

German Chaos Computer Club analyzes and releases government malware - venti
http://www.ccc.de/en/updates/2011/staatstrojaner
From the press release: "The largest European hacker club, "Chaos Computer Club" (CCC), has reverse engineered and analyzed a "lawful interception" malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet."
======
scrrr
And it's things like that that will make even more people vote for the Pirate
Party.

Luckily the German public is by and large opposed to surveillance (for
historical reasons).

~~~
rickmb
Opposed for historical reasons?

The fact is that the citizens of Germany, and most other Western nations
formerly known as the "free world", are today under more intense surveillance
than the Stasi could have ever dreamed of. The German public in general is
just mildly less apathetic about this than the rest of us.

The only thing that makes a real difference in Germany is the constitutional
court, which appears to suffer less from political influences than the highest
courts in most other nations, and actually takes its task of protecting
citizens' constitutional rights very seriously.

~~~
Nitramp
> [western world citizens] are today under more intense surveillance than the
> Stasi could have ever dreamed of [...]

I keep hearing that, and I'm sorry, but it's pure sensationalist bullshit.

At the end, the Stasi employed one secret informer per ~90 citizens (!), and
one official employee per ~180 citizens. That was the (proportionally) biggest
secret service that ever existed. The Stasi kept tabs on more or less anything
happening in the Eastern German society, down to what individual people had
for lunch, and had infiltrated every organisation within its reach.

I can understand disagreement with things like this Bundestrojaner. But
spouting ridiculous, sensationalist comparisons like these only harms a
legitimate issue by painting its adherents as raving zealots.

~~~
fl3tch
Advertising companies know everything you do online. They have "behavioral
profiles" far more detailed than anything the Stasi had. We are in fact under
much more surveillance, but the problem is not the government.

~~~
msy
Oh please, the advertising profiles I've seen are only a half-notch above pure
entropy. They're about as accurate as the kind of rubbish you see from
sentiment analysis on tweets.

------
mikkohypponen
Our take on this case: <http://www.f-secure.com/weblog/archives/00002249.html>

Also, we decided to detect it.

~~~
stfu
> Also, we decided to detect it.

How generous...

~~~
mcantelon
The ability of commercial anti-virus vendors to decide what end users are
protected against is a good argument for open source anti-virus that
crowdsources detection patterns.

~~~
stfu
This is a very good point. I have always been a bit sceptical of the
anti-virus companies. The market looks a bit odd to me - different from many
other software markets. A lot of regional market domination. Norton in the US,
Kaspersky in the RU or ANTIVIR in GER. Looks almost like certain nations
prefer having their "own" anti-virus company structures in place.

Are there any serious anti-virus open source alternatives available?

~~~
keeperofdakeys
There is ClamAV, although I don't know if it supports on-access scanning these
days (it always used to be manual scanning). I also don't know how the
definitions are sourced.
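
To make the "detection patterns" and "definitions" discussed in this thread concrete, here is an added example (not ClamAV's code, and not part of the original thread) of how a scanner consumes a hash-signature database. It assumes the `hash:filesize:name` line format of ClamAV's `.hdb` files with MD5 hashes and `*` meaning "any size"; the sample file and the signature entries are constructed inline so it runs offline. It also shows the main limitation of hash definitions, which matters when patterns are crowdsourced: a single changed byte in the sample defeats the match.

```python
"""Minimal hash-signature scanner in the style of a ClamAV .hdb database.

Added example, not ClamAV's own code. Assumptions: each signature line is
"hash:filesize:name" with an MD5 hash (ClamAV .hdb format); a filesize of "*"
matches any length. Samples and signatures below are constructed for this
example only.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class HashSig:
    digest: str            # lowercase hex MD5 of the whole file
    size: Optional[int]    # None means any size ("*" in the database)
    name: str              # detection name reported on a match


def parse_hdb(text: str) -> List[HashSig]:
    """Parse hdb-style lines; blank lines and '#' comments are skipped.

    Malformed entries raise ValueError rather than being silently ignored, so a
    bad contribution to a shared definitions file is noticed at load time.
    """
    sigs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected hash:size:name, got {raw!r}")
        digest, size, name = parts
        digest = digest.lower()
        if len(digest) != 32 or not set(digest) <= HEX:
            raise ValueError(f"line {lineno}: not a 32-hex-digit MD5: {digest!r}")
        if size != "*" and not size.isdigit():
            raise ValueError(f"line {lineno}: size must be a number or '*': {size!r}")
        sigs.append(HashSig(digest, None if size == "*" else int(size), name))
    return sigs


def scan(data: bytes, sigs: List[HashSig]) -> Optional[str]:
    """Return the detection name of the first matching signature, else None."""
    digest = hashlib.md5(data).hexdigest()
    for sig in sigs:
        if sig.digest == digest and (sig.size is None or sig.size == len(data)):
            return sig.name
    return None


# Constructed sample "binary" (not a real executable) and a constructed database.
SAMPLE = b"MZ\x90\x00constructed-sample-not-a-real-binary"
SIG_DB = "\n".join([
    "# constructed hdb-style entries for this example",
    f"{hashlib.md5(SAMPLE).hexdigest()}:{len(SAMPLE)}:Constructed.Trojan.Sample",
    # MD5 of the empty file, any size accepted ("*")
    "d41c8cd98f00b204e9800998ecf8427e".replace("d41c", "d41d") + ":*:Constructed.EmptyFile",
])


if __name__ == "__main__":
    sigs = parse_hdb(SIG_DB)
    print("loaded", len(sigs), "signatures")
    print("original sample:", scan(SAMPLE, sigs))          # Constructed.Trojan.Sample
    print("one byte appended:", scan(SAMPLE + b"\x00", sigs))  # None: hash sigs are brittle
```

The brittleness shown in the last line is why a definitions feed, crowdsourced or not, needs a steady stream of fresh samples and a way to reject malformed or malicious contributions at load time; the parser here fails loudly on anything that is not a well-formed entry.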

------
mrich
Quality analysis by the CCC. I'm glad we have such an organization in Germany.

------
eis
I wonder how they were able to make sure that it's the German government
behind this. I've read the whole analysis but nothing really hinted at it.

Binaries not signed + no knowledge of how the infection is done + server in
the USA which they said they didn't penetrate to look what's behind it.

I'm not doubting them, it would just be very interesting.

~~~
DasIch
The first paragraph:

> Dem Chaos Computer Club (CCC) wurde Schadsoftware zugespielt, deren Besitzer
> begründeten Anlaß zu der Vermutung hatten, daß es sich möglicherweise um einen
> „Bundestrojaner“ handeln könnte. Einen dieser Trojaner und dessen Funktionen
> beschreibt dieses Dokument, die anderen Versionen werden teilweise
> vergleichend hinzugezogen.

Translates to:

> The Chaos Computer Club (CCC) received malware whose owners had reason to
> believe that it could possibly be the "Federal Trojan". One of these and its
> functions are described by this document; other versions have been used for
> comparisons.

I guess they won't publish any more information to protect their sources.

~~~
eis
Yeah. So they got it from people who _believe_ it _might_ be the federal
trojan. No proof.

I'm not saying it's unlikely to be the federal trojan, but if they had real
proof, that would be so much bigger and could really damage the surveillance
efforts.

~~~
raphman
_We have no reason to suspect CCC's findings, but we can't confirm that this
trojan was written by the German government. As far as we see, the only party
that could confirm that would be the German government itself._ [1]

I guess they are right. However, the features implemented in this trojan horse
(Skype wiretapping, taking screenshots, keylogging, etc.) certainly look like
it is to be used for general wiretapping/espionage. Additionally, CCC has
obtained copies/variants(?) from several sources. I guess these were found on
computers of people who have reasons to suspect the German police is spying on
them. Overall, I assume that all other explanations for the existence of this
software are significantly less likely than it being a police wiretapping
rootkit.

__Edit:__ FAZ (German) writes that the software was found on several
hard drives that were connected to a certain police investigation. The software
had been deleted from the disks but could be recovered [2]. I guess that these
disks were confiscated based on search warrants and later returned to their
owners. This makes me believe that the analyzed software is indeed the German
police's _Bundestrojaner_.

[1] <http://www.f-secure.com/weblog/archives/00002249.html>

[2] <http://www.faz.net/aktuell/chaos-computer-club-der-deutsche-staatstrojaner-wurde-geknackt-11486538.html>

~~~
raphman
In the meantime, several federal states have admitted to using this software.
The software analyzed by the CCC had evidently been used by the Bavarian
police.

------
xerxes2001
So much win. I am really thankful that the CCC has such a strong standing in
Germany. I am looking forward to the news tomorrow :)

~~~
FrojoS
No reason to wait, it's already the FAZ top story [1]. Same with Die Zeit
[2]. Interestingly Der Spiegel has apparently not picked up the story yet.

[1] <http://www.faz.net/aktuell/chaos-computer-club-der-deutsche-staatstrojaner-wurde-geknackt-11486538.html>

[2]

~~~
perlgeek
Der Spiegel has now picked it up [1], but of course some people driving around
in circles are more important, so it's not in the top spot on the front page
:-)

[1] <http://www.spiegel.de/netzwelt/netzpolitik/0,1518,790756,00.html>

------
raphman
The chancellor's press secretary denies that this malware is the
_Bundestrojaner_, claiming that it has never been used by the BKA, the
federal crime investigation department [1].

From the wording of the tweet I assume that instead some LKA (crime
investigation departments on the state level) had been using the malware.

[1] <http://twitter.com/#!/RegSprecher/status/123056930888491008>

------
DasIch
The press release and the analysis are unfortunately poorly written and make
it appear as if a couple of overeager teenagers wrote this, although their
conclusion is accurate given the information given in the analysis.

Releasing the binaries alone to back up such a statement might be good enough
for the hacker community but if you want to persuade the public you need to be
more professional in your choice of words.

Even though this is a great achievement and I hope that this will have
significant impact.

~~~
Nitramp
This is the CCC, they always speak like that. I guess the media is by now used
to the tone of voice.

------
Uchikoma
German newspaper, clueless as ever, shows a MacBook

<http://www.faz.net/polopoly_fs/1.1486520.1318104289!/image/3251345485.jpg_gen/derivatives/default/3251345485.jpg>

~~~
eitland
Screenshot seems to be from a Mac but I wouldn't suppose a trojan to have a
"client side" gui : )

~~~
Uchikoma
My point was, the trojan is for Windows.

------
hukl
F-Secure will detect the malware according to their blog post:
<http://www.f-secure.com/weblog/archives/00002249.html>

~~~
kstenerud
The wording of their "backdoor policy" is ambiguous:

<http://www.f-secure.com/virus-info/bdtp.shtml>

"F-Secure Corporation would like to make known that we will not leave such
backdoors to our F-Secure Anti-Virus products, regardless of the source of
such tools. We have to draw a line with every sample we get regarding whether
to detect it or not. This decision-making is influenced only by technical
factors, and nothing else, but within the applicable laws and regulations, in
our case meaning EU laws."

So they won't leave explicit backdoors in their software, but their decision
on whether or not to detect a particular malware is influenced by EU law.

~~~
wnight
What about, then, when EU law requires them to leave an explicit backdoor?

Transparency is a top priority, otherwise we're approaching a high-tech East
Germany. The group I least trust snooping on the world is the government (ie,
above the law).

------
adulau
The title is a bit misleading. It seems this is not governmental malware
to install on each citizen's PC. It's more a piece of software installed on
request by a judge for specific criminal cases. Looking a bit in IDA, the
software is quite versatile and doesn't use any obfuscation techniques
regularly seen in other malware. I suppose this is more and more used by the
police because of the use of encryption on consumer products like Skype and
other communication tools.

------
biafra
This might be considered proof that the found program was indeed used by the
LKA Bayern.

<http://ijure.org/wp/archives/727> (in German)

------
Joeboy
Probably a stupid question, but does this target Windows?

~~~
Luyt
Yes. And why? Probably because the majority of the personal computers of
German citizens use Windows as their operating system.

~~~
sunchild
So, if you are in the 10% of Mac users, you are of no interest to the
authorities? Quite pragmatic, I suppose.

------
kahawe
There is one more detail hinting that this could indeed be the
"Bundestrojaner". faz[1] cites a leaked offer from a German company to the
authorities that, according to faz, contains exactly the characteristics found
by the CCC. Even renting an "intermediate" communications server in the USA is
mentioned.

The especially striking thing about this trojan is the functionality to load
additional modules and go far, far beyond simple wiretapping of (otherwise
encrypted) communications (at the source) - which was the only thing that was
actually approved (and the reason for this software in the first place), and it
was stated clearly that the software must NOT go beyond wiretapping and
technical precautions have to be taken to prevent the software from doing
anything else.

Furthermore CCC's analysis showed that the part of loading additional code was
actually hidden, obfuscated and spread out amongst the machine code - whereas
the rest of the code was very straight forward, no obfuscations. So clearly
whoever developed that thing was very aware of how illegal and unlawful that
functionality is.

[1] (in German) <http://www.faz.net/aktuell/feuilleton/ein-amtlicher-trojaner-anatomie-eines-digitalen-ungeziefers-11486473.html>

------
canistr
I think it's also possible that some of those safeguard provisions were left
out of the software so that in case the malware was detected, it could have
been attributed to standard hacker groups as opposed to German government
organizations who play within a specific set of rules and regulations.
Obviously, this plan failed and it has been identified as government-sponsored
malware.

~~~
DasIch
A standard hacker group would have working safeguards in order to remain in
control. Nobody wants his carefully created botnet taken over by someone else.

~~~
canistr
Obviously each group would try, but that doesn't guarantee perfect success
every time. After all, if every botnet were perfect, then they would never be
discovered by researchers and taken down by authorities.

~~~
DasIch
There is a significant difference between identification of a botnet and
listening into communication, controlling it or even taking it down.

Especially the latter can be impossible to do legally if you don't manage to
shut down whoever is controlling it.

In any case this doesn't matter because the government would have to put these
safeguards in place. They cannot not implement them simply because someone
might suspect the government behind it if it is detected.

------
mrpixel
This is all a steaming pile of horseshit. It won't pass proper journalism.

------
Knack
Unfortunately, it is, it was and it will always be necessary to spy on people
who are suspected of committing a crime. Proper surveillance has saved
uncountable lives.

Years ago, police were using cameras and directional microphones. But as
technology evolves, the methods to prevent crime have to evolve as well. To
not allow the police to use the same technology as the criminals would
actually endanger the stability of society. If you don't agree, have a look at
what happened and happens in Africa all the time as an extreme example of what
happens if mankind lives without proper regulations.

The key point that needs to be discussed is not whether this kind of
technology should be used, it's how and who is allowed to use it. Countries
need a proper separation of powers. And the use of surveillance should only
under any circumstances be approved by the independent jurisdiction.

Personally, if you can get one pedophile or terrorist I wouldn't care if the
whole police of Germany would share my Jenna Jameson collection.

~~~
Confusion
> Proper surveillance has saved uncountable lives.

I hate to do this, but: citation needed. All the cameras in London have done
nothing to reduce crime or increase the amount of crimes solved.

~~~
anon1385
I hate to do this, but I downvoted you because you demand evidence for one
sweeping generalisation, and then proceed in the very next sentence to make a
broad sweeping generalisation without providing any evidence.

I'm not saying I disagree with you, but if you are going to be confrontational
then at least try not to be so blatantly hypocritical.

~~~
Confusion
Well, I thought that fact was well known. It has been extensively covered by
the media. [1][2][3]

[1] <http://www.schneier.com/blog/archives/2008/05/londons_cameras_1.html>

[2] <http://articles.cnn.com/2010-02-25/opinion/schneier.security.cameras_1_cameras-cctv-footage-police-officer?_s=PM:OPINION>

[3] <http://www.google.nl/search?q=london+cameras+reduce+crime>

~~~
anon1385
_Well, I thought that fact was well known._

"Well known" facts are usually anything but, and no doubt the original poster
also thought that "Proper surveillance has saved uncountable lives" was also a
well known fact.

Those are pretty poor citations (CNN or Bruce Schneier's personal blog are
hardly reliable resources for criminology research). Most of it seems to be
based on the statements of a single police officer. Schneier cites him as an
authority when he agrees with him, but ignores him when he says things
Schneier doesn't like. For example:

_More training was needed for officers, [Detective Chief Inspector Mick
Neville] said. Often they do not want to find CCTV images "because it's hard
work"_

Whereas Schneier states:

_The solution isn't for police to watch the cameras more diligently_

It's worth noting that this officer seems to be trying to get support for
increased funding for his department, so his remarks need to be taken in that
context.

As I said before I don't disagree with you that CCTV is probably a waste of
money, but that it has done "nothing" to decrease or help solve crimes is not
what studies have found. There also seems to be a large geographical/cultural
factor.

<http://ann.sagepub.com/content/587/1/110.short>

 _Effects of Closed-Circuit Television on Crime_

 _This article reports on the findings of a systematic review--incorporating
meta-analytic techniques--of the available research evidence on the effects of
closed-circuit television (CCTV) on crime in public space. A number of
targeted and comprehensive searches of the published and unpublished
literature and contacts with leading researchers produced twenty-two CCTV
evaluations that met our criteria for inclusion in this review. CCTV had a
significant desirable effect on crime, although the overall reduction in crime
was a rather small 4 percent. All nine studies showing evidence of a desirable
effect of CCTV on crime were carried out in the United Kingdom. Conversely,
the other nine studies showing no evidence of any desirable effect of CCTV on
crime included all five North American studies. CCTV was most effective in
reducing crime in car parks. It had no effect on violent crimes but had a
significant desirable effect on vehicle crimes._

Crime reduction is also not the only possible effect of CCTV:
<http://eab.sagepub.com/content/41/1/60.abstract>

_The Eye of the Camera Effects of Security Cameras on Prosocial Behavior_

 _This study addresses the effects of security cameras on prosocial behavior.
Results from previous studies indicate that the presence of others can trigger
helping behavior, arising from the need for approval of others. Extending
these findings, the authors propose that security cameras can likewise trigger
such approval-seeking behaviors by implying the presence of a watchful eye.
Because people vary in the extent to which they strive for others' approval,
it was expected that the effects of security cameras on prosocial behavior
vary with participants' need for approval. To test these predictions, an
experimental study was conducted with “presence of security camera” and “need
for approval” as independent variables. Results showed that participants
indeed offered more help in the presence of a security camera but only to the
extent that this helping involved public or observable behavior. As expected,
this effect was more pronounced for individuals high in need for approval.
Practical implications and suggestions for future research are discussed._

Now of course there is a question about whether we _should_ be trying to
manipulate people in these ways, and whether it is worth it given the costs
(reduction in freedom, financial, potential for abuse etc), but I don't think
we can have that debate unless we at least attempt to find out what the
impacts on crime are (rather than just cherry picking like Schneier does). You
can make the argument that the impact on crime is irrelevant; the cost of
reduced freedom is just too great. That's a fine argument, but some people
seem reluctant to actually make it, instead hiding behind vague and
unsubstantiated arguments about crime rates (crime statistics are notoriously
unreliable and open to manipulation).

Anyway, we are getting waaaaay off-topic here.

