German government trojan hacked
Last Monday, 10 Oct. 2011, the Chaos Computer Club (CCC) published an article with, in my opinion, shocking news. They received multiple hard drives which contained the trojan that the German government used for source telecommunication surveillance ("Quellen-Telekommunikationsüberwachung"). After analyzing the trojan the CCC realized that not only was it obviously coded by an amateur and had several vulnerabilities, but it clearly violated the limits set by the Federal Constitutional Court of Germany.
It was intended to intercept communication done with computers before encryption can cause problems. Nothing more and nothing less. In fact the trojan comes with a built-in keylogger and is able to take screenshots of any active window. The most disturbing feature however is that it is able to download and run any piece of code, remote-controlled, with the highest privileges. This means it can be used as a bug if a camera or microphone is connected to the computer, and basically every file can be read. But not just reading is a problem; theoretically files could be written, too. Any "evidence" could be faked and thus is worthless.
Apparently the coders knew they were acting against the law since they tried to hide the executing part (in a very naive way).

Additional info for all the nerds and geeks out there:
How they did it: In the function to load code there are three strings: "teProc", "Crea" and "essA". They are joined together in apparently random spots. In the right order this creates "CreateProcessA", which is used together with kernel32.dll to run the desired code. Not the best way to hide it, but it obviously was enough to fool anti-virus software.


But not only did they break the rules, they didn't even write any code for authentication. The only condition for commands was that they come from a server located in Ohio, USA. It's not hard to fake this.
In addition to that, only the data sent from the trojan to the people watching you is encrypted (in a very bad way).

Additional info #2: AES is used to encrypt the data which isn't a bad choice. However, ECB mode was used to encrypt the blocks which is not very secure. In addition to that every text block is encrypted with the same key. On top of that every trojan found by the CCC used the same key. Seems like someone didn't understand the concept of encryption.

All this makes it possible for third persons to use the trojan to spy on you or to install any other malware. The CCC even wrote their own software to control the trojan.
The trojan was found due to the lack of skill of the coders, too. It was able to delete itself. But thanks to the amateurs who wrote it, it could be recovered by standard data recovery tools.

In the public paper on the analysis of the trojan the CCC wrote: "We are happy that no capable expert was found for the morally questionable action of programming this computer bug, so that in the end student assistants with a not yet developed foundation of morality had to do it." (translated by me, any suggestions for improvement are welcome)

Apparently the trojan was written by the company "Digi Task GmbH - Gesellschaft für besondere Telekommunikationssysteme".
Accused of incompetence, the lawyer of Digi Task defended himself with the words: "It is possible that software delivered in 2008 doesn't match security requirements nowadays".

e: At first the Federal Ministry of the Interior denied that the trojan found was indeed the one used by the government. Several federal states however admitted that the trojan found was used.
sources (German, sorry):
article: http://ccc.de/de/updates/2011/staatstrojaner
paper on analysis: http://www.ccc.de/system/uploads/76/...r-report23.pdf
http://de.wikipedia.org/wiki/Bundest...sche_Umsetzung - "Staatstrojaner"
Frankfurter Allgemeine Sonntagszeitung - 9. Oct. 2011


So, pretty long story for those questions:
First of all, what do you think of this? I know it's affecting only a few here on the TB community, but imagine this happening in your country. What would you think?
What are appropriate consequences to that?
What are acceptable limitations for "computer bugs"?
Should a state be allowed to use trojans at all?

PS:
If there are any weird wordings: sorry. Please tell me how to correct it.
Last edited by psycore; Oct 13, 2011 at 07:13 PM.
Signature temporarily out of order.
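The split-string trick described in the original post ("teProc", "Crea" and "essA" reassembled into CreateProcessA) is something a defender can look for in a sample. The following Go program is an added example, not code from the post or from the CCC report: it pulls printable strings out of a buffer the way the `strings` tool does and checks whether a sensitive API name can be tiled from separate fragments; the byte blob is constructed for the demo.

```go
package main

import (
	"bytes"
	"fmt"
)

const minFrag = 3 // shortest fragment counted; shorter pieces match by accident

// extractStrings mimics the `strings` tool: runs of printable ASCII at least
// minFrag long, delimited by non-printable bytes such as NUL.
func extractStrings(data []byte) map[string]bool {
	found := map[string]bool{}
	notPrintable := func(r rune) bool { return r < 0x20 || r > 0x7e }
	for _, s := range bytes.FieldsFunc(data, notPrintable) {
		if len(s) >= minFrag {
			found[string(s)] = true
		}
	}
	return found
}

// splitFragments returns the left-to-right tiling of api by strings found in data,
// e.g. [Crea teProc essA], or nil; one part means the name is present intact.
// last[i] records the fragment that ends at offset i once api[:i] is tileable.
func splitFragments(data []byte, api string) []string {
	strs := extractStrings(data)
	last := make([]string, len(api)+1)
	for i := minFrag; i <= len(api); i++ {
		for j := 0; j+minFrag <= i && last[i] == ""; j++ {
			if (j == 0 || last[j] != "") && strs[api[j:i]] {
				last[i] = api[j:i]
			}
		}
	}
	if last[len(api)] == "" {
		return nil
	}
	var parts []string
	for i := len(api); i > 0; i -= len(last[i]) {
		parts = append([]string{last[i]}, parts...)
	}
	return parts
}

func main() {
	// Constructed sample in the layout the post describes: three NUL-terminated pieces, out of order.
	blob := []byte("\x00teProc\x00\x90\x90Crea\x00\xcc\xccessA\x00kernel32.dll\x00")
	fmt.Println(splitFragments(blob, "CreateProcessA")) // [Crea teProc essA]
}
```

A result with two or more parts is the pattern worth flagging; the same check can be run over a list of other sensitive API names.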
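On the ECB point from the original post: the following Go program is an added illustration, not the trojan's or the CCC's code, of why AES in ECB mode with one key shared by every install is weak. The key and the keylog record are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// ecbEncrypt is ECB mode: every 16-byte block is encrypted on its own, so equal
// plaintext blocks give equal ciphertext blocks. len(pt) must be a multiple of 16.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		b.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// repeatedBlocks counts ciphertext blocks identical to an earlier block; a
// sniffer needs no key to compute this.
func repeatedBlocks(ct []byte) (n int) {
	seen := map[string]bool{}
	for i := 0; i < len(ct); i += aes.BlockSize {
		blk := string(ct[i : i+aes.BlockSize])
		if seen[blk] {
			n++
		}
		seen[blk] = true
	}
	return n
}

func main() {
	b, err := aes.NewCipher([]byte("0123456789abcdef")) // constructed stand-in for the one shared key
	if err != nil {
		panic(err)
	}
	record := []byte("user typed: abc\n") // constructed 16-byte keylog record
	pt := bytes.Repeat(record, 3)          // the same record logged three times
	ecb := ecbEncrypt(b, pt)
	fmt.Println("ECB repeated blocks:", repeatedBlocks(ecb)) // 2
	// With one key in every install, a known plaintext/ciphertext pair is a codebook entry that identifies that record in any capture.
	fmt.Println("codebook hit:", bytes.Equal(ecb[:16], ecbEncrypt(b, record))) // true
	// CBC with an IV (fresh and random per message in real use; zero here only to keep the demo deterministic) chains blocks, so the repeats disappear.
	cbc := make([]byte, len(pt))
	cipher.NewCBCEncrypter(b, make([]byte, aes.BlockSize)).CryptBlocks(cbc, pt)
	fmt.Println("CBC repeated blocks:", repeatedBlocks(cbc)) // 0
}
```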
That really does seem a bit unnerving. I have no idea why they would need the ability to control anyone's computer remotely and see everything it saw, that is infringing on personal rights, correct?
Anyways, I think that viruses will always be one step ahead of the antivirus, and there is good reason for that. The virus is coded, then the AV company has to figure out how to stop it. Meanwhile, a new virus is being coded, and so on and so forth...
"Or maybe we're each other's dads?"
Makes me feel weird.
What if some guy writes a notepad file that contains some super important information, and gets stolen because he's being spied on...
If they used this virus correctly and put more time into it, that program could possibly obtain classified information from any computer.

Meh. They tried.
I'm coming back with a vengeance!
Yeah, those are points that were criticized, too.
In addition to that they could take screenshots of e-mails which never will be sent because they get edited or deleted later on.
Signature temporarily out of order.
Wait, I don't get it. Can you please explain further for me? Who was or is going to be hacked? And who is going to be affected by this trojan?
Purity Of Essence
Originally Posted by Dynomite
Wait, I don't get it. Can you please explain further for me? Who was or is going to be hacked? And who is going to be affected by this trojan?

Well, it should be obvious really, but:
  • The trojan has been in use by the German government for digital surveillance purposes since 2008.
  • The CCC received multiple drives infected with the virus, and used them to analyse it.
  • The trojan is found to be in violation of the constitution of Germany, as it can be used for far more than surveillance; in fact its uses are limitless as it can download and run any program.
  • This trojan has been used on an unknown number of machines, but since the CCC was able to acquire multiple infected hard drives it is logical to assume there is quite a large infected population. However I would expect that the population is domestic to Germany, as I doubt they would be able to handle world-wide surveillance, nor would the police who would employ this trojan use it overseas.
  • The trojan itself was built very poorly.
When I see you, my heart goes DOKI⑨DOKI
Fish: "Gorman has been chosen for admin. After a lengthy discussion we've all decided that Gorman is the best choice for the next admin."
It was meant to intercept voice over IP or chat messages before they get encrypted on the computer of people suspected of doing illegal stuff. German investigative authorities are allowed to use that. But it was (on purpose) coded in a way so that it can be used to read every file, write new files and download and run any piece of code. Thanks to several vulnerabilities third persons can use it, too. It's not even very difficult to do it.
Signature temporarily out of order.
I'm happy that I'm a little "paranoid" since I was at the black side of the hacker community years ago.
Yes, nothing against surveillance of terrorism-based suspects... but it should have limits. Besides that, an independent authority should observe and control it.

The bad thing is that the main idea behind it (surveillance of suspected terrorists) seems to fade away and the technique is also used for other crimes, which was never a part of the discussion at the beginning of all that.

And if that isn't all, the trojan itself is more than a piece of crap. Badly coded, vulnerable and easy to engage if you just have a slight knowledge of internet/intranet security. Assuming that real terrorists, who use the internet as a discussion base, HAVE this knowledge and/or use encryption, the trojan itself isn't much more than a drop in the bucket. Sooner or later the laws that allow such crap will be overworked or completely killed. We are not China, we aren't a part of 1984, and the government will realize that the hard way. Look at the next election and the actual surveys...
Check my Soundcloud ;)