Malware developers did not have even elementary security in the code, making it possible for hackers to use the virus easily, claims CCC
Computer hacking club Chaos Computer Club (CCC) has identified a computer Trojan used by German police forces to intercept communications from several messaging applications including VoIP calls.
The CCC has dubbed the Trojan ‘Bundestrojaner’ (the federal Trojan).
The CCC said said that the Trojan is designed with other capabilities as well.
"The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet," the CCC said.
On their website, the CCC said it has reverse engineered and analysed a "lawful interception" malware program used by German police forces.
The outfit said that they found it in the online world.
"It has been found in the wild and submitted to the CCC anonymously," said the CCC.
The CCC has published the extracted binary files of the government malware that was used for "Quellen-TKÜ"(the term means "source wiretapping" or lawful interception at the source), together with a report about the functionality found.
During the analysis, the CCC claimed that it wrote its own remote control software for the Trojan.
The company said that the Trojan can receive uploads of arbitrary programs from the Internet and execute them remotely. "This means, an "upgrade path" from Quellen-TKÜ to the full Bundestrojaner’s functionality is built-in right from the start. Activation of the computer’s hardware like microphone or camera can be used for room surveillance," said the CCC.
The hacking outfit also claims that the Trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court.
"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," said a CCC speaker.
"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", added the speaker.
"The security level this Trojan leaves the infected systems in is comparable to it setting all passwords to ‘1234’".