Slashdot Mirror

← Back to Stories (view on slashdot.org)

Coder of Swiss Wiretapping Trojan Speaks Out

Posted by Soulskill on from the is-swiss-software-full-of-security-holes dept.

Lars Sobiraj writes "Ruben Unteregger has worked for a long time as a software-engineer for the Swiss company ERA IT Solutions. His job there was to code malware that would invade PCs of private users, and allow the wiretapping of VoIP calls — in particular, calls made through Skype. In the German-speaking areas of the country, the Trojans were called 'Bundestrojaner' because the Swiss government was involved with their development and use. Unfortunately, Unteregger has to remain silent about the customers of the company. Last night, he published the source code of his Skype-Trojan under the GPL."

23 of 114 comments (clear)

  1. Only a matter of time by eviloverlordx · · Score: 2, Interesting

    I don't think that a reasonably informed person could expect that this sort of thing could be kept bottled up for very long.

    --
    'Loose' is when your pants are three sizes too big. 'Lose' is when you misuse 'loose'.
  2. Government Support Malware... Great... by LitelySalted · · Score: 3, Interesting

    Government supported malware...

    I guess he's trying to vindicate himself by publishing the source code, but the reality is that there is a risk some idiot out there is going to misuse this information.

    Seriously, do we want open source malware?

    1. Re:Government Support Malware... Great... by Kokuyo · · Score: 5, Insightful

      but the reality is that there is a risk some idiot out there is going to misuse this information.

      SOME idiot? I'm most worried about the government itself, thank you.

    2. Re:Government Support Malware... Great... by AndrewNeo · · Score: 4, Insightful

      Yes, we do, for the same reason we want other software to be open source.. security. If we can see into a program's source, we can identify potential security issues. By releasing the trojan's source code, Skype can fix their software.

    3. Re:Government Support Malware... Great... by AlXtreme · · Score: 3, Informative

      By releasing the trojan's source code, Skype can fix their software.

      I don't think this will help Skype a lot, at best they could attempt to stop this particular trojan.

      We're talking about a trojan that has complete access to the local machine. At some point in the software Skype has to decrypt the audio transmission and send the data via the OS's audio API, and that is where this trojan will intercept the data. Skype now knows how the trojan intercepts the data, and at best they could frustrate it in a new version (which would work until the trojan is updated).

      The big question is if Skype is still secure without having to gain access to the local machine (ie. can law enforcement decrypt Skype traffic).

      --
      This sig is intentionally left blank
    4. Re:Government Support Malware... Great... by fuzzyfuzzyfungus · · Score: 2, Insightful

      I think we do. If the malware is a "feds only" tool, there will be pressure, overt or covert, on security vendors to make their products look the other way when it shows up. That would be bad.

      If every tom, dick, harry, and script kiddie out there has a dozen variants, security vendors will have to treat it as a threat, and hopefully end up mitigating the effectiveness of the fed trojan.

    5. Re:Government Support Malware... Great... by gnick · · Score: 2, Insightful

      ...releasing open source mal ware code isn't especially helpful either.

      Open sourcing it is fine (assuming he's allowed to do so - I know I'd be in trouble if I open sourced the code I'm paid to write) - Even then there's the Wikileaks option if GPL (or whatever) isn't practical. But, both as a courtesy, an aggressive encouragement to improve, and an effort to minimize damage, it should be politely delivered to Skype first. Skype should also be made aware of your intentions, in say 3-6 months, of sharing it with the world.

      --
      He's getting rather old, but he's a good mouse.
    6. Re:Government Support Malware... Great... by WindowlessView · · Score: 3, Funny

      I'm most worried about the government itself, thank you.

      Well thankfully this was the Swiss government. The US would never use some of the billions poured into the new "Cyberwar" to do exactly the same thing. We have laws and high government officials always get brought to justice over things like this...

      --
      Leave the gun, take the cannolis.
    7. Re:Government Support Malware... Great... by hitnrunrambler · · Score: 3, Insightful

      You are the government (at least you're supposed to be) here in the US, so if you're afraid of the government, you're afraid of yourself. How is that for recursive fear? :-D

      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.

