German Chaos Computer Club analyzes and releases government malware (ccc.de)
360 points by venti on Oct 8, 2011 | 65 comments

And it's things like that that will make even more people vote the Pirate Party.

Luckily the German public is by and large opposed to surveillance. (for historical reasons)

Opposed for historical reasons?

The fact is that the citizens of Germany, and of most other Western nations formerly known as the "free world", are today under more intense surveillance than the Stasi could have ever dreamed of. The German public in general is just mildly less apathetic about this than the rest of us.

The only thing that makes a real difference in Germany is the constitutional court, which appears to suffer less from political influences than the highest courts in most other nations, and actually takes its task of protecting citizens' constitutional rights very seriously.

> [western world citizens] are today under more intense surveillance than the Stasi could have ever dreamed of [...]

I keep hearing that, and I'm sorry, but it's pure sensationalist bullshit.

At the end, the Stasi employed one secret informer per ~90 citizens (!), and one official employee per ~180 citizens. That was the (proportionally) biggest secret service that ever existed. The Stasi kept tabs on more or less anything happening in the Eastern German society, down to what individual people had for lunch, and had infiltrated every organisation within its reach.

I can understand disagreement with things like this Bundestrojaner. But spouting ridiculous, sensationalist comparisons like these only harms a legitimate issue by painting its adherents as raving zealots.

I think part of this is because nowadays it requires far fewer people to keep track of the population than it did back then.

Just mining Facebook and twitter will tell you what lots of people had for lunch...

Advertising companies know everything you do online. They have "behavioral profiles" far more detailed than anything the Stasi had. We are in fact under much more surveillance, but the problem is not the government.

Oh please, the advertising profiles I've seen are only a half-notch above pure entropy. They're about as accurate as the kind of rubbish you see from sentiment analysis on tweets.

I think there's a large difference between political and business surveillance. The Stasi were used to monitor and control political thought, whereas Facebook just wants to make money off of me. What scares me is that a malevolent government could use their privately collected information in service of political suppression; they already do it for law enforcement and military purposes.

I don't fully agree with you about the political influences, at least not in Europe. Most of the high constitutional courts tend to side with privacy and the protection of it and of the citizens most of the time (at least in several cases I've seen in Spain, France, the Netherlands and Germany). The big issue is that nowadays our governments are much better at hiding how much spying they do; most of the crazy abuses are never ever challenged in court because nobody ever bothers or notices.

Especially with the relatively good European laws on the matter, most stuff like this would lose in court, but it never gets to that point because 1 - a lot of people don't want to spend the time and effort to push it to that point, 2 - with modern spying being so well hidden, people don't even notice their rights are being abused, so what would they sue for?

The latest surveys show the Pirate Party at about 8%, while the FDP (the smaller one of the governing parties, which got 14.6% in the state elections in 2011) is at 3%.


However I don't really think that the German public is strongly opposed to surveillance, especially since the media tried making a big deal out of the few incidences where some assholes decided to beat up people on the Munich and Berlin subways lately.

The latest survey by Emnid released today shows 9% for Piratenpartei (PIRATEN):


Opposed? You might live in a different Germany than I do. The German public is mostly law and order.

Exactly. From where I'm standing it looks like "the public" is nothing short of obsessive when it comes to compliance with rules. Any rules.

Our take on this case: http://www.f-secure.com/weblog/archives/00002249.html

Also, we decided to detect it.

> Also, we decided to detect it.

How generous...

The ability of commercial anti-virus vendors to decide what end users are protected against is a good argument for open source anti-virus that crowdsources detection patterns.

This is a very good point. I have always been a bit sceptical of the anti-virus companies. The market looks a bit odd to me - different from many other software markets. A lot of regional market domination: Norton in the US, Kaspersky in Russia or ANTIVIR in Germany. Looks almost like certain nations prefer having their "own" anti-virus company structures in place.

Are there any serious anti-virus open source alternatives available?

There is ClamAV, although I don't know if it supports on-access scanning these days (it always used to be manual scanning). I also don't know how the definitions are sourced.

New rule: get your AV solution from a country other than your own. That should cover most of those cases.

Unfortunately, as time goes on this might not be as free a decision. The right of law enforcement to breach our computers for the 'good of the public' will probably only get worse.

It's already there for many unsuspecting users. You have to root your iPhone to begin to investigate what might be spying, let alone stopping it, and Apple is doing their best to make the phone unrootable. Soon it won't be (practically) possible.

And not just Apple, they're just one of the first with effective lock-in, and market-share.

Soon having programming/debugging tools could be ample evidence of intent to criminally (the only way) access a computing device.

Quality analysis by the CCC. I'm glad we have such an organization in Germany.

I wonder how they were able to make sure that it's the German government behind this. I've read the whole analysis but nothing really hinted at it.

