Slashdot Mirror


German Surveillance Trojan Spies On Fifteen Apps

itwbennett writes "Researchers from Kaspersky Lab have discovered that the R2D2 surveillance Trojan, which is used by German law enforcement to intercept Internet phone calls, is capable of monitoring traffic from popular browsers and instant messaging applications. 'Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows,' said Tillmann Werner, a security researcher with Kaspersky in Germany. 'Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.'"

46 of 69 comments

  1. Yet another reason... by Anonymous Coward · · Score: 1

    Not to run Windows.

    Nathan

    PS.. image word "CONCUR"

    1. Re:Yet another reason... by ackthpt · · Score: 1

      Not to run Windows.

      Or to allow someone to install "updates" to your computer who goes by the name S. Tazi or Gus Tappo.

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:Yet another reason... by jamiesan · · Score: 4, Funny

      Some guy named Lou Ftwaffa wanted me to install some plugins on my flight simulator.

    3. Re:Yet another reason... by treeves · · Score: 3, Funny

      A lady named Krystal Nacht insisted that I upgrade my shared libraries and clean up my registry, but when I did it, I found that my Windows was broken.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
    4. Re:Yet another reason... by iceaxe · · Score: 1

      *has a stroke from Godwin overdose*

      --
      WALSTIB!
  2. Apps? by xavdeman · · Score: 2

    Or applications?

    1. Re:Apps? by Anonymous Coward · · Score: 1

      "App" is a shortening of "application". They're not specifically for mobile phones though idiots will say that's the case.

    2. Re:Apps? by TheRaven64 · · Score: 1

      "App" just refers to an especially crappy application, usually running on a phone or set-top box, with minimal user configurability.

      I'm pretty sure 'app' has just been short for 'application' for the last 20 years or so. It isn't specific to mobile apps.

      --
      I am TheRaven on Soylent News
    3. Re:Apps? by sexconker · · Score: 1

      Apps are what you get at Chili's. I recommend the Texas Cheese Fries.
      Applications are uses, or forms you fill out for shit.
      Programs are what you hand out at a theater.
      Software is software.

    4. Re:Apps? by treeves · · Score: 1

      Sometimes a church has an apps. Oh wait, that's an apse.

      --
      ...the future crusty old bastards are already drinking the Kool-Aid.
  3. GPG? by Anonymous Coward · · Score: 1

    How good of a code audit does GPG undergo? IIRC, GPG is largely funded by the German government.

    1. Re:GPG? by muckracer · · Score: 1

      > How good of a code audit does GPG undergo? IIRC, GPG is
      > largely funded by the German government.

      As good as you'd like to make your audit:

      ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.18.tar.bz2

  4. I want to move to Germany... by Oswald+McWeany · · Score: 1

    Imagine being able to legally work on producing the software to do this. Not just legally- but with the backing of the government. ... no, I do not condone it... ... but it would be fascinating to work on. :)

    --
    "That's the way to do it" - Punch
    1. Re:I want to move to Germany... by WormholeFiend · · Score: 1

      Vee haf vays of monitoring yur messages!

    2. Re:I want to move to Germany... by Moheeheeko · · Score: 1

      the Gestapo has new ways of making you talk, one by one they add email addresses of your loved ones to the email containing your browser history.

    3. Re:I want to move to Germany... by ackthpt · · Score: 5, Interesting

      Imagine being able to legally work on producing the software to do this. Not just legally- but with the backing of the government. ... no, I do not condone it... ... but it would be fascinating to work on. :)

      Imagine a world where a government employs such devious means...

      Then imagine a world where the government kicks down your door because you detected their worm and quarantined it - which makes you a person of interest.

      --

      A feeling of having made the same mistake before: Deja Foobar
    4. Re:I want to move to Germany... by ackthpt · · Score: 3, Funny

      Vee haf vays of monitoring yur messages!

      In Soviet Germany ... wait, what?!?

      --

      A feeling of having made the same mistake before: Deja Foobar
    5. Re:I want to move to Germany... by TangoMargarine · · Score: 1
      --
      Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
    6. Re:I want to move to Germany... by heson · · Score: 2

      NSA does not need to snoop in the leaf node, they have the network (and the cloud). If I was NSA, I would also build a tight partnership with Google; in fact, many of Google's features look like spinoffs of what I imagine NSA is doing.

    7. Re:I want to move to Germany... by zAPPzAPP · · Score: 2

      You will have to apply for a job at that one company they hand all those shady contracts to. You know, the one the minister of interior is involved with.
      Good news though: from what the CCC told us, they are really in need of some capable hackers.

    8. Re:I want to move to Germany... by zAPPzAPP · · Score: 1

      They use some more hands on methods to get it installed than your ordinary worm.
      Like breaking into your house, or snatching a device for a "security check" (at which point you are to give them all passwords of course).

