Toribash
German government trojan hacked
Last Monday, 10 Oct. 2011, the Chaos Computer Club (CCC) published an article with, in my opinion, shocking news. They received multiple hard drives which contained the trojan that the German government used for source telecommunication surveillance ("Quellen-Telekommunikationsüberwachung"). After analyzing the trojan the CCC realized that not only was it obviously coded by an amateur and had several vulnerabilities, but that it clearly violated the limits set by the Federal Constitutional Court of Germany.
It was intended to intercept communication done with computers before encryption can cause problems. Nothing more and nothing less. In fact the trojan comes with a built-in keylogger and is able to take screenshots of any active window. The most disturbing feature however is that it is able to download and run any piece of code, remotely controlled, with the highest privileges. This means it can be used as a bug if a camera or microphone is connected to the computer, and basically every file can be read. But not just reading is a problem; theoretically files could be written, too. Any "evidence" could be faked and thus is worthless.
Apparently the coders knew they were acting against the law, since they tried to hide the executing part (in a very naive way).

Additional info for all the nerds and geeks out there:
How they did it: In the function to load code there are three strings: "teProc", "Crea" and "essA". They are joined together in apparently random spots. In the right order this creates "CreateProcessA", which is used together with kernel32.dll to run the desired code. Not the best way to hide it, but it obviously was enough to fool anti-virus software.
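The split-string trick above is cheap to detect once you know to look for it. The following Go program is an added example (not code from the post or from the CCC report): given the strings extracted from a sample, it tries to reassemble known API names from pieces, each piece used at most once, and reports names that appear only in fragments. The string table, the extra API names and the minimum fragment length are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// minFragmentLen is an assumed threshold: fragments shorter than this (single
// letters, "ex", "A") would let almost any name be "spelled" from a large
// string table, so the heuristic ignores them.
const minFragmentLen = 3

// sensitiveAPIs are the Win32 names the scanner tries to reassemble.
// CreateProcessA is the one the post names; the other two are assumed here as
// further names worth watching for.
var sensitiveAPIs = []string{"CreateProcessA", "WriteProcessMemory", "LoadLibraryA"}

// coverWithFragments reports whether target can be spelled by concatenating
// fragments drawn from pool, each used at most once, and returns them in the
// order they have to be joined. It is a depth-first search over prefixes.
func coverWithFragments(target string, pool []string) ([]string, bool) {
	used := make([]bool, len(pool))
	var path []string
	var walk func(pos int) bool
	walk = func(pos int) bool {
		if pos == len(target) {
			return true
		}
		for i, frag := range pool {
			if used[i] || len(frag) < minFragmentLen || !strings.HasPrefix(target[pos:], frag) {
				continue
			}
			used[i] = true
			path = append(path, frag)
			if walk(pos + len(frag)) {
				return true
			}
			path = path[:len(path)-1]
			used[i] = false
		}
		return false
	}
	if walk(0) {
		return path, true
	}
	return nil, false
}

// findSplitAPINames returns, for every sensitive API name that appears in the
// extracted strings only as two or more pieces, the pieces in joining order.
// A name stored whole needs no reassembly and is left to an ordinary string
// scan, so single-fragment matches are not reported.
func findSplitAPINames(extracted []string) map[string][]string {
	hits := map[string][]string{}
	for _, api := range sensitiveAPIs {
		if parts, ok := coverWithFragments(api, extracted); ok && len(parts) > 1 {
			hits[api] = parts
		}
	}
	return hits
}

func main() {
	// Constructed string table standing in for the output of a strings dump
	// of a sample; it includes the three fragments the post mentions.
	extracted := []string{"kernel32.dll", "teProc", "Crea", "GetTickCount", "essA", "LoadLibraryA"}
	for api, parts := range findSplitAPINames(extracted) {
		fmt.Printf("%s is present, split as %s\n", api, strings.Join(parts, " + "))
	}
}
```

With the constructed table the program reports `CreateProcessA is present, split as Crea + teProc + essA`, while `LoadLibraryA`, which is stored whole, is not flagged. The search is exponential in the worst case, so on a real string dump of thousands of entries you would restrict the pool to short, alphanumeric-only strings first.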


But not only did they break the rules, they didn't even write any code for authentication. The only condition for commands was that they come from a server located in Ohio, USA. It's not hard to fake this.
In addition to that, only the data sent from the trojan to the people watching you is encrypted (in a very bad way).

Additional info #2: AES is used to encrypt the data which isn't a bad choice. However, ECB mode was used to encrypt the blocks which is not very secure. In addition to that every text block is encrypted with the same key. On top of that every trojan found by the CCC used the same key. Seems like someone didn't understand the concept of encryption.
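To make the ECB point concrete, here is an added Go example (not code from the post or from the CCC report) that encrypts a message consisting of the same block four times, once in ECB mode and once in CBC mode with a random IV, and counts how many ciphertext blocks repeat. The key and the message are constructed for the example; Go's standard library has no ECB helper, so the block loop is written out by hand.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// ecbEncrypt encrypts plaintext block by block with the same key and no
// chaining, which is the ECB mode the post describes. The input must already
// be a whole number of 16-byte blocks.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// cbcEncrypt encrypts the same input in CBC mode under a fresh random IV,
// which is prepended to the ciphertext so the receiver can decrypt.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, bs+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:bs]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:bs]).CryptBlocks(out[bs:], plaintext)
	return out, nil
}

// repeatedBlocks counts ciphertext blocks that are exact copies of an earlier
// block. Under ECB every repeated plaintext block shows up here; under CBC
// with a random IV the count stays at zero.
func repeatedBlocks(ciphertext []byte) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ciphertext); i += aes.BlockSize {
		b := string(ciphertext[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	// Constructed values: a fixed 16-byte key and a message made of the same
	// block four times, the kind of repetition a captured session contains.
	key := []byte("constructed-16-b")
	pt := bytes.Repeat([]byte("0123456789ABCDEF"), 4)

	ecb, _ := ecbEncrypt(key, pt)
	cbc, _ := cbcEncrypt(key, pt)
	fmt.Println("ECB:", hex.EncodeToString(ecb), "repeated blocks:", repeatedBlocks(ecb))
	fmt.Println("CBC:", hex.EncodeToString(cbc), "repeated blocks:", repeatedBlocks(cbc))

	// One key in every sample means the same plaintext block always produces
	// the same ECB ciphertext block, on every installation and every run.
	again, _ := ecbEncrypt(key, pt)
	fmt.Println("ECB output identical on a second run:", bytes.Equal(ecb, again))
}
```

The ECB output shows three repeated blocks and is byte-for-byte identical on every run, so an observer can spot repeated content without the key, and with one shared key the same ciphertext means the same plaintext across all installations. The CBC output shows no repeats and differs between runs because of the IV. CBC alone still provides no integrity check, so a real design would use an authenticated mode and a per-installation key.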

All this makes it possible for third parties to use the trojan to spy on you or to install any other malware. The CCC even wrote their own software to control the trojan.
The trojan was found due to the lack of skill of the coders, too. It was able to delete itself. But thanks to the amateurs who wrote it, it could be recovered by standard data recovery tools.

In the public paper on the analysis of the trojan the CCC wrote: "We are happy that no capable expert was found for the morally questionable action of programming this computer bug, so that in the end student assistants with a not yet developed foundation of morality had to do it." (translated by me, any suggestions for improvement are welcome)

Apparently the trojan was written by the company "Digi Task GmbH - Gesellschaft für besondere Telekommunikationssysteme".
Accused of incompetence, the lawyer of Digi Task defended himself with the words: "It is possible that software delivered in 2008 doesn't match security requirements nowadays".

Edit: At first the Federal Ministry of the Interior denied that the trojan found was indeed the one used by the government. Several federal states however admitted that the trojan found was used.
Sources (German, sorry):
article: http://ccc.de/de/updates/2011/staatstrojaner
paper on analysis: http://www.ccc.de/system/uploads/76/...r-report23.pdf
http://de.wikipedia.org/wiki/Bundest...sche_Umsetzung - "Staatstrojaner"
Frankfurter Allgemeine Sonntagszeitung - 9. Oct. 2011


So, a pretty long story for these questions:
First of all, what do you think of this? I know it's affecting only a few here in the TB community, but imagine this happening in your country. What would you think?
What are appropriate consequences to that?
What are acceptable limitations for "computer bugs"?
Should a state be allowed to use trojans at all?

PS:
If there are any weird wordings: sorry. Please tell me how to correct it.
Last edited by psycore; Oct 13, 2011 at 07:13 PM.