Chaos Computer Club Analyzes Government Malware

Searching_ _ _ · Oct 19, 2011

About two weeks ago, the German Chaos Computer Club (CCC) has published an analysis report of a backdoor trojan that they claim had been used by German police during investigations in order to capture VoIP and IM communication on a suspect's PC. Our friends over at F-Secure published a blog post last week where they wrote about another file that, according to them, seemed to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.

The dropper carries five other binaries in its resource table, so there are six components in total – each with a different purpose – all of which have been analyzed by us. Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.
Click to expand...

Federal Trojan's got a "Big Brother" - SecureList

Noob · Oct 19, 2011

Interesting and was nice to read a few articles
Glad to know AV companies don't care for a heck but i guess that won't last forever.

J_L · Oct 21, 2011

What an obvious development finally in light.

noone_particular · Oct 22, 2011

Another good reason to stop relying on AVs, cloud based or not.

h-online said:

Even as late as Saturday morning, not a single AV program recognised the files as a threat. Now, most programs issue an alert along the lines of "backdoor.R2D2" when they encounter one of the files that were released by the CCC. This is intended as a measure to boost users' confidence.
However, a test conducted by The H's associates at heise Security on Monday found that programs such as Ikarus, Panda, Trend Micro and McAfee stopped issuing alerts as soon as even a minimal change was made to the file. The testers simply replaced the capital O in the "DOS" string with a small o. While McAfee identified the mfc42ul.dll file as Artemis!930712416770 before the modification was made, it remained silent afterwards.
The fact that three of the most prominent promoters of "in-the-cloud" detection should get caught out is no coincidence, because primitive cloud detection mechanisms only use the hash values of the files in question. These values change when only a single bit is modified in a file.
Click to expand...

This is one "official" app from one country, just the tip of the iceberg. It's a safe bet that there are many more, probably better written. A properly implemented default-deny policy would not only stop it from running or being installed, it would have logged the event. Such logs could be quite useful if the tampering was found to be illegal.

siljaline · Oct 23, 2011

A thread from the ESET board that may be of use in this post.

siljaline · Oct 26, 2011

From H-Online

The CCC (Chaos Computer Club) has analysed the more recent version of Digitask's German government trojan that was was discovered by Kaspersky. This version dates back to December 2010 and has not yet been associated with an actual case. The analysis focused on the improvements that were made to fix the previous version's weaknesses, and on the postulated "audit-proof logging" of all activities.
Click to expand...

Full Article

Log in or Sign up

Chaos Computer Club Analyzes Government Malware

Searching_ _ _ Registered Member

Noob Registered Member

J_L Registered Member

noone_particular Registered Member

siljaline Registered Member

siljaline Registered Member

Log in or Sign up

Chaos Computer Club Analyzes Government Malware

Searching_ _ _ Registered Member

Noob Registered Member

J_L Registered Member

noone_particular Registered Member

siljaline Registered Member

siljaline Registered Member

Useful Searches