
An analysis of alleged German governmental malware

The Chaos Computer Club claims to have analyzed a rootkit used by the German government. "The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet."

An analysis of alleged German governmental malware

Posted Oct 9, 2011 16:28 UTC (Sun) by PO8 (guest, #41661)

Ouch. Do we currently have governmental malware like this running in the United States?

An analysis of alleged German governmental malware

Posted Oct 9, 2011 18:05 UTC (Sun) by ayeomans (subscriber, #1848)

Sophos' blog on this trojan states: "I'm reminded of the kerfuffle which occurred almost ten years ago when there were concerns that the FBI would ask anti-virus companies to deliberately not detect spyware that they had written - dubbed 'Magic Lantern'."

An analysis of alleged German governmental malware

Posted Oct 10, 2011 8:36 UTC (Mon) by pcampe (guest, #28223)

For sure we have something like this in Italy.

It's usually sent to the target (after a specific authorization granted by a prosecutor) as an e-mail attachment called "Querela" ("Complaint"), and this is its common name.

The news leaked as one of the targets was Luigi Bisignani (defined by PM Berlusconi as "a man a lot more powerful than me"); it seems that it intercepts the audio card, to simply bypass Skype (Bisignani used Skype a lot to avoid wiretapping).

IIRC, there was a lot of irritation between prosecutors for the leaking of this news.

An analysis of alleged German governmental malware

Posted Oct 10, 2011 17:48 UTC (Mon) by fw (subscriber, #26023)

CIPAV seems to be something in the same direction (placing software on a suspect's computer without informed consent):

http://en.wikipedia.org/wiki/Computer_and_Internet_Protoc...

An analysis of alleged German governmental malware

Posted Oct 9, 2011 18:44 UTC (Sun) by zoonoo (guest, #80519)

The best thing is the hysterical reaction of the conservative German press (FAZ) (rough translation): "The Trojan can read our minds and has the ability to remote control our computers".

http://translate.google.com/translate?sl=auto&tl=en&...

An analysis of alleged German governmental malware

Posted Oct 9, 2011 19:46 UTC (Sun) by arne (subscriber, #67053)

It's not a "hysterical reaction" of the FAZ, but an article by Frank Rieger (who is a spokesperson of the CCC). The "reading minds" thing is explained later on: everything I write can be monitored even if I don't save it. Therefore, a process of thought can be read.
(It is possible that the teaser was not written by him.)

I think that they (the FAZ) cover this topic well, even if I haven't read everything.

An analysis of alleged German governmental malware

Posted Oct 13, 2011 16:37 UTC (Thu) by gvy (guest, #11981)

FWIW, hysterical reaction is rather typical for the "democratic" press.

An analysis of alleged German governmental malware

Posted Oct 9, 2011 19:57 UTC (Sun) by copsewood (subscriber, #199)

So what is the evidence that planting and listening to this malware is the officially sanctioned work of government agencies and the German government in particular? I can imagine many other parties interested in what is occurring on other computers wanting a victim of such an attack to believe it's the government behind it.

That isn't to say no secretive government agency in a country such as Germany, UK, USA etc. would ever sanction such a thing, just that when and if they did, it's unlikely we would be able to pin it on them unless they were being very incompetent or had leaky individuals in the know.

An analysis of alleged German governmental malware

Posted Oct 9, 2011 21:00 UTC (Sun) by tpo (subscriber, #25713)

> So what is the evidence that planting and listening to this malware is
> the officially sanctioned work of government agencies

There was a lot of coverage of the issue before, including the government acknowledging that indeed they had such a program developed and also:

> [the government] had leaky individuals in the know.

I think googling around for "Bundestrojaner" will lead you to plenty of material.
*t

An analysis of alleged German governmental malware

Posted Oct 10, 2011 20:53 UTC (Mon) by utoddl (subscriber, #1232)

> I think googling around for "Bundestrojaner" will lead you to plenty of material.

...and also will leave plenty of fingerprints/tracks of your having searched for such things. You've nowhere to hide, citizen! We know what you know.

An analysis of alleged German governmental malware

Posted Oct 11, 2011 23:59 UTC (Tue) by PaulWay (✭ supporter ✭, #45600)

I'm going through NINE PROXIES!

An analysis of alleged German governmental malware

Posted Oct 10, 2011 11:50 UTC (Mon) by mb (subscriber, #50428)

> So what is the evidence that planting and listening to this malware
> is the officially sanctioned work of government agencies and the
> German government in particular ?

There were multiple independent sources for the binary. One source wrote a nice article about how the trojan supposedly was installed on their laptop.
German link: http://ijure.org/wp/archives/727
They basically claim that the trojan was installed at a customs check at the Munich airport.

An analysis of alleged German governmental malware

Posted Oct 10, 2011 18:05 UTC (Mon) by copsewood (subscriber, #199)

I've just run that article through a German to English translation program. I think if such an event occurred in the UK, an individual could demand a criminal investigation of any official or agency at an airport who carried out a modification unauthorised by the computer owner under our Computer Misuse Act. But someone making the allegation would need solid forensic evidence, e.g. by having a professional third party forensic examination both before and after the airport visit and believable evidence that no-one else and no other remote system had access to the machine during the time in question between the 2 forensic examinations.