      Cool... having a sig that highlights why you should be "afraid of yourself" while commenting on the recursive nature of such fear turns it from being a simple recursion into a complex fractal pattern.

  3. Not helpful? by weirdcrashingnoises · · Score: 2, Interesting

    Isn't the idea of full disclosure meant to help security by bringing to light flaws in ...whatever? thus forcing companies/governments to deal the the problem rather than simply ignore them. Altho in this case a government (Swiss) is playing on one side, and a company (Skype) is on the other.

    --
    sigs... don't talk to me about sigs....
  4. Now, Would A Patriot Please Post by Anonymous Coward · · Score: 2, Funny

    the N.S.A.'s code for intercepting EVERYTHING .

    Yours Seditiously,
    Kilgore Trout

    1. Re: Now, Would A Patriot Please Post by TheRaven64 · · Score: 2, Informative
      I suspect you mean tee, not dd. The dd command won't output anything to the stdout so grep never receives any input.

      Although, come to think of it, that would explain why the wiretapping program hasn't produced much by way of results...

      --
      I am TheRaven on Soylent News
  5. Call me naive... by Zantac69 · · Score: 2, Insightful

    ...but isnt this is a little irresponsible? Its not as irresponsible as handing a loaded Glock to a 17 year old that as raised on Half-Life, Doom, Quake, etc...but still. You are giving basically ready made code to cryp kiddies to cut, paste, and be stupid with. True black hats probably dont need it (or already had it), but that kind of makes it too easy for the wannabes. I can see why code would be released so that software makers can IMPROVE and and lock down their code to prevent snooping like this...but to just toss it out there so anyone can play with it. :shrug: Just does not seem right. (of course - the snooping to begin with was probably not "right" to begin with)

    --
    1331461 is only semiprime *sigh* Alas - I am just short of 1337.
    1. Re:Call me naive... by jimicus · · Score: 5, Informative

      You're naive.

      I'm not going to go searching on Google now but there are already loads of malware toolkits out there being used by script kiddies, some of which are rather easier to use than "First learn to code in C". This doesn't change anything.

    2. Re:Call me naive... by mcgrew · · Score: 3, Insightful

      It's odd that even though I'm 57 years old, I have a far higher opinion of youth than you seem to have. Also odd that you think Doom or Quake would turn teens into killers; what turns teens into killers is mental illness, bad upbringing, or high school bullies. And most of the teens who have these unfortunate circumstances kill themselves, not others.

      Most kids I've known from the time I was a teen to now were good kids. Some teenagers I've known were more responsible than a lot of adults I've known. Some were even more responsible than their own parents.

      --
      Free Martian Whores!
    3. Re:Call me naive... by hitnrunrambler · · Score: 3, Insightful

      You're looking at if from a perspective that can be generalized "security through obscurity"; at it's core is a hope that limiting the general knowledge of a subject will prevent "bad people" from interfering. Again generalizing the motto could be "The less people know the more everyone is safe."

            The weakness of this in practical terms is that people discover things and motivated people can be very creative. If one person or team can accomplish something there is no reason to assume that they are the only ones who possibly could.

            Let's think of it in physical terms: To modify your analogy, this is like assuming "I haven't given {violence-prone-teen} a gun; therefore he can't possibly have a gun."

            Proper disclosure (which on the surface this seems to be) raises awareness of vulnerabilities and helps motivate those who work towards combating such vulnerabilities. It also means that if those responsible are unwilling/unable to fix the problem that the general public is now aware of a problem and may be able to modify their own vulnerability to it. (With these 2 goals in mind some people follow a firm 2 step process of disclosure; informing "the authorities" first to give them a headstart, then informing the general public.)

            Proper disclosure of where a violent teen "might" get a gun disperses the illusion that "I didn't give him a gun so he must be unarmed".

            The dilemma does exist that if a vulnerability is not secured after being disclosed then, yes you have essentially given junior directions to a Glock. But as another responder pointed out... this is hardly the only source for potentially malevolent software/code. If junior is determined to kill he will find a way.

