German Policeware: Use the Farce…er, Force…Luke

On Saturday, another controversial report of a “government trojan” appeared. This time it is the German government that has been accused by the European hacker club Chaos Computer Club (CCC) of using “lawful interception” malware. Hence, “Bundestrojaner” (Federal Trojan), though that name is normally applied to the legal concept that allows German police to make use of surveillance software (restricted since 2008 to wiretapping), rather than this specific policeware, some reports notwithstanding.

Similar news of governments spying on their citizens include the intentions of France to use spyware for the purpose of copyright protection, or the leak of information about the Egyptian government trojan FinFisher. The whitepaper Please Police Me that David Harley and Craig Johnston presented at the AVAR 2009 conference also noted earlier surveillance tools such as Carnivore and Magic Lantern, while outlining the ethical and legal issues around the detection or non-detection of such software.

Unlike the French and Egyptian cases, samples (a DLL and a system driver) of the German tool have been made public by CCC.

The trojan features a keylogger and also has the capability to take screenshots and record audio, taking its potential far beyond the permitted wiretapping functionality. Some of the affected applications include Skype, MSN Messenger, Yahoo Messenger, and X-Lite – a VoIP application. Moreover, it creates a backdoor on the infected computer, which enables it to exfiltrate the collected information, and also to be controlled remotely. And with its additional ability to download other potentially malicious executables and run them on the system, it is no different from regular backdoor trojans that we see daily.

There is no easy way of determining the origin of this malware – or of most other malware, for that matter – by binary analysis. However it has been linked anecdotally with material leaked by WikiLeaks indicating that DigiTask, a Bavarian company, offered to write software for Skype interception, and DigiTask’s own lawyer has been quoted as saying that it has developed such programs for the German Authorities. (Not that it’s clear at this point whether this program is one of those programs.)

However, origin is not a decisive factor in terms of whether or not it should be detected. If some code is apparently malicious, there is no valid reason for an Anti-Virus not to detect it. And from a technical point of view, lots of malware binaries are detected without an explicit detection signature having been written for them – that is the idea behind heuristics and behavior analysis – and it’s likely that where there has been no attempt to ask for policeware to remain undetected as a special case, it’s simply been detected as unequivocally malicious.  

Harley and Johnston discussed the difficulties as follows:

“Are government & law enforcement agencies allowed to plant spyware on a suspect’s computer now? In some cases, this has been done with the approval of those in authority. But at the moment the planting of spyware on a suspect’s computer is not allowed in many countries unless under special circumstances relating to criminal investigation or national security.”

“The reality is that legislation varies greatly … There is very little consistency at the moment, and there is unlikely to be in the absence of a world-wide, homogenizing culture. Indeed, there’s little consistency even within individual countries: while much legislation proposed in the West has been focused on increasing the government’s capacity for surveillance of the general population as well as of criminals (both cyber criminals and perpetrators of more traditional categories of crime), other legislation has been focused on enhancing the individual’s rights to privacy and confidentiality of data – for example, In accordance with the European Directive on Data Protection.”

“Are government & law enforcement agencies planting spyware on a suspect’s computer now? The short answer to this question is “almost certainly” …  But in most western countries you will be hard pressed to find someone to admit the extent to which the practice goes on, and they do not, in general, seem to be asking antivirus companies to waive detection. But if we were to start agreeing to such requests, would we have to honour requests from all countries who asked? (We’re assuming here that where local legislation required cooperation, vendors would generally be required to comply, though thinking through some of the implications of that assumption could occupy a paper all on its own.)”

A number of names have been used for this program, (supposed) German “federal trojan” including “Quellen-TKU” and “0zapftis”. The occurrence of the latter string in the code does suggest a Munich/Bavaria connection, though it’s just as possible for “suggestive” strings to be inserted into code for purposes of misdirection. ESET detects it as Win32/R2D2.A. This name comes from a text string “C3PO-r2d2-POE” which the trojan uses at the start of data transmission. Clearly, the presence of names associated in some form with Star Wars is unlikely to be coincidental. However, the fact that inept coding introduces potential for the trojan to be misused by the enemies of law enforcement suggests that it’s the farce which is strong with this one.

Robert Lipovsky, Malware Researcher
David Harley, Senior Research Fellow

Author Robert Lipovsky, ESET

  • Richard

    Does this malware self replicate?

  • Lameal1

    So.. wil eset find this virus or not??

    • Robert Lipovsky

      @Richard: No, the malware is not designed to replicate further than its intended target. On the other hand, as I mentioned, the backdoor functionality enables the tool’s capabilities to be extended.
      @Lameal1: Yes, ESET security products detect the trojan as Win32/R2D2.A.

  • Minitrue

    DigiTask is not a bavarian Company, it comes from hesse. (Imprint).

    • David Harley

      @Minitrue No-one, AFAIK, has claimed that DigiTask is Bavarian. The Munich/Oktoberfest/Bavaria connection comes from the use of the string #0zapftis in the R2D2 code.

  • lyecdevf

    I am not surprised to hear that this trojan is the work of Germany and I say this because I have followed some news from Germany that to me indicates that Germany suffers from cyber paranoia.  For instance running a tor rellay is basically illigal in Germany.  They made the failbooks like button illigal (I have to agree with them on that though).The person now known as the, "German social site hacker," commited suicde in jail and the list could go on an on.  
    The thing is that there is always some news from Germany that makes you wonder where they are heading with this cyber paranoia.  This is just the latest but I really believe that there is going to be a lot more to come. 
     
         

  • Richard

    Ahh thanks Robert my pondering was the legal rammifications of such a virus ending up on a computer NOT inside German borders ;)

  • Richard

    Seems it made slashdot
     

     
     

  • Richard

    oops it ate the link…
     
     

  • l8a

    You say it CAN be found – even without signatures through to heuristic methods – but the first versions of the "bundestrojaner" was NOT FOUND by most AVs (for example it was NOT FOUND by Avira, Kaspersky and Eset).
     
    I am a little bit confused ….

    • David Harley

      @18a, yes, I think you are… We were clearly talking about the general case of policeware or state-sponsored trojans, not this particular software. I don’t know if the bundestrojaner was detected heuristically before we received a sample and added a specific detection – and am wondering how you claim to know! – and we certainly didn’t say in this article that we detected it. Obviously, there’s no guaranteee that a given binary _will_ be detected heuristically: the point is that if it is, an AV company isn’t likely to know that it’s state-sponsored unless it happens to be subjected to extensive manual analysis.

Follow Us

Sign up to our newsletter

The latest security news direct to your inbox

26 articles related to:
Hot Topic
ESET Virus Radar

Archives

Select month
Copyright © 2014 ESET, All Rights Reserved.