An analysis of alleged German governmental malware

Posted Oct 11, 2011 5:58 UTC (Tue) by Felix.Braun (subscriber, #3032)

This seems to be corroborated by the Bavarian interior minister confirming that his ministry has used the malware that surfaced in 2009. Of course, every use under his jurisdiction very strictly followed the rules of procedure, which means that basic rights of suspects or innocent civilians have not been violated. So he doesn't quite understand the hubbub the media are making.

In other news, it has been reported that a regional court in Landshut (also Bavaria) has found, at least in one case, that the evidence collected by this malware was inadmissible because the police had violated the restrictions of the court order allowing its use in the first place.

Lovely...

Posted Oct 9, 2011 20:15 UTC (Sun) by nettings (subscriber, #429)

So it turns out the trojan can do pretty much anything on a system.
In addition to the authorities (who are inherently trusted not to tamper with or plant false evidence, generally), every Joe Sixpack on the net can hijack the trojan and enjoy free rein on the target machine.

Prego: Instant deniability. At least it means that the "evidence" thus gathered will have a very hard time in court. Alas, the damage to privacy has already been done at that point...

Lovely...

Posted Oct 9, 2011 20:33 UTC (Sun) by nettings (subscriber, #429)

As to holding up in court, from http://www.heise.de/security/meldung/CCC-knackt-Staatstro... (own translation):

"In late 2008, Markus Hansen of the Independent State Center for Privacy Protection Schleswig-Holstein and Dresden-based informatics professor Andreas Pfitzmann had already shown that the regulations governing online wiretapping via the so-called 'Bundestrojaner' undermine privacy. Moreover, the 'Bundestrojaner' is unable to deliver evidence that would be usable in court."

The snippet links to http://www.heise.de/newsticker/meldung/Windei-Bundestroja..., where the authors elaborate on the deniability that is implicit in any system susceptible to the 'Bundestrojaner' - if the law can get in, so can someone else...
So it seems deniability doesn't even need an incompetent remote wiretapping implementation that can be hijacked. The mere fact that they were able to install it implies that the system could have been compromised before and false evidence planted. Funny world :-D

Lovely...

Posted Oct 10, 2011 6:58 UTC (Mon) by eru (subscriber, #2753)

The Bundestrojaner evidence does not necessarily have to stand up in any court for the program to be useful. Eavesdropping may help the cops to find real-life evidence. For example, by learning about the suspect's plans for future movements, they can arrange themselves to be in the right place at the right time to observe and photograph something suspicious taking place.

Lovely...

Posted Oct 10, 2011 22:11 UTC (Mon) by njs (guest, #40338)

In the US, photographs obtained in that way would probably not stand up in court either: https://secure.wikimedia.org/wikipedia/en/wiki/Fruit_of_t...

But of course the caveats are 1) the defense would have to show that that's how the photographs were obtained, 2) Germany might be different (though I would hope they do have a similar rule!).

Lovely...

Posted Oct 10, 2011 23:26 UTC (Mon) by anselm (subscriber, #2796)

There is no »fruit of the poisoned tree« doctrine in German law similar to the one in the US. The situation is more complicated because German courts of law work differently from US courts – a fact that is lost on many people hereabouts who seem to get most of their judicial expertise from Matlock reruns.

Having said that, any evidence gleaned from unauthorised covert surveillance of telecommunications (in particular, evidence of crimes that the investigators weren't actually actively looking for in the first place) is very likely to be inadmissible in court if the defendant objects to its use, at least according to precedent from the Bundesgerichtshof (the highest German criminal court). It would be reasonable to assume that this will also apply to stuff from the »Bundestrojaner«.

Confirmation and good write-up in English

Posted Oct 11, 2011 15:04 UTC (Tue) by Curan (subscriber, #66186)

For those of you still doubting the truthfulness of the CCC's claim, or who just want to get a good overview: have a look at [0], where most of the current information is summed up in English.

[0] <http://www.dw-world.de/dw/article/0,,15449054,00.html>

An analysis of alleged German governmental malware

Posted Oct 12, 2011 2:06 UTC (Wed) by yarikoptic (subscriber, #36795)

Does it run on linux?

$> apt-cache search german trojan

seems to be empty :-/ ;-)

An analysis of alleged German governmental malware

Posted Oct 13, 2011 11:59 UTC (Thu) by Felix.Braun (subscriber, #3032)

The malware that has been found and analysed is Windows-only.

An analysis of alleged German governmental malware

Posted Oct 13, 2011 14:32 UTC (Thu) by anselm (subscriber, #2796)

At least in this instance the common »Everyone uses Windows« delusion is actually a Good Thing. It seems that for criminals who want to hide their activities from law enforcement the first thing to do is to install Linux.

An analysis of alleged German governmental malware

Posted Oct 13, 2011 16:59 UTC (Thu) by wookey (subscriber, #5501)

or BSD. Probably more effective if you really want to be out of the mainstream.

An analysis of alleged German governmental malware

Posted Oct 14, 2011 9:55 UTC (Fri) by eru (subscriber, #2753)

> It seems that for criminals who want to hide their activities from law enforcement the first thing to do is to install Linux.

I sincerely hope they don't start doing that. The last thing we want is getting Linux somehow associated with criminal activities in the mind of the public.

Copyright © 2011, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds