The German government acknowledged on Tuesday that a trojan horse program used to perform lawful intercept is capable of far more than it was said to be. The confirmation comes after an analysis by hacking group The Chaos Computer Club (CCC) which alleged that the program may be in breach of the law.
The piece of malware, referred to within the German government as “Quellen-TKU,” was found in the wild and submitted anonymously to the CCC. Reports claim the trojan was installed on a victim’s computer during a recent customs check and was intended for use by Gerrman police forces in source wiretapping to observe and intercept Internet based telecommunication.
Dubbed “Bundestrojaner light” by the CCC, or “federal trojan” in English, the malware program was found to contain backdoor functionalities and implementation and design flaws that make the trojan available for use by nearly anyone on the Internet.
According to the CCC’s analysis, the Bundestrojaner is actually capable of receiving and remotely executing arbitrary program uploads from the Internet, and therefore, violates the terms set forth by the German constitutional court in early 2008, when they enacted a law barring the use of malware to manipulate the computers of German citizens.
Specifically Bundestrojaner could easily activate and monitor computer hardware like microphones or cameras for surveillance purposes. From their analysis, the CCC concluded that little or no effort had been put into the design to ensure that Quellen-TKU would be used for its intended purposes. Contrarily, it appears that clandestine functions were designed into the trojan so that it could be later upgraded to do the sorts of surveillance it promised not to.
“This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired,” said a CCC spokesperson. “In this case, functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”
Bavarian Interior Minister Joachim Herrmann released a statement yesterday confirming that German law enforcement had used this software, but said that they had done so legally and within the bounds of German law. The version of the malware submitted to the CCC may be a test version of Quellen-TKU, leaked during developmental phases of the project in 2009, he said. It is not the present version of the Trojan. Herrmann said the matter of the trojan will, however, be investigated.
Among other things, the CCC’s analysis of the Quellen-TKU trojan suggests that it was designed with a built-in upgrade path.
The CCC warns that the existence of the Trojan and its capabilities present a number of challenges to civil liberties in the country. The Trojan could potentially be used to upload falsified evidence or delete files on a machine. Furthermore, the CCC also claims that in order to keep the location of Quellen-TKU’s command and control server a secret, all traffic is redirected through a rented dedicated server at a data center in the US, potentially violating the privacy rights of German citizens.
Finally, shoddy construction makes it possible for those outside law enforcement to coopt the trojan’s code for malicious purposes, CCC warned.
“We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities”, said the spokesperson.
“The security level this trojan leaves the infected systems in is comparable to it setting all passwords to ’1234.’”
As in other countries, law enforcement in Germany has struggled with the challenge of monitoring the doings of suspects who are increasingly using Internet based tools such as instant messaging, e-mail and IP based telephony to communicate. Freely available encryption and obfuscation tools like ToR (The Onion Router) can make it easy for suspects to cover their tracks. A presentation by the firm DigiTask, which created a remote monitoring tool for Bavarian Security Service suggests remotely controlled information gathering TTrojans as a solution. The presentation was published by the information leaking site Cryptome.org on Monday (PDF) and describes features similar to those attributed to the Quellen-TKU malware.
You can find the CCC’s entire anylsis here.