German Government Accused Of Spying On Citizens With Trojan

A well-established group of German hackers, the Chaos Computer Club, has accused the German government of releasing a backdoor Trojan into the wild. According to Mikko Hypponen of F-Secure, the announcement was made public on the group’s website in the form of a 20-page PDF (in German).

The accompanying English-language post claims the group reverse-engineered and analyzed the program, which it calls “a ‘lawful interception’ malware program used by German police forces”.

According to the CCC, Quellen-TKÜ means “’source wiretapping’ or lawful interception at the source” and Bundestrojaner means “federal trojan” and is “the colloquial German term for the original government malware concept.”

The group includes a screen shot purporting to show the Trojan in action.

According to the report, the CCC wrote its own remote control program that wrested control of the Trojan, which consists of a Windows DLL and a kernel driver. That allowed the group to analyze the program’s behavior and determine that it goes well beyond the ability to “observe and intercept internet based telecommunication” (in other words, wiretapping Internet-based telephony), which is allowed by German courts.

In its own analysis, F-Secure confirmed the workings of the program:

The backdoor includes a keylogger that targets certain applications. These applications include Firefox, Skype, MSN Messenger, ICQ and others.

The backdoor also contains code intended to take screenshots and record audio, including recording Skype calls.

In addition, the backdoor can be remotely updated. Servers that it connects to include 83.236.140.90 and 207.158.22.134.