Binaries not signed + no knowledge of how the infection is done + server in the USA which they said they didn't penetrate to look what's behind it.

I'm not doubting them, it would just be very interesting.

The first paragraph:

> Dem Chaos Computer Club (CCC) wurde Schadsoftware zugespielt, deren Besitzer begründeten Anlaß zu der Vermutung hatten, daß es sich möglicherweise um einen „Bundestrojaner“ handeln könnte. Einen dieser Trojaner und dessen Funktionen beschreibt dieses Dokument, die anderen Versionen werden teilweise vergleichend hinzugezogen.

Translates to:

> The Chaos Computer Club (CCC) received malware whose owners had reason to believe that it could possibly be the "Federal Trojan". One of these and its functions is described by this document; other versions have been used for comparisons.

I guess they won't publish any more information to protect their sources.

Yeah. So they got it from people who believe it might be the federal trojan. No proof.

I'm not saying it's unlikely to be the federal trojan, but if they had real proof, that would be so much bigger and could really damage the surveillance efforts.

We have no reason to suspect CCC's findings, but we can't confirm that this trojan was written by the German government. As far as we see, the only party that could confirm that would be the German government itself. [1]

I guess they are right. However, the features implemented in this trojan horse (Skype wiretapping, taking screenshots, keylogging, etc.) certainly look like it is to be used for general wiretapping/espionage. Additionally, CCC has obtained copies/variants(?) from several sources. I guess these were found on computers of people who have reasons to suspect the German police is spying on them. Overall, I assume that all other explanations for the existence of this software are significantly less likely than it being a police wiretapping rootkit.

Edit: FAZ (German) writes that the software was found on several harddrives that were connected to a certain police investigation. The software had been deleted from the disks but could be recovered [2]. I guess that these disks were confiscated based on search warrants and later returned to their owners. This makes me believe that the analyzed software is indeed the German police's Bundestrojaner.

[1] http://www.f-secure.com/weblog/archives/00002249.html

[2] http://www.faz.net/aktuell/chaos-computer-club-der-deutsche-...

In the meantime, several federal states have admitted to using this software. The software analyzed by the CCC had evidently been used by the Bavarian police.

Hilarious, using forensics tools to recover snooping and forensics tools.

There was a big public discussion about the government trojan in Germany. The government also has to report how often it is used. So you can be sure that's the work of some government part.

I can't follow your logic. I know about the discussion and the statistic reports, but how does that prove that this every-day trojan actually is controlled by the government?

So much win. I am really thankful that the CCC has such a strong standing in Germany. I am looking forward to the news tomorrow :)

No reason to wait, it's already the FAZ top story [1]. Same with Die Zeit [2]. Interestingly, Der Spiegel has apparently not picked up the story yet.

[1] http://www.faz.net/aktuell/chaos-computer-club-der-deutsche-... [2]

Der Spiegel has now picked it up [1], but of course some people driving around in circles are more important, so it's not in the top spot on the front page :-)

[1] http://www.spiegel.de/netzwelt/netzpolitik/0,1518,790756,00....

The chancellor's press secretary denies that this malware is the Bundestrojaner, claiming that it has never been used by the BKA, the federal crime investigation department [1].

From the wording of the tweet I assume that instead some LKA (crime investigation departments on the state level) had been using the malware.

[1] http://twitter.com/#!/RegSprecher/status/123056930888491008

The press release and the analysis are unfortunately poorly written and make it appear as if a couple of overeager teenagers wrote this, although their conclusion is accurate given the information given in the analysis.

Releasing the binaries alone to back up such a statement might be good enough for the hacker community but if you want to persuade the public you need to be more professional in your choice of words.

Even though this is a great achievement and I hope that this will have significant impact.

This is the CCC, they always speak like that. I guess the media is by now used to the tone of voice.

German newspaper, clueless as ever, shows a MacBook


Screenshot seems to be from a Mac, but I wouldn't suppose a trojan to have a "client side" GUI : )

My point was, the trojan is for Windows.

F-Secure will detect the malware according to their blog post: http://www.f-secure.com/weblog/archives/00002249.html

The wording of their "backdoor policy" is ambiguous:

> "F-Secure Corporation would like to make known that we will not leave such backdoors to our F-Secure Anti-Virus products, regardless of the source of such tools. We have to draw a line with every sample we get regarding whether to detect it or not. This decision-making is influenced only by technical factors, and nothing else, but within the applicable laws and regulations, in our case meaning EU laws."

So they won't leave explicit backdoors in their software, but their decision on whether or not to detect a particular malware is influenced by EU law.

What about, then, when EU law requires them to leave an explicit backdoor?

Transparency is a top priority, otherwise we're approaching a high-tech East Germany. The group I least trust snooping on the world is the government (ie, above the law).

