Hackers reverse engineer German cop trojan

Trojan goes well beyond eavesdropping on Skype conversations.

European ‘hacker club’, the Chaos Computer Club, has claimed to have reverse engineered a sample of German authorities’ lawful intercept malware, Quellen-TKÜ, and found that besides eavesdropping on Skype conversations it also captures screenshots and logs keystrokes.

References to the trojan, Quellen-TKÜ, were discovered in court documents in 2007, with the trojan designed to assist German police overcome Skype encryption where an intercept warrant had been granted.

While the German government had previously endorsed the use of the Quellen-TKÜ to legally wiretap internet telecommunications, the CCC’s analysis of several samples it received purportedly showed that the trojan went far beyond its original remit.

The CCC’s analysis showed the trojan was built from the outset to receive uploads from the web, contains remote execution capabilities and could be used to activate attached devices such as the computer’s microphone and camera for wider surveillance than just spying on telecommunications.

“[T]he design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer,” it claimed in a statement.

Security vendor Sophos on Sunday confirmed the CCC’s findings, pointing out that it can eavesdrop on conversations over Skype, MSN Messenger, and Yahoo Messenger. It also confirmed it can log keystrokes in Firefox, Opera, Internet Explorer and SeaMonkey, take JPEG screenshots and record Skype audio calls. It labeled the trojan Troj/BckR2D2-A.

But while Sophos could confirm the capabilities described by the CCC, Sophos security analyst Graham Cluley said there was no way to confirm that it was written by the German state.

“Sophos's position now is the same as it was back then. We detect all the spyware that we know about - regardless of who its author may be,” he said.

Security flaws in the trojan’s set-up:

The CCC said it was assured by German officials in 2008 that the trojan would be hand-crafted to meet requirements for each case, that it would not have a backdoor to upgrade its capabilities or install more malware after the initial infection, and that it would go through exceptionally strict quality control.

That these additional capabilities had allegedly been built in from the outset proved, the CCC argued, that the concept of a state-endorsed trojan was unworkable.

"This [discovery] refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," said a CCC spokesperson.

"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

The malware was also poorly secured, according to the CCC’s analysis of the trojan’s output. Screenshots and audio files were sent to the authorities after passing through a US data centre, and were shoddily encrypted.

Commands from the control software to the trojan “are completely unencrypted”, which could allow unauthorised third parties to take control of the infected computer or to submit falsified information to the authorities during an investigation.

"The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'," the CCC spokesperson said.

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place