path: root/updates/2011
Diffstat (limited to 'updates/2011')
-rw-r--r-- updates/2011/staatstrojaner.en.md | 240
1 files changed, 240 insertions, 0 deletions
diff --git a/updates/2011/staatstrojaner.en.md b/updates/2011/staatstrojaner.en.md
new file mode 100644
index 00000000..0284647e
--- /dev/null
+++ b/updates/2011/staatstrojaner.en.md
@@ -0,0 +1,240 @@
1title: Chaos Computer Club analyzes government malware
2date: 2011-10-08 19:00:00
3updated: 2011-10-08 18:56:37
4author: admin
5tags: update, pressemitteilung
6previewimage: /images/0zapftis.png
7
8The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.
9
10<!-- TEASER_END -->
11
12Even before the German constitutional court ("Bundesverfassungsgericht")
13on February 27 2008 forbade the use of malware to manipulate German
14citizen's PCs, the German government introduced a less conspicuous
15newspeak variant of the term spy software: "Quellen-TKÜ" (the term means
16"source wiretapping" or lawful interception at the source). This
17Quellen-TKÜ can by definition only be used for wiretapping internet
18telephony. The court also said that this has to be enforced through
19technical and legal means.
20
21The CCC now published the extracted binary files \[0\] of the government
22malware that was used for "Quellen-TKÜ", together with a report about
23the functionality found and our conclusions about these findings \[1\].
24During this analysis, the CCC wrote its own remote control software for
25the trojan.
26
27The CCC analysis reveals functionality in the "Bundestrojaner light"
28(Bundestrojaner meaning "federal trojan" and is the colloquial German
29term for the original government malware concept) concealed as
30"Quellen-TKÜ" that go much further than to just observe and intercept
31internet based telecommunication, and thus violates the terms set by the
32constitutional court. The trojan can, for example, receive uploads of
33arbitrary programs from the Internet and execute them remotely. This
34means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner's
35functionality is built-in right from the start. Activation of the
36computer's hardware like microphone or camera can be used for room
37surveillance.
38
39The analysis concludes, that the trojan's developers never even tried to
40put in technical safeguards to make sure the malware can exclusively be
41used for wiretapping internet telephony, as set forth by the
42constitution court. On the contrary, the design included functionality
43to clandestinely add more components over the network right from the
44start, making it a bridge-head to further infiltrate the computer.
45
46"This refutes the claim that an effective separation of just wiretapping
47internet telephony and a full-blown trojan is possible in practice – or
48even desired," commented a CCC speaker. "Our analysis revealed once
49again that law enforcement agencies will overstep their authority if not
50watched carefully. In this case functions clearly intended for breaking
51the law were implemented in this malware: they were meant for uploading
52and executing arbitrary code on the targeted system."
53
54The government malware can, unchecked by a judge, load extensions by
55remote control, to use the trojan for other functions, including but not
56limited to eavesdropping. This complete control over the infected PC –
57owing to the poor craftsmanship that went into this trojan –  is open
58not just to the agency that put it there, but to everyone. It could even
59be used to upload falsified "evidence" against the PC's owner, or to
60delete files, which puts the whole rationale for this method of
61investigation into question.
62
63But the trojan's built-in functions are scary enough, even without
64extending it by new moduls. For the analysis, the CCC wrote it's own
65control terminal software, that can be used to remotely control infected
66PCs over the internet. With its help it is possible to watch screenshots
67of the web browser on the infected PC – including private notices,
68emails or texts in web based cloud services.
69
70The official claim of a strict separation of lawful interception of
71internet telephony and the digital sphere of privacy has no basis in
72reality. \[NB: The German constitutional court ruled that there is a
73sphere of privacy that is afforded total protection and can never be
74breached, no matter for what reason, for example keeping a diary or
75husband and wife talking in the bedroom. Government officials in Germany
76argued that it is possible to avoid listening in on this part but still
77eavesdrop electronically. The constitutional court has created the
78concept of "Kernbereich privater Lebensgestaltung", core area of private
79life. The CCC is basically arguing that nowadays a person's laptop is
80intrinsically part of this core area because people put private notes
81there and keep a diary on it\] The fact that a judge has to sign the
82warrant does not protect the privacy, because the data are being taken
83directly from the core area of private life.
84
85The legislator should put an end to the ever growing expansion of
86computer spying that has been getting out of hand in recent years, and
87finally come up with an unambiguous definition for the digital privacy
88sphere and with a way to protect it effectively. Unfortunately, for too
89long the legislator has been guided by demands for technical
90surveillance, not by values like freedom or the question of how to
91protect our values in a digital world. It is now obvious that he is no
92longer able to oversee the technology, let alone control it.
93
94The analysis also revealed serious security holes that the trojan is
95tearing into infected systems. The screenshots and audio files it sends
96out are encrypted in an incompetent way, the commands from the control
97software to the trojan are even completely unencrypted. Neither the
98commands to the trojan nor its replies are authenticated or have their
99integrity protected. Not only can unauthorized third parties assume
100control of the infected system, but even attackers of mediocre skill
101level can connect to the authorities, claim to be a specific instance of
102the trojan, and upload fake data. It is even conceivable that the law
103enforcement agencies's IT infrastructure could be attacked through this
104channel. The CCC has not yet performed a penetration test on the server
105side of the trojan infrastructure.
106
107"We were surprised and shocked by the lack of even elementary security
108in the code. Any attacker could assume control of a computer infiltrated
109by the German law enforcement authorities", commented a speaker of the
110CCC. "The security level this trojan leaves the infected systems in is
111comparable to it setting all passwords to '1234'".
112
113To avoid revealing the location of the command and control server, all
114data is redirected through a rented dedicated server in a data center in
115the USA. The control of this malware is only partially within the
116borders of its jurisdiction. The instrument could therefore violate the
117fundamental principle of national sovereignty. Considering the
118incompetent encryption and the missing digital signatures on the command
119channel, this poses an unacceptable and incalculable risk. It also poses
120the question how a citizen is supposed to get their right of legal
121redress in the case the wiretapping data get lost outside Germany, or
122the command channel is misused.
123
124According to our hacker ethics and to avoid tipping off criminals who
125are being investigated, the CCC has informed the German ministry of the
126interior. They have had enough time to activate the existing self
127destruct function of the trojan.
128
129When arguing about the government authorized infiltration of computers
130and secretly scanning suspects' hard drives, the former minister of the
131interior Wolfgang Schäuble and Jörg Ziercke, BKA's president (BKA,
132German federal policy agency), have always claimed that the population
133should not worry because there would only be "a handful" of cases where
134the trojan would be used at all. Either almost the complete set of
135government malware has found their way in brown envelopes to the CCC's
136mailbox, or the truth has been leapfrogged once again by the reality of
137eavesdropping and "lawful interception".
138
139The other promises made by the officials also are not basis in reality.
140In 2008 the CCC was told that all versions of the "Quellen-TKÜ" software
141would manually be hand-crafted for the specifics of each case. The CCC
142now has access to several software versions of the trojan, and they all
143use the same hard-coded cryptographic key and do not look hand-crafted
144at all. Another promise has been that the trojan would be subject to
145exceptionally strict quality control to make sure the rules set forth by
146the constitutional court would not be violated. In reality this
147exceptionally strict quality control has neither found that the key is
148hard coded, nor that the "encryption" is uni-directional only, nor that
149there is a back door for uploading and executing further malware. The
150CCC expressed hope that this farce is not representative for
151exceptionally strict quality control in federal agencies.
152
153The CCC demands: The clandestine infiltration of IT systems by
154government agencies must stop. At the same time we would like to call on
155all hackers and people interested in technology to further analyze the
156malware, so that at least some benefit can be reaped from this
157embarrassing eavesdropping attempt. Also, we will gladly continue to
158receive copies of other versions of government malware off your hands.
159\[4\]
160
161**Links**:
162
163\[0\]
164[Binaries](http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz "Cleaned up binaries release")
165
166\[1\] [Analysis of the government malware
167(German)](http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf "Analysis of the government malware")
168
169\[4\] [BigBrotherAwards 2009](http://www.bigbrotherawards.de/2009/.com),
170Category Business: companies selling internet and phone surveillance
171technology
172
173\[5\] [0zapftis (at)
174ccc.de](mailto:0zapftis(at)ccc.de "Mail to the analysis' authors") use
175the PGP key below:
176
177 -----BEGIN PGP PUBLIC KEY BLOCK-----
178 Version: GnuPG v1.4.9 (Darwin)
179
180 mQINBE6OIJYBEADA8V/CA60MHsizwIEk46q3Tw2/DceWdN5jpqr8xD00vhjLMjBx
181 kFgbZdou6yrYnZbrTC72dQbqj/e0KJaj5gmDjzEb29GKxFRbZkhjMSxYPBb4rawJ
182 MRQdv/o/Olsf7ucLCEMRjuNxxczpo5dayDZC1yT4P/PcERscOM1RIOkM+Iaqde4v
183 ApEZavNMrXBlV/s/cQ6gMnzqyzv9dNRaUN8BbNWufWmvue22DUR2kUpsEWYfXBe6
184 o70k8nxe91uHBDnfjL12n2E7kI79+umniOdXYPQgfzBLTnAgCjHjt+Xy75LOiYXt
185 ea7KPaGZoe9RuV+gAcK0G+NElDF7PjeuHbsV3YLXuQ7wjmbsn6qjpxl2E6C+vY30
186 29+4Si7FgwKLlJ/NVrAg90OGEQ13BvPGFUq5rES/ILs31fa7jcIXKaF+ADcMs9o3
187 ymXQF/wU1ENyUMtLsEz9DZ8yKgLVmLlieVmaiMPaJXSFYyHTccJoJ48QfYQARuMa
188 OR+bMhW/wWoubIKgj1tL35GF9fJ0hYpwtMG+Xfyi/JG8fJHV8J01sKG5w/UaBAY1
189 T4quFIHcdMjoRXwtExCsDjyqHRJAakL4WZEjulb3ReGVfuk+pVXTG4Hsp3E8oVKT
190 v62ahMg7X5ugek232DwUTzfU77sNkcTiuXokPMswbEIfp5zmm9pUhalcnQARAQAB
191 tDcwIFphcGZ0IElzISBSZXZlcnNlIEVuZ2luZWVyaW5nIElucHV0IDwwemFwZnRp
192 c0BjY2MuZGU+iQI+BBMBAgAoBQJOjiCWAhsvBQkHhh+ABgsJCAcDAgYVCAIJCgsE
193 FgIDAQIeAQIXgAAKCRDwbQurk8EwoEHBD/4vkbPzdBw9Ra7IBJCFe6aTUlw4qskU
194 WM+2hyC06wOWgZM8KiGABFabInJ+2krc+humAuRJoZPySoHyOi/QY9ND033FgkhX
195 Vea9EJpZRm0tJmbFMlFLzwT9fZ5r7GL0xLrQKoMEK3vUd0b3xQBqeaFEpB+VfU8Q
196 vKmgTG4dO8pYKVe3/MnjAkS6fUUFOsl9QvHCW8+u2Qn4fl7mUygBTLfK4y2KDruh
197 rh3EjeSuSaMdkNlXLDyEI5Hxttn0fTDp8K2Sh15qaeR1uMrwtxPHZRuSUw7jZ7xH
198 24eUjJ4ipnwLMqeTNiL5JBwzQIRp9pb1cjiNuhxUCT4tGBPTeHgPR2MeEbBfFuYJ
199 JnSEEO8VRStZXWWAKHj1ku8+YQ90SmFloRAbjlrkZpJn+vrj66wyGyzVbe1bD3Gy
200 jokwVEhcierUaSpUq9ChBIB+vbMQZlchUfIGZPln/WOuwSgo2L6CNTfcA/6FvHYu
201 +2Mg5VoeHOxQm28ZXjqCsODx3+j476S9VlHIDsBRmqPbOUoEzY2VIAyDzTlQE5Kn
202 kBGp8FXk68QYVSS+ZI00cLtoDZlDD22scjn6qDk1y6oHuUnP9UoIF8t2kR1j9xG3
203 FKrSNufwivgkZ3Fr2n+s9jYMom8YfZi15coNntyYSo7WQOgA29Ssfu8dfG56cdUc
204 WPrcjLfEcjvPMrkCDQROjiCWARAA4dsiBRvVSRN0YFW8iYJNqH0jzu/CwbjsQAOt
205 N6xM8OrjEsu3y82q0g/NryJJ4cVq3kl4r+WDoCwD2wR+oT4oMmg5jWtrs8lSikaG
206 6Gl1W8e81zkyvDol8+BQLFEDxyyOZ313rQznP8RsBzk8u8x1YBPNyeHEJMF3dusm
207 HUgQW2DY/eUUZQJARb9CHp2DTduTlQbkTPeDnFm6lrvduJyee98QeP+nCw9vTok0
208 uWc5o9p4VgY+koX10E++iFRlz9rwNzFT2vHPm5MeG1ZITbWjS17ZQNHsgbOdMDUk
209 08zQOYl29N4IuXRD1zRhs96oDwuxlo1rUE7A8vtf/6S6RETxkS7ykH1csCWrw6s/
210 CjaioVVoyWIEvCzn60P8kUCsLJCiXTE4rcdaY9eysM1jeNC2t7BpmuY6gSqBwM5m
211 0VfL86mCIZcE0AaxtrifjjwG8hlnlodyD0Ugi9tO87rPq204wplTMm6iZblKya5a
212 vzQdKckXOXd4DBSB1fKoZBWAFIuZ2asHa57CsZLXAsM1a1b/eGUIilBN6/bXboum
213 Gv2q+yF91kEP4tv+5fWLRJOgyUOiljB4g0JN1n9JfnM2iHaX7wcFh+jCnpX+1xZJ
214 E8urrUEPpt4IOCHB/mJAk2rCrCY69WWJTjuaXIc178TioWDWr+eDuDyENa9pbTCx
215 5paebg8AEQEAAYkERAQYAQIADwUCTo4glgIbLgUJB4YfgAIpCRDwbQurk8EwoMFd
216 IAQZAQIABgUCTo4glgAKCRBebJ87j17H3iJID/9UVR9HIxmQtQPADWXZxjnNePw1
217 32O1+Syd9j9JgYczHooudki6mx55ydFHEyu4oDJ7az0UiV92GEl7XV3iwBppf9Ja
218 WvZ5WvWMX4F/ZmmDWENXqQeniqIUlKa9XmA9jhYAEwy7198pbD/qsGBMioDVai0f
219 GTYUiBwHt2spu1uopx30spK/RwBKvbH6cbtGmOvfpXmgsFagtg6kPZPbfGZ3Iumh
220 yWHP4zd/+VcAOkjJv844Nuloh4VMPfwiInakG9bZzg4Ky5kGqB+Vl2WCZSOiVVGo
221 C4JmdMO7IMkBPMRNXQw23rhWWJVjsnF+nT/TnDlnH7g067IZ5YOZftwSun78Cjb1
222 sRmwCaj9iNbTwEUnES8Clni/AAirYvXs0Isu67WN1lJWUSwAavs6Thswhvpnrsq7
223 v0svvtmOU1pZVmYGmOFn8xAC+iK1PHFL4BH8NEhkiCMqBfH0pGIjl/hZk60r6Gtf
224 BNB0Fjt/HOQYVHNaQvbpPhWCLYxeVEUfMk9rRE1FlyzYGhBa/pG5ECoJGNQGriGC
225 bB4hzSmwjVqaP7N3qzfeP6xQT4y5A7Xe2zN9FnOO8+vjQ6hMMX4Ch4YDaxuHS3C7
226 4eQTgmJ9CWERuUBz/AdEobY+sakH+2PHN2eBgwbLBX5ti3YKy1L7DE3EZibKwWm5
227 D4C9KHCwUpT/unjQ9gM9EACHIFOBbxZF/2o4w6VdrsYYBUcihaEtDMc9sywNTwBF
228 jsxbJM4GHvtwlJlunMp1Iz62f9dL+hAUe76UCq2i7W9eVlT8Pp3xR0+z2Ini1PbG
229 nfgpsbI9q0ncUlGyo+o/fVNASQqqvfGsfU6SuKapwvMdqK6p7G4y+1XodRHChzli
230 v9WV2GRXNSp5jTuU7FZzCUaHilIU1Xh9P2eo/5/QwTvxkHdEssbCtK6hsWNS/ot9
231 9IRRB5x3Sr2pnb8JiiZrvwh2YlqaD0cs0gViA5gZXTsOVb6IzcaMgnG4M4xu+fgz
232 U+G9jHbwWj9UHcEUPEl5rRmrMTpeu5f2xRZddlbDW1QKREATXZkROsP3GLmXMESe
233 af7BF3+JtUTajYjxQxYwW6hQLkGc4wsIO4nWDFbk/lBh9T25mzTpo54WblDEq9yQ
234 K83zwI2BC3NFqRoZ9IrC3wJsic5T0/bIKALFXo5quK4pE7xt2+c6VQosymeWBk5q
235 Exy6jS1C6RjZGF4qXVPznejivZ9jEv4xUh+BXSMKnZCN9SZIzhWU3K6aqacY8LVm
236 mWE4MA8GJ0dUiw+egWacFBJFRg1I6p1NbuUIlU1WdGne2hyz7djbFofLay15x1Lo
237 wYTTAi2gmp8vxHoZoI30dCJZTtVKb1vIEOE9Tz5Cl/UOVMxtqANGr9/GdVLPY2NB
238 ZQ==
239 =jS/I
240 -----END PGP PUBLIC KEY BLOCK-----
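Review bot: The PGP public key block at the end of the hunk is indented by only one space, which Markdown does not treat as a code block, so the armored key from `-----BEGIN PGP PUBLIC KEY BLOCK-----` to `-----END PGP PUBLIC KEY BLOCK-----` will render as ordinary wrapped paragraphs and readers will not be able to copy it intact; indent the whole block by four spaces or put it in a fenced code block. Smaller points in the same hunk: the link list goes \[0\], \[1\], \[4\], \[5\] while the body cites only \[0\], \[1\] and \[4\], so \[5\] (the 0zapftis contact address and key) is never referenced from the text and \[2\]/\[3\] are missing; the \[4\] URL `http://www.bigbrotherawards.de/2009/.com` looks malformed; the front matter has `updated: 2011-10-08 18:56:37` earlier than `date: 2011-10-08 19:00:00`; and a few typos should be fixed before publishing (`moduls`, `it's own control terminal software`, `agencies's`, `also are not basis in reality`).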