The title is a bit misleading. It seems this is not a governmental malware to install on each citizen's PC. It's more a software installed on request by a judge for specific criminal cases. Looking a bit in IDA, the software is quite versatile and doesn't use any obfuscation techniques regularly seen in other malware. I suppose this is more and more used by the police because of the use of encryption on consumer products like Skype and other communication tools.

This might be considered proof that the found program was indeed used by the LKA Bayern.

http://ijure.org/wp/archives/727 (in German)

Probably a stupid question, but does this target Windows?

Yes, the malware described in the CCC's document is a Windows DLL file.

Yes. And why? Probably because the majority of the personal computers of German citizens use Windows as their operating system.

So, if you are in the 10% of Mac users, you are of no interest to the authorities? Quite pragmatic, I suppose.

It targets Win32.

This is actually important to note: the software depends on an unsigned 32 bit kernel module. If it were 64 bit, it would have to be signed to function, so this particular piece of malware will only work on Windows 32.

That said, there might be Bundestrojaners for 64-bit Windows. Or even entirely different operating systems.

There is one more detail hinting that this could indeed be the "Bundestrojaner". faz[1] cites a leaked offer from a German company to the authorities that, according to faz, contains exactly the characteristics found by the CCC. Even renting an "intermediate" communications server in the USA is mentioned.

The especially striking thing about this trojan is the functionality to load additional modules and go far, far beyond simple wire tapping of (otherwise encrypted) communications (at the source). That was the only thing that was actually approved (and the reason for this software in the first place), and it was stated clearly that the software must NOT go beyond wire tapping and that technical precautions have to be taken to prevent the software from doing anything else.

Furthermore, CCC's analysis showed that the part for loading additional code was actually hidden, obfuscated and spread out amongst the machine code - whereas the rest of the code was very straightforward, with no obfuscation. So clearly whoever developed that thing was very aware of how illegal and unlawful that functionality is.

[1] (in German) http://www.faz.net/aktuell/feuilleton/ein-amtlicher-trojaner...

I think it's also possible that some of those safeguard provisions were left out of the software so that in case the malware was detected, it could have been attributed to standard hacker groups as opposed to German government organizations who play within a specific set of rules and regulations. Obviously, this plan failed and it has been identified as government-sponsored malware.

A standard hacker group would have working safeguards in order to remain in control. Nobody wants his carefully created botnet taken over by someone else.

Obviously each group would try, but that doesn't guarantee perfect success every time. After all, if every botnet were perfect, then they would never be discovered by researchers and taken down by authorities.

There is a significant difference between identification of a botnet and listening into communication, controlling it or even taking it down.

Especially the latter can be impossible to do legally if you don't manage to shut down whoever is controlling it.

In any case this doesn't matter, because the government would have to put these safeguards in place. They cannot not implement them simply because someone might suspect the government behind it if it is detected.

> After all, if every botnet were perfect, then they would never be discovered by researchers and taken down by authorities.

They rarely are.

This is all a steaming pile of horseshit. It won't pass proper journalism.

Unfortunately, it is, it was and it will always be necessary to spy on people who are suspicious of committing a crime. Proper surveillance has saved uncountable lives.

Years ago, police were using cameras and directional microphones. But as technology evolves, the methods to prevent crime have to evolve as well. Not allowing the police to use the same technology as the criminals would actually endanger the stability of society. If you don't agree, have a look at what happened and happens in Africa all the time as an extreme example of what happens if mankind lives without proper regulations.

The key point that needs to be discussed is not whether this kind of technology should be used, it's how and who is allowed to use it. Countries need a proper separation of powers. And the use of surveillance should only under any circumstances be approved by the independent jurisdiction.

Personally, if you can get one pedophile or terrorist I wouldn't care if the whole police of Germany would share my Jenna Jameson collection.

> Personally, if you can get one pedophile or terrorist I wouldn't care if the whole police of Germany would share my Jenna Jameson collection.

In Germany we call this line of "argument" the "Kinderpornokeule" (which roughly translates to "Child Porn Cudgel"). I'm sick and tired of people using it, in addition to - excuse my language - retarded assertions about surveillance and law enforcement, completely unrelated bullshit that's somehow supposed to prove a nonexistent point (Africa? Seriously?) and loads and loads of FUD to make sure nobody can disagree.

To make my point a bit clearer: No amount of "but think of the children", "we need to catch the terrorists" and FUD bullshit bingo will get me to relinquish essential liberties that generations of people fought hard to obtain.

> Proper surveillance has saved uncountable lives.

I hate to do this, but: citation needed. All the cameras in London have done nothing to reduce crime or increase the amount of crimes solved.

I hate to do this, but I downvoted you because you demand evidence for one sweeping generalisation, and then proceed in the very next sentence to make a broad sweeping generalisation without providing any evidence.

