
German Government's Malware Analyzed

Posted by timothy
from the unter-dem-mikroskop dept.
First time accepted submitter lennier1 writes "The German hacker group CCC (Chaos Computer Club) has analyzed a piece of malware the German government uses in criminal investigations to spy on a suspect's computer. I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."
  • by esocid (946821)
    You want competent surveillance too? Sheesh, so demanding.
    I'll go ahead and throw out the "if you've got nothing to hide" out there too, and see how this gets modded.
  • I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict

    This must be some new meaning for the word "all" that I have not come across before. Because it implies that "all" means a vanishingly small fraction of the population.

    • by Shoe Puppet (1557239) on Saturday October 08, 2011 @04:46PM (#37650038)

      /etc/init.d/sarcasm start

      • by ae1294 (1547521)

        sudo /etc/init.d/sarcasm start

        • by cynyr (703126)

          lol, I love the Ubuntu people who don't know they can just log in as root to do a bunch of things and then log out...

          sudo foo
          sudo bar
          sudo start foo
          sudo start bar

          su -
          foo
          bar
          start foo
          start bar
          exit

          • Actually, in Ubuntu that should be "sudo su" as the first command...
            • by allo (1728082)

              No. It's just "sudo -s". "sudo su" is for people who cannot read manpages.

              • by pizzap (1253052)

                you may use sudo -i as well.

              • No, sudo su is for people who have a random or unknown root password, but have full sudo capabilities.

      • by Smallpond (221300)

        /etc/init.d/sarcasm start

        Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

        • /etc/init.d/sarcasm start

          Please. It used to be service sarcasm start but we've switched to systemctl start sarcasm.service now.

          I use Windows. I don't know how to be sarcastic.

          • by awehttam (779031)
            net start sarcasm
      • #!/bin/bash
        # Start/stop a daemon with whichever init system is running as PID 1.
        if [[ -z $1 ]]; then
            echo "Usage: ${0##*/} (stop|start|restart) [daemon]"
            exit 1
        fi
        if [[ -z $2 ]]; then
            d=sarcasm
        else
            d=$2
        fi
        # /proc/1/comm holds the process name of PID 1: "systemd", "init"
        # (Upstart and SysV init both report "init") or "runit".
        case $(</proc/1/comm) in
            systemd)
                systemctl "$1" "$d.service"
                ;;
            init)
                service "$d" "$1"
                ;;
            runit)
                sv "$1" "$d"
                ;;
            *)
                # Unknown init system: fall back to the classic SysV script
                "/etc/init.d/$d" "$1"
                ;;
        esac
  • I think there is something we don't know about. If they really got the "official" version, then I am expecting that many heads in the German federal government will fall.
    • by plover (150551) *

      I think you are overly optimistic about the ability of most governments to correct their own abuses of power. I doubt they'll fire anyone or even stop using the Trojan, they'll just have someone correct some of the deficiencies the CCC found.

      At the most, they may take the Undersecretary for Purposes of Scapegoating out and publicly fire him. They might terminate the contract with the software company who developed it. But don't expect "many heads" to roll.

    • by Anonymous Coward

      Unfortunately crass incompetence and general disregard for laws only means the persons responsible will fall UP the promotion ladder. The more you fuck up, the higher you get. The ruling class cannot do wrong. "Du bist Deutschland!"

    • by Issarlk (1429361)
      We are talking about beeping computers with blinking lights in front of strange guys with big glasses typing on keyboards as big 3D skulls rotate over a password form... in the imagination of anyone high enough to fire them. They'll probably shrug and just ask them to hire a goth girl to enhance the security of the encryption channel so that they don't get their computers fried in a deluge of sparks if the bad guys squeeze through the security holes.
    • by barv (1382797)
      More likely than federal public servants being sacked for wrongdoing is a witch hunt to find out who leaked the binary. Oh and also an attempt will be made to hire a proper programmer in place of their script kiddy.
      • It wasn't "leaked". It was handed over to the CCC by a lawyer. He defended a guy in court against whom the malware was used to collect evidence.

    • by ultranova (717540)

      I think there is something we don't know about. If they really got the "official" version, then I am expecting that many heads in the German federal government will fall.

      Yeah. A country that was mentored by both Hitler and Stalin really has no excuse for incompetence in this area.

    • by t2t10 (1909766)

      I seriously doubt it. Since WWII, German governments have gotten away with a lot, including massive surveillance and widespread invasions of privacy. Germans just don't care.

  • by Dunbal (464142) * on Saturday October 08, 2011 @04:51PM (#37650076)
    Can this trojan upload child pornography (or any other incriminating files/images) to the suspect's computer, to be collected as "evidence" at a later date? I suspect it can. And if this program can uninstall itself at a later date, then this is a perfect tool for "bring him in, boys". Oh George Orwell, how foresighted you were.
    • by jeti (105266) on Saturday October 08, 2011 @05:41PM (#37650362) Homepage

      Yes. It contains filedropper functionality. Like most malware, it can download and execute additional applications thereby extending its functionality and it can place documents on the infected PC.

  • by Anonymous Coward

    Communication uses the fixed banner string "C3PO-r2d2-POE" as handshake.
    So, this could be the trojan we're looking for.

    Also, the code contains a function called "_0zapftis_le_execute()".
    "O'zapft is!" is the traditional opening phrase of the Munich October/Beer Festival, where the mayor taps the first barrel of beer with a hammer.

    Source: http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

    • Communication uses the fixed banner string "C3PO-r2d2-POE" as handshake. So, this could be the trojan we're looking for.

      Also, the code contains a function called "_0zapftis_le_execute()". "O'zapft is!" is the traditional opening phrase of the Munich October/Beer Festival, where the mayor taps the first barrel of beer with a hammer.

      Source: http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf [www.ccc.de]

      What does the "POE" mean? Porn Over Ethernet?

      • by Anonymous Coward

        Correct. "O'zapft is" is Bavarian for "it's tapped".

      • by Anonymous Coward

        The *disassembly* produced by CCC contains those function names. The report mentions near the beginning that all the code is in a DLL without any exported symbols, so that name was picked by the people doing the disassembling; it's not from the original code.

    • They better be prepared for the cease and desist order from LucasFilm.
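The two indicators this subthread quotes from the CCC report, the fixed handshake banner "C3PO-r2d2-POE" and (further down the page) a C&C address of 207.158.22.134, are the kind of thing a network defender would turn into a quick flow check. The sketch below is an added example, not code from the CCC report or from any commenter: it reassembles per-flow payloads so a banner split across two packets is still caught, then flags flows that carry the banner or go to the quoted address. The packet-record format and every packet in SAMPLE_PACKETS are constructed for the demo; treating the quoted IP as a known C&C address is an assumption taken at face value from the thread.

```python
# Added example, not code from the CCC report or from anyone in this thread.
# Flags reassembled TCP payloads carrying the fixed handshake banner the CCC
# analysis reports ("C3PO-r2d2-POE") and flows to the C&C address a commenter
# quotes from the report. All packet records below are constructed.
from collections import OrderedDict

BANNER = b"C3PO-r2d2-POE"           # fixed handshake string per the CCC report
KNOWN_C2 = {"207.158.22.134"}       # address quoted in the thread; assumed as-is


def find_banner(payload):
    """Return every byte offset at which BANNER occurs in payload."""
    offsets = []
    start = 0
    while True:
        i = payload.find(BANNER, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def reassemble(packets):
    """Concatenate payloads per (src, sport, dst, dport), preserving order,
    so a banner split across two packets is still found."""
    streams = OrderedDict()
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        streams.setdefault(key, bytearray()).extend(p["payload"])
    return streams


def scan(packets):
    """Return one hit per suspicious flow with the reasons it matched."""
    hits = []
    for (src, sport, dst, dport), data in reassemble(packets).items():
        reasons = []
        offsets = find_banner(bytes(data))
        if offsets:
            reasons.append("handshake banner at offset(s) %s" % offsets)
        if dst in KNOWN_C2:
            reasons.append("destination %s is a reported C&C address" % dst)
        if reasons:
            hits.append({"flow": "%s:%d -> %s:%d" % (src, sport, dst, dport),
                         "reasons": reasons})
    return hits


# Constructed sample traffic (RFC 5737 documentation addresses except for the
# quoted C&C address). The second flow splits the banner over two packets.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "sport": 51000, "dst": "198.51.100.10", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "10.0.0.7", "sport": 51001, "dst": "207.158.22.134", "dport": 443,
     "payload": b"C3PO-r2"},
    {"src": "10.0.0.7", "sport": 51001, "dst": "207.158.22.134", "dport": 443,
     "payload": b"d2-POE\x00\x10\x00\x00"},
    {"src": "10.0.0.9", "sport": 51002, "dst": "203.0.113.20", "dport": 443,
     "payload": b"\x00\x00C3PO-r2d2-POE"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_PACKETS):
        print(hit["flow"], "->", "; ".join(hit["reasons"]))
```

Run as-is it reports the two suspicious flows and stays silent on the HTTP request. A fixed plaintext banner is a cheap indicator but a brittle one: a rebuilt sample can change it in a single constant, so pair it with the address list and with behavioural checks rather than relying on the string alone.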

  • by Anonymous Coward

    How can the US government keep doing stuff like ... what, it isn't the US government? Then it must be for the good of the country since only the US does stuff like this with anything other than good intentions, carry on.

    • How can the US government keep doing stuff like ... what, it isn't the US government? Then it must be for the good of the country since only the US does stuff like this with anything other than good intentions, carry on.

      No, we're just the only ones that every one likes to complain about, or maybe we just get caught more often. I don't know, but it's not like every government on Earth doesn't do things like this, to one degree or another.

      • by chrb (1083577)
        Of course they do, and it has a name: Lawful interception. [wikipedia.org] Support for lawful interception is built into telephone exchanges, network switches etc. When it's used to eavesdrop on terrorists and drug dealers, then people like it. When it's used to eavesdrop on everyone, then people dislike it. Somewhere in between there is a vast land where some approve, some disapprove, and many don't care.

        [NB: The German constitutional court ruled that there is a sphere of privacy that is afforded total protection and can never be breached, no matter for what reason, for example keeping a diary or husband and wife talking in the bedroom.

        That is very interesting: even during a criminal terrorism investigation, a suspect's personal notes and diary are legally protected.

        • by t2t10 (1909766)

          Of course they do, and it has a name: Lawful interception

          Lawful interception requires a court order in the US. In Germany, it's a judgment call by the police, controlled only by internal reviews.

          That is very interesting: even during a criminal terrorism investigation, a suspect's personal notes and diary are legally protected.

          That's protection against investigation by the police, enforced largely by internal reviews. It isn't protection against intelligence services or state security services, and even fo

    • The US is just bigger, that's why we hear a lot more about the US than about any other country. And only because it's hard to hear anything from Russia, and don't get me started on China.

      Governments all over the planet have managed to slip past the point where they're corrupt to the bone. I miss the Soviet Union. As long as it existed, our politicians at least had to pretend they were the good guys.

  • by Anonymous Coward

    I have read the report linked to in the article. This report is written in German. Nothing in the binary itself hints that this is the "real thing". The analyzed binary is a Windows DLL without exported functions. The C&C server of the trojan is 207.158.22.134, which is allocated to Web Intellects in Columbus, Ohio, USA. The connection to the German government is only hearsay for now; we have to believe in it.

    • by agw (6387)
      Looks like they got it from people who got their computers back after they were busted?
  • Yes, you too can foster Total Political Disintegration (Normal Mode), Totalitarian Rule (Easy Mode), New Nazi Order (Hard Mode), or Common Sense Government (Insane Mode) by pitting the various German political factions against one another via clever remote control of their computers at home and in the office!

    Game Play includes: That's Not My Porn and Child Porn Prisoner internet insertion features, send copies of incriminating e-mails to political rivals and international newspapers, bonus mod features to h

  • I'm sure we're all surprised that it's opening security holes for third parties, and violates a related court verdict (and several laws in general)."

    ... nope, not at all surprised.

  • by BitterKraut (820348) on Saturday October 08, 2011 @06:15PM (#37650592)
    The Chaos Computer Club is probably not adequately characterized as a 'hacker group'. It was founded in 1981 as a computer club and, while hacking has always been their most prominent activity, they have grown not only into a nation-wide association of about 3000 members, but into an influential civil rights organization as well. Their expertise in matters of IT security is frequently called upon by public media in Germany. The CCC is well respected even by many politicians, and their expertise was cited more than once by former Federal Minister of the Interior Gerhart Baum during the trial that ended last year with the Verfassungsgericht (federal constitutional court)'s finding that the federal anti-terror law that obliged providers to retain all telecommunications data for six months was unconstitutional.

    The CCC organizes the annual Chaos Communication Congress, which Slashdot readers might remember as the event where some major hacks were presented to the public:
    http://it.slashdot.org/story/11/01/02/0231242/detailing-the-security-risks-in-pdf-standard [slashdot.org]
    http://games.slashdot.org/story/10/12/29/204253/Playstation-3-Code-Signing-Cracked-For-Good [slashdot.org]
    http://it.slashdot.org/story/09/12/28/1931256/gsm-decryption-published [slashdot.org]
    http://games.slashdot.org/story/05/12/16/2157217/hacking-the-xbox [slashdot.org]

    The CCC is also well known for Project Blinkenlights, which grew out of the CCC but is now an independent project.
  • Or is it illegal for an app to find viruses that are questionably legal because the government spreads them?

    • by allo (1728082)

      f-secure at least will.

      • by Anonymous Coward

        f-secure at least will.

        You're probably referring to their stated policy [f-secure.com]. However, according to CCC

        At the time this report was written, none of the examined variants of the trojan was recognized as malware by any antivirus program. ("Alle untersuchten Varianten des Trojaners wurden zum Zeitpunkt der Berichterstellung von keinem Antivirus-Programm als Schadsoftware erkannt.") -- report page 3 [www.ccc.de]

        Also, f-secure have not promised to detect all government malware they are aware of:

        We have to draw a line with every sample we get regarding whether to

  • by rrohbeck (944847) on Saturday October 08, 2011 @09:41PM (#37651540)

    does it run on Linux?

  • by Vlad_the_Inhaler (32958) on Sunday October 09, 2011 @03:52AM (#37652516) Homepage

    In other news, the Piratenpartei recently made it into the Berlin city legislature with 8% of the vote and is currently running nationally with that level of support. If they maintain this, they will be the 4th-5th largest party in Germany.

  • by MrL0G1C (867445)

    So, if you're a criminal in Germany, all you have to do is install this software on your computer and then you have plausible deniability because anybody could have uploaded anything to your PC. Your PC could no longer be used as evidence.

    Fucked that one up didn't you Germany!!!

    • It doesn't work that way in Germany. As with the WLAN hotspot, the owner of the hotspot is responsible for all illegal activity on it, even if anybody could have used it.

      • by MrL0G1C (867445)

        I don't think you get it. If a criminal steals your car, ram-raids a shop and makes off with the contents, are you telling me that the car owner is responsible for the crimes committed? Or perhaps the gov't is responsible because it owns the roads?

        Root-kit != WLAN hotspot.

        • by t2t10 (1909766)

          Generally, there's a strong presumption that if it was done with your car and you didn't report your car as stolen, you did it. It's the same with your computer.