            Where does your ethical duty fall when you have such knowledge?
      That's for you to carefully consider and decide (which is the entire concept behind ethics anyway). But many people would advocate for knowledge, aware that knowledge does not automatically make us safe, but secure in their belief that ignorance never makes us safe... it just makes us feel safe.

  6. Re:GPL ? by wild_quinine · · Score: 5, Informative

    Most certainly the guy doesn't even own the source code since he did it under contract from an employer, so he cannot really "release" what is not his... Maybe I'm wrong and he owns the source code though.

    From the article:
    "There won't be problems about copyright, because ERA IT Solutions let me keep it... About the details, why I keep the copyright on this, I can't offer a statement. As already mentioned I agreed to absolute silence. You can speculate now or ask the sources directly. "

  7. Re:GPL ? by syphax · · Score: 2, Informative

    From TFA:

    Rubin Unteregger: Yes, thatÂs the plan. The source code of this wiretapping trojan will be published in the upcoming days. There won't be problems about copyright, because ERA IT Solutions let me keep it.

    --
    Simple Unexpected Concrete Credible Emotional Stories
  8. Re:GPL ? by chrb · · Score: 4, Interesting

    About the details, why I keep the copyright on this, I can't offer a statement.

    My guess would be liability. If Skype want to sue the "owner" of the trojan, the company is safe. If a "victim" of the trojan wants to sue the "owner", the company is safe. In any court case, the company can turn around and say "Ah, but we just provide advice and consultancy services. The creator and owner of the trojan code is Ruben Unteregger, and he is a completely different legal entity."

  9. Why the heck by JustNiz · · Score: 3, Interesting

    Why haven't the police already busted down the door of ERA IT Solutions and taken all their servers away? Why aren't there tons of class action lawsuits against ERA IT from people that got infected and spied on?

  10. Re:GPL ? by oldhack · · Score: 4, Funny

    Title reads: "Coder of Swiss Wiretapping Trojan Speaks Out"

    Summary reads: "Unfortunately, Unteregger has to remain silent about the customers of the company."

    The parent quotes the guy: "About the details, why I keep the copyright, I can't offer a statement. As already mentioned I agreed to absolute silence."

    That's why I am not commenting on this story.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  11. Re:GPL ? by element-o.p. · · Score: 2, Insightful

    GPL really is a stupid option in my opinion...it will give some more ammo to the FUD that carries some big corporations that GPL is bad.

    Assuming the source code is his to give away (certainly not a given!), I have to disagree.

    1) GPL is perfect for this, since it essentially says, look -- take this code and modify it, redistribute it, analyze it, re-publish it...do what you want with it, as long as you allow this same freedom to anyone else who gets the software. This is the whole reason the GPL exists in the first place! In this case, this is good because it allows others to take the code apart, figure out what makes it tick and come up with A/V signatures to detect it without worrying about whether or not you are violating a licensing agreement by trying to analyze and reverse engineer the code. It does also allow black hats to rewrite and enhance it for illicit use, but that's one of the problems with freedom -- you can always abuse freedom, if you choose. And for whatever it's worth, I don't think the black hats were going to be too concerned about license restrictions, anyway...

    2) Saying that GPL is bad because software that may possibly be used for ill intent is licensed under the GPL is a logical fallacy. Would anyone in their right mind say that, because someone somewhere has used a car to commit a crime (drunk driving? getaway car in a robbery? ran over someone who pissed them off?) that therefore all cars are inherently evil? Of course not, so why would you say that about software?

    3) Okay, maybe that's not what you meant by your "more ammo to FUD" argument. Maybe instead you meant that it allows big corporations to worry that their developers might give away their software products by licensing them under the GPL. How is that any different than any other commercially developed GPL'd product (MySQL, RHEL, etc.)? Or, from another angle, how is that any different than any other big company worrying that their developers might give their intellectual property to a competitor, or publish it on-line somewhere? It is *possible* for this to happen whether it's GPL'd, released under other FOSS licenses or simply posted on-line without any kind of license at all.

    Of course, if he doesn't really own the rights to the source code, then all bets are off.

    --
    MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  12. Re:Doesn't by Stupendoussteve · · Score: 2, Informative

    Last I checked Switzerland was a nation independent of the United States and thus not subject to the DMCA and other such nonsense.