I'm not saying I disagree with you, but if you are going to be confrontational then at least try not to be so blatantly hypocritical.

Well, I thought that fact was well known.

"Well known" facts are usually anything but, and no doubt the original poster also thought that "Proper surveillance has saved uncountable lives" was also a well known fact.

Those are pretty poor citations (CNN or Bruce Schneier's personal blog are hardly reliable resources for criminology research). Most of it seems to be based on the statements of a single police officer. Schneier cites him as an authority when he agrees with him, but ignores him when he says things Schneier doesn't like. For example:

> More training was needed for officers, [Detective Chief Inspector Mick Neville] said. Often they do not want to find CCTV images "because it's hard work"

Whereas Schneier states:

> The solution isn't for police to watch the cameras more diligently

It's worth noting that this officer seems to be trying to get support for increased funding for his department, so his remarks need to be taken in that context.

As I said before I don't disagree with you that CCTV is probably a waste of money, but that it has done "nothing" to decrease or help solve crimes is not what studies have found. There also seems to be a large geographical/cultural factor.


Effects of Closed-Circuit Television on Crime

This article reports on the findings of a systematic review--incorporating meta-analytic techniques--of the available research evidence on the effects of closed-circuit television (CCTV) on crime in public space. A number of targeted and comprehensive searches of the published and unpublished literature and contacts with leading researchers produced twenty-two CCTV evaluations that met our criteria for inclusion in this review. CCTV had a significant desirable effect on crime, although the overall reduction in crime was a rather small 4 percent. All nine studies showing evidence of a desirable effect of CCTV on crime were carried out in the United Kingdom. Conversely, the other nine studies showing no evidence of any desirable effect of CCTV on crime included all five North American studies. CCTV was most effective in reducing crime in car parks. It had no effect on violent crimes but had a significant desirable effect on vehicle crimes.

Crime reduction is also not the only possible effect of CCTV: http://eab.sagepub.com/content/41/1/60.abstract

The Eye of the Camera Effects of Security Cameras on Prosocial Behavior

This study addresses the effects of security cameras on prosocial behavior. Results from previous studies indicate that the presence of others can trigger helping behavior, arising from the need for approval of others. Extending these findings, the authors propose that security cameras can likewise trigger such approval-seeking behaviors by implying the presence of a watchful eye. Because people vary in the extent to which they strive for others' approval, it was expected that the effects of security cameras on prosocial behavior vary with participants' need for approval. To test these predictions, an experimental study was conducted with “presence of security camera” and “need for approval” as independent variables. Results showed that participants indeed offered more help in the presence of a security camera but only to the extent that this helping involved public or observable behavior. As expected, this effect was more pronounced for individuals high in need for approval. Practical implications and suggestions for future research are discussed.

Now of course there is a question about whether we should be trying to manipulate people in these ways, and whether it is worth it given the costs (reduction in freedom, financial, potential for abuse etc), but I don't think we can have that debate unless we at least attempt to find out what the impacts on crime are (rather than just cherry picking like Schneier does). You can make the argument that the impact on crime is irrelevant; the cost of reduced freedom is just too great. That's a fine argument, but some people seem reluctant to actually make it, instead hiding behind vague and unsubstantiated arguments about crime rates (crime statistics are notoriously unreliable and open to manipulation).

Anyway, we are getting waaaaay off-topic here.

> Personally, if you can get one pedophile or terrorist I wouldn't care if the whole police of Germany would share my Jenna Jameson collection.

But what else are you willing to sacrifice to allow that? If you placed everyone under permanent house arrest you'd eliminate almost all crime. So why not do that?

Even the CCC agrees that wiretapping is necessary for catching criminals. They actually warned the police about the upcoming disclosure so that running investigations would not be jeopardized.

The issue here is that this malware obviously exceeds the limits that the German Federal Constitutional Court explicitly set for such tools.

For example, anyone can upload and run arbitrary files on the victim's computer - prosecutors but also anyone who knows the computer's IP address. This allows tampering with evidence.

Additionally, not only actual communication is captured but everything you do in a browser window, e.g., writing your diary on Google Docs. Obtaining such information would legally require a search warrant. This means that police can escalate their privileges without judicial oversight.

And finally, all captured information is sent to a server in the USA, clearly outside of German jurisdiction. Weakly encrypted. Together with the previously mentioned problems, this would allow the USA to ask the German police to monitor a suspected terrorist, then siphon off the wiretapping results and even place incriminating data on the victim's computer. Of course, the CIA would never do such a thing.

The question here is not whether the police may use wiretaps, the question is whether the police [1] may systematically break the law and lie to the public and courts about what they actually can do.

[1] Of course, the police in this context means only certain representatives and departments.
