Chaos Computer Club Analyzes Government Malware

Discussion in 'malware problems & news' started by Searching_ _ _, Oct 8, 2011.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Chaos Computer Club Analyzes Government Malware - CCC
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It figures. LEA has never been very good at this sort of thing (Anything other than major organizations such as the FBI and international equivalents), which is why there aren't that many of these things out there. The vast majority of departments don't even have computer crimes divisions, let alone people skilled enough to create these little gems. FCPO wouldn't be this haphazard, and most certainly BND and MAD would not.
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Submitted has to VT and only F-Secure, Clam AV and Kaspersky detects it. It's weird Kaspersky and F-Secure name it the same do they share engines? :rolleyes:
     
  5. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Lol, when only a few on VT detect it you wouldn't expect ClamAV :p Kaspersky has their own engine and F-Secure uses Bitdefender plus their own BB Deepguard.
     
  6. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    Someone commented on the Naked Security blog that there is a string 23CCC23 contained within. 23 is apparently the name of a German film about the hacker Karl Koch, who was associated with CCC. Then you have CCC in the string itself. Seems a bit strange if this is true.
     
  7. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Searching_ _ _

    Thanks for posting :thumb:

    *

    2 files in the Malware folder = mfc42ul.dll & winsys32.sys

    2.gif

    mfc42ul.dll = Properties shown as Microsoft ! Could be forged i guess ?

    micros.gif

    winsys32.sys = Properties show Unknown, not surprising really :D

    As well as the mysterious string 23CCC23, amongst lots of others, there are are also these in there

    skype.exe - seamonkey.exe - navigator.exe - opera.exe - iexplore.exe - firefox.exe

    Why only these, & what would happen if other browsers/apps were used ?

    I don't see how either/both of those files get to run without some other code as well. Be nice if someone could get them to run & anylise what happens etc :thumb:

    Anyway, according to Chaos Computer Club, there is the Actual the proof that .GOV's do actually engage in Spyware/Malware :p Not so secret now :D
     
  8. RedDawn

    RedDawn Registered Member

    Joined:
    Aug 13, 2008
    Posts:
    125
    Location:
    Ireland
    -http://www.ghacks.net/2011/10/10/detect-alleged-german-state-sponsored-trojan-on-your-pc/
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    So is this something that they trick you into downloading and installing on your computer? How does a person get infected? Can they get an ISP to somehow send it to you?
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ RedDawn

    Thanks for the Anti-Bundestrojaner link :thumb:

    Tried to see if it detected those 2 files

    s.gif

    I put the translation in ;)

    As the files weren't running i guess it's a pass, but i "might" have expected it to detect them statically !

    @ caspian

    Yeah tricking someone could work. And if your ISP is in league etc with da Feds, then i imagine they could slip it into your data stream, somehow. But of course if you have AntiExecutable etc software installed, it would NOT get installed without you allowing it :D And you aint gonna do that now are ya ;)
     
  11. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
    It's also worth noting several AV vendors are now detecting it. Some of them even standing by their policies in favour of detecting such tactics.
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
  13. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    According to an article on heise online Customs agents installed it on someone's notebook at the Munich airport. Apparently he detected this dll in his system (how he did that wasn't explained) and his lawyer gave the CCC the hard drive to examine.

    In the meantime, the Bavarian Interior Minister has admitted that this thing is their baby and a couple of other states have also admitted to using it. The federal govt. is denying any knowledge/participation/approval/whatever, laying all the blame on the states. This is not quite true since Customs is a federal agency. It should turn into quite a mess as they all attempt to weasel out of responsibility.
     
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,873
  15. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Meriadoc

    Thanks for the dumdum ;)

    So it was tampered with :D

    @ Johnny123

    Thanks for the info :)

    Sneaky barstewards :eek: I didn't think of that :( If he hadn't detected the .dll in his system, they could have tracked etc him for ages ! I wonder how much data etc they got before the detection, & what ? Plenty of other people would not have noticed !
     
  16. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Oct 11, 2011
  17. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
    "It could even be used to upload falsified "evidence" against the PC's owner ... "

    Jeez! I hope the West Midlands Serious Frame Squad don't find out about this. :eek:
     
  18. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Several German states admit to use of controversial spy software
     
  19. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  20. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
  21. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
  22. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,633
    Location:
    UK
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
  24. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,028
    Location:
    Lloegyr
  25. PJC

    PJC Very Frequent Poster

    Joined:
    Feb 17, 2010
    Posts:
    2,959
    Location:
    Internet
Loading...
Thread Status:
Not open for further replies.