83zwI2BC3NFqRoZ9IrC3wJsic5T0/bIKALFXo5quK4pE7xt2+c6VQosymeWBk5q
Exy6jS1C6RjZGF4qXVPznejivZ9jEv4xUh+BXSMKnZCN9SZIzhWU3K6aqacY8LVm
mWE4MA8GJ0dUiw+egWacFBJFRg1I6p1NbuUIlU1WdGne2hyz7djbFofLay15x1Lo
wYTTAi2gmp8vxHoZoI30dCJZTtVKb1vIEOE9Tz5Cl/UOVMxtqANGr9/GdVLPY2NB
ZQ==
=jS/I
-----END PGP PUBLIC KEY BLOCK-----
|