German Policeware: Use the Farce...er, Force...Luke

On Saturday, another controversial report of a “government trojan” appeared. This time it is the German government that has been accused by the European hacker club Chaos Computer Club (CCC) of using “lawful interception” malware. Hence, “Bundestrojaner” (Federal Trojan), though that name is normally applied to the legal concept that allows German police to make use of surveillance software (restricted since 2008 to wiretapping), rather than this specific policeware, some reports notwithstanding.

Similar news of governments spying on their citizens include the intentions of France to use spyware for the purpose of copyright protection, or the leak of information about the Egyptian government trojan FinFisher. The whitepaper Please Police Me that David Harley and Craig Johnston presented at the AVAR 2009 conference also noted earlier surveillance tools such as Carnivore and Magic Lantern, while outlining the ethical and legal issues around the detection or non-detection of such software.

Unlike the French and Egyptian cases, samples (a DLL and a system driver) of the German tool have been made public by CCC.

The trojan features a keylogger and also has the capability to take screenshots and record audio, taking its potential far beyond the permitted wiretapping functionality. Some of the affected applications include Skype, MSN Messenger, Yahoo Messenger, and X-Lite – a VoIP application. Moreover, it creates a backdoor on the infected computer, which enables it to exfiltrate the collected information, and also to be controlled remotely. And with its additional ability to download other potentially malicious executables and run them on the system, it is no different from regular backdoor trojans that we see daily.

There is no easy way of determining the origin of this malware - or of most other malware, for that matter – by binary analysis. However it has been linked anecdotally with material leaked by WikiLeaks indicating that DigiTask, a Bavarian company, offered to write software for Skype interception, and DigiTask’s own lawyer has been quoted as saying that it has developed such programs for the German Authorities. (Not that it’s clear at this point whether this program is one of those programs.)

However, origin is not a decisive factor in terms of whether or not it should be detected. If some code is apparently malicious, there is no valid reason for an Anti-Virus not to detect it. And from a technical point of view, lots of malware binaries are detected without an explicit detection signature having been written for them – that is the idea behind heuristics and behavior analysis – and it’s likely that where there has been no attempt to ask for policeware to remain undetected as a special case, it’s simply been detected as unequivocally malicious.  

Harley and Johnston discussed the difficulties as follows:

“Are government & law enforcement agencies allowed to plant spyware on a suspect’s computer now? In some cases, this has been done with the approval of those in authority. But at the moment the planting of spyware on a suspect’s computer is not allowed in many countries unless under special circumstances relating to criminal investigation or national security.”

“The reality is that legislation varies greatly ... There is very little consistency at the moment, and there is unlikely to be in the absence of a world-wide, homogenizing culture. Indeed, there’s little consistency even within individual countries: while much legislation proposed in the West has been focused on increasing the government’s capacity for surveillance of the general population as well as of criminals (both cyber criminals and perpetrators of more traditional categories of crime), other legislation has been focused on enhancing the individual’s rights to privacy and confidentiality of data – for example, In accordance with the European Directive on Data Protection.”

“Are government & law enforcement agencies planting spyware on a suspect’s computer now? The short answer to this question is “almost certainly” ...  But in most western countries you will be hard pressed to find someone to admit the extent to which the practice goes on, and they do not, in general, seem to be asking antivirus companies to waive detection. But if we were to start agreeing to such requests, would we have to honour requests from all countries who asked? (We’re assuming here that where local legislation required cooperation, vendors would generally be required to comply, though thinking through some of the implications of that assumption could occupy a paper all on its own.)”

A number of names have been used for this program, (supposed) German “federal trojan” including “Quellen-TKU” and “0zapftis”. The occurrence of the latter string in the code does suggest a Munich/Bavaria connection, though it’s just as possible for “suggestive” strings to be inserted into code for purposes of misdirection. ESET detects it as Win32/R2D2.A. This name comes from a text string “C3PO-r2d2-POE” which the trojan uses at the start of data transmission. Clearly, the presence of names associated in some form with Star Wars is unlikely to be coincidental. However, the fact that inept coding introduces potential for the trojan to be misused by the enemies of law enforcement suggests that it’s the farce which is strong with this one.

Robert Lipovsky, Malware Researcher
David Harley, Senior Research Fellow