Chaos Computer Club Analyzes Government Malware

Chaos Computer Club Analyzes Government Malware - CCC

 

It figures. LEA has never been very good at this sort of thing (Anything other than major organizations such as the FBI and international equivalents), which is why there aren't that many of these things out there. The vast majority of departments don't even have computer crimes divisions, let alone people skilled enough to create these little gems. FCPO wouldn't be this haphazard, and most certainly BND and MAD would not.

 

String inside

Backdoor:W32/R2D2.A

 

Submitted has to VT and only F-Secure, Clam AV and Kaspersky detects it. It's weird Kaspersky and F-Secure name it the same do they share engines?

 

Lol, when only a few on VT detect it you wouldn't expect ClamAV Kaspersky has their own engine and F-Secure uses Bitdefender plus their own BB Deepguard.

 

Someone commented on the Naked Security blog that there is a string 23CCC23 contained within. 23 is apparently the name of a German film about the hacker Karl Koch, who was associated with CCC. Then you have CCC in the string itself. Seems a bit strange if this is true.

 

@ Searching_ _ _

Thanks for posting

*

2 files in the Malware folder = mfc42ul.dll & winsys32.sys



mfc42ul.dll = Properties shown as Microsoft ! Could be forged i guess ?



winsys32.sys = Properties show Unknown, not surprising really

As well as the mysterious string 23CCC23, amongst lots of others, there are are also these in there

skype.exe - seamonkey.exe - navigator.exe - opera.exe - iexplore.exe - firefox.exe

Why only these, & what would happen if other browsers/apps were used ?

I don't see how either/both of those files get to run without some other code as well. Be nice if someone could get them to run & anylise what happens etc

Anyway, according to Chaos Computer Club, there is the Actual the proof that .GOV's do actually engage in Spyware/Malware Not so secret now

 

-http://www.ghacks.net/2011/10/10/detect-alleged-german-state-sponsored-trojan-on-your-pc/

 

So is this something that they trick you into downloading and installing on your computer? How does a person get infected? Can they get an ISP to somehow send it to you?

 

@ RedDawn

Thanks for the Anti-Bundestrojaner link

Tried to see if it detected those 2 files



I put the translation in

As the files weren't running i guess it's a pass, but i "might" have expected it to detect them statically !

@ caspian

Yeah tricking someone could work. And if your ISP is in league etc with da Feds, then i imagine they could slip it into your data stream, somehow. But of course if you have AntiExecutable etc software installed, it would NOT get installed without you allowing it And you aint gonna do that now are ya

 

It's also worth noting several AV vendors are now detecting it. Some of them even standing by their policies in favour of detecting such tactics.

 

addendum

 

According to an article on heise online Customs agents installed it on someone's notebook at the Munich airport. Apparently he detected this dll in his system (how he did that wasn't explained) and his lawyer gave the CCC the hard drive to examine.

In the meantime, the Bavarian Interior Minister has admitted that this thing is their baby and a couple of other states have also admitted to using it. The federal govt. is denying any knowledge/participation/approval/whatever, laying all the blame on the states. This is not quite true since Customs is a federal agency. It should turn into quite a mess as they all attempt to weasel out of responsibility.

 

"Come into my parlour, said the spider to the fly" - The Spider and the Fly by (Mary Howitt) http://en.wikipedia.org/wiki/The_Spider_and_the_Fly_(poem)

No way José...

 

@ Meriadoc

Thanks for the dumdum

So it was tampered with

@ Johnny123

Thanks for the info

Sneaky barstewards I didn't think of that If he hadn't detected the .dll in his system, they could have tracked etc him for ages ! I wonder how much data etc they got before the detection, & what ? Plenty of other people would not have noticed !

 

A word from ESET on the German policeware Some FAQ's on the R2D2 Trojan from Sophos

• German Minister Wants Investigation of State Authorities’ Use of Spyware

Note folks, this is a developing story.

 

"It could even be used to upload falsified "evidence" against the PC's owner ... "

Jeez! I hope the West Midlands Serious Frame Squad don't find out about this.

 

Several German states admit to use of controversial spy software

 

The Dutch government has also bought this spyware:
https://secure.security.nl/artikel/38803/1/Nederlandse_politie_kocht_Duitse_spionagesoftware.html

 

Cool, a Bondstrojan. Maybe it's good that this happened and was discovered, there's a chance that some people might start to wake up. Our govt. here has had the masses trained to the old tune of "nothing to hide, nothing to fear".

 

It looks like MSE should be able to detect Backdoor:Win32/R2d2.A according to Microsoft's Malware Protection Centre.

 

Additional info from F-Secure: http://www.f-secure.com/weblog/archives/00002250.html

 

Anti-virus software fails to deal with government trojan...

http://www.h-online.com/security/ne...s-to-deal-with-government-trojan-1360015.html

 

German states defend use of 'Federal Trojan' Skype-snooping Bundestrojaner legal, insists gov

"Local government officials said the Trojan was used within the law, contrary to CCC's claims."

 

The Federal Trojan Background and a statement from Emsisoft