The European hacker club the Chaos Computer Club (CCC) has claimed to have reverse engineered a sample of the German authorities’ lawful intercept malware, Quellen-TKÜ, and found that besides eavesdropping on Skype conversations it also captures screenshots and logs keystrokes.
References to the trojan, Quellen-TKÜ, were discovered in court documents in 2007; it was designed to help German police overcome Skype encryption where an intercept warrant had been granted.
While the German government had previously endorsed the use of Quellen-TKÜ to legally wiretap internet telecommunications, the CCC’s analysis of several samples it received purportedly showed the trojan went far beyond its original remit.
The CCC’s analysis showed the trojan was built from the outset to receive uploads from the web, contains remote execution capabilities and could be used to activate attached devices such as the computer’s microphone and camera for wider surveillance than just spying on telecommunications.
“[T]he design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer,” it claimed in a statement.
Security vendor Sophos on Sunday confirmed the CCC’s findings, pointing out that the trojan can eavesdrop on conversations over Skype, MSN Messenger and Yahoo Messenger. It also confirmed that the trojan can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey, take JPEG screenshots and record Skype audio calls. Sophos labeled the trojan Troj/BckR2D2-A.
But while Sophos could confirm the capabilities described by the CCC, Sophos security analyst Graham Cluley said there was no way to confirm it was written by the German state.
“Sophos's position now is the same as it was back then. We detect all the spyware that we know about - regardless of who its author may be,” he said.
Security flaws in the trojan's setup
The CCC said it was assured by German officials in 2008 that the trojan would be hand-crafted to meet requirements for each case, that it would not have a backdoor to upgrade its capabilities or install more malware after the initial infection, and that it would go through exceptionally strict quality control.
The CCC argued that building these additional capabilities in from the outset proved the concept of a state-endorsed trojan was unworkable.
"This [discovery] refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," said a CCC spokesperson.
"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
The malware was also poorly secured, according to the CCC’s analysis of the trojan’s output. Screenshots and audio files sent to the authorities passed through a US data centre and were shoddily encrypted.
Commands from the control software to the trojan “are completely unencrypted”, which could allow unauthorised third parties to take control of the infected computer or to submit falsified information to the authorities during an investigation.
"The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'," the CCC spokesperson said.
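The weakness the CCC describes is a design one: an agent that accepts commands without any proof of who sent them cannot distinguish its operator from anyone else on the path. The following added Python model illustrates that point; it is not code from the article, from the CCC's analysis or from the trojan itself. The article gives no wire format, so the JSON message layout, the shared-key HMAC-SHA256 tag and the replay counter are assumptions of this model, and the commands and keys are constructed sample values.

```python
import hashlib
import hmac
import json
import os

# Illustrative model of an operator -> agent command channel (an assumption,
# not the real protocol). Two agent designs are compared: one that accepts
# any well-formed command, and one that requires a valid authentication tag
# and a strictly increasing sequence number.


class UnauthenticatedAgent:
    """Executes any well-formed command: sender identity is never checked."""

    def __init__(self):
        self.executed = []

    def receive(self, wire: bytes) -> bool:
        msg = json.loads(wire)
        self.executed.append(msg["cmd"])
        return True


class AuthenticatedAgent:
    """Executes a command only if its HMAC-SHA256 tag verifies under the key
    shared with the legitimate operator and its sequence number is fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.executed = []

    def receive(self, wire: bytes) -> bool:
        envelope = json.loads(wire)
        body = envelope["body"].encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison so the check itself leaks nothing.
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False  # forged or tampered command: wrong or missing key
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq:
            return False  # replayed command
        self.last_seq = msg["seq"]
        self.executed.append(msg["cmd"])
        return True


def pack(cmd: str, seq: int, key: bytes) -> bytes:
    """Build an authenticated envelope: the tag covers the serialized body."""
    body = json.dumps({"cmd": cmd, "seq": seq}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "tag": tag}).encode()


def demo() -> dict:
    """Run constructed traffic through both designs and report what each accepted."""
    operator_key = os.urandom(32)   # shared only with the legitimate operator
    third_party_key = os.urandom(32)  # anyone else on the path

    weak = UnauthenticatedAgent()
    # Without authentication, a command from anyone is indistinguishable
    # from the operator's and is executed.
    weak_accepts_stranger = weak.receive(json.dumps({"cmd": "screenshot"}).encode())

    strong = AuthenticatedAgent(operator_key)
    legit = pack("screenshot", 1, operator_key)
    accepted_legit = strong.receive(legit)
    # Same envelope again: valid tag, but stale sequence number.
    accepted_replay = strong.receive(legit)
    # Command tagged with a key the operator never issued.
    accepted_forged = strong.receive(pack("run", 2, third_party_key))
    # Legitimate envelope with the body altered after tagging.
    tampered = json.loads(legit)
    tampered["body"] = json.dumps({"cmd": "run", "seq": 2}, sort_keys=True)
    accepted_tampered = strong.receive(json.dumps(tampered).encode())
    # Next genuine command still goes through.
    accepted_next = strong.receive(pack("screenshot", 2, operator_key))

    return {
        "weak_accepts_stranger": weak_accepts_stranger,
        "legit": accepted_legit,
        "replay": accepted_replay,
        "forged": accepted_forged,
        "tampered": accepted_tampered,
        "next": accepted_next,
        "strong_executed": list(strong.executed),
    }


if __name__ == "__main__":
    print(demo())
```

The authenticated design still sends commands in the clear, so it addresses only the injection problem the CCC raises (third parties controlling the agent or planting falsified evidence), not confidentiality; in practice both would sit inside an encrypted, mutually authenticated transport.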