A well-established group of German hackers, the Chaos Computer Club, has accused the German government of releasing a backdoor Trojan into the wild. According to Mikko Hypponen of F-Secure, the announcement was made public on the group’s website in the form of a 20-page PDF (in German).
The accompanying English-language post claims the group reverse-engineered and analyzed the program, which it calls “a ‘lawful interception’ malware program used by German police forces”.
According to the CCC, Quellen-TKÜ means “‘source wiretapping’ or lawful interception at the source” and Bundestrojaner means “federal trojan” and is “the colloquial German term for the original government malware concept.”
The group includes a screen shot purporting to show the Trojan in action.
According to the report, the CCC wrote its own remote control program that wrested control of the Trojan, which consists of a Windows DLL and a kernel driver. That allowed the group to analyze the program’s behavior and determine that it goes well beyond the ability to “observe and intercept internet based telecommunication” (in other words, wiretapping Internet-based telephony), which is allowed by German courts.
In its own analysis, F-Secure confirmed the workings of the program:
The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.
The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.
In addition, the backdoor can be remotely updated. Servers that it connects to include 220.127.116.11 and 18.104.22.168.