    9. Re:I want to move to Germany... by couchslug · · Score: 1

      "Then imagine a world where the government kicks down your door because you detected their worm and quarantined it - which makes you a person of interest."

      Then imagine that country's track record over the first forty-five years of the last century, plus the track record (yet to be fully revealed) of the Eastern half of that country, and don't forget how many players are either still alive or lived long enough to have direct contact including training with current law enforcement.

      Sleep tight.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    10. Re:I want to move to Germany... by fierce · · Score: 1

      Shaka! The walls fell?

  5. Re:Chrome and Safari not on the list? by Frenzied+Apathy · · Score: 1

    n/t

    Sorry, this is completely off-topic, but doesn't typing "n/t" (by which I'm assuming you mean "no text") in your post make the reason for typing it a moot point? Kind of self-contradictory?

    Just a question...

    --
    The cake is a lie.
  6. Law enforcement reports... by justdiver · · Score: 1

    nothing interesting other than suspiciously high traffic to David Hasselhoff's website.

  7. In Corporate US, it's for Legal Documentation ! by cbelt3 · · Score: 2

    Such 'spyware' is rife in the Corporate world, but it's called "Document retention" and "monitoring for legal cases". Corporate smart phones, computers, etc. are all equipped with methods to record everything we do. Just because some shyster could possibly want to use it as an axe to suck money from our company.

    You *CAN* get a job in industry writing this kind of code. Seriously. It's out there.

  8. Top Notch Support by Sponge+Bath · · Score: 2

    "...capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows"

    I wish all software and hardware vendors were that current.

  9. Re:Chrome and Safari not on the list? by jpapon · · Score: 1

    While it is contradictory, why not go with ironic, oxymoronic, or perhaps paradoxical?

    --
    -- Let us endeavor so to live that when we pass even the undertaker shall be sorry. -- M. Twain
  10. Re:Do Antivirus projects block this Trojan? by GameboyRMH · · Score: 1

    If they know it exists then it's not very secret is it? Most antivirus apps have open virus definition files. Chances are there is no whitelist for these, and in fact I would expect any AV tool that does heuristic scanning to pick it up.

    They damn well better pick it up if they're going to pick up every cracked game executable in existence >_<

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  11. R2D2? by asylum_street_blues · · Score: 1

    Wait 'til Lucasfilm sues the Germans for copyright infringement. Even Google had to put a little "used with permission of Lucasfilm Ltd." notice on everything using "Droid".

    --
    Just because the universe could be a simulation doesn't mean that we're the point of the simulation.
    1. Re:R2D2? by Spy+Handler · · Score: 4, Funny

      but then the Germans can sue Lucas for infringing on their trademark, Stormtrooper

    2. Re:R2D2? by ogdenk · · Score: 1

      And the empire is obviously a derivative work from copyrighted Nazi documents and patented Nazi methodology and procedures. I would love to see Lucas just absolutely ass-raped in court. George is a douchenozzle.

      The fact that more people in the past haven't told Lucas to go get f**ked and stand their ground is why things are as ridiculous as they are. When you can copyright object shapes and terms such as "Droid" and win in court, all hope is lost. It's gotten to the point where it's so insane, I just generally ignore modern copyright law. Doesn't mean I don't have morals and pirate everything I feel like, however, but in no way should stuff written over 30-40 years ago still be covered under copyright, and the definition of "derivative work" should be looser and less vague. Technically EVERYTHING is a derivative work of SOMETHING.

  12. Re:Do Antivirus projects block this Trojan? by zAPPzAPP · · Score: 2

    Antivirus is good at picking up malware that spreads a lot.
    But these trojans are supposed to be used in very limited cases, so there is little chance of any AV aiming to find them specifically (up until now, that is).
    Heuristics are supposed to handle such cases, but you can test your malware against those heuristics until you are good to go, and if they don't know of you, they can't change heuristics to catch you.

  13. Cool by EvilBudMan · · Score: 1

    Where can I download this app?

  14. German Surveillance: "No Linux support plans" by Shompol · · Score: 4, Funny

    In an interview the Sekret German Surveillance rep said: "Ve dont haf planz to releze a Linukz verson of SpyMaster 2000".
    He cited multiple problems, including lack of support for MS Trojan APIs on non-Windows platforms. While there is [not] an emulator, called Bier, it is not powerful enough to support the full Trojan functionality suite.

    Many Germans complained that this is the last reason that keeps them from switching to Linux. One of the interviewers complained: "They are using our Steuergeldern, there should be Chancengleichheit for all Trojans, not just Microsoft!"

    1. Re:German Surveillance: "No Linux support plans" by AHuxley · · Score: 1

      If you have wireless, think of a fed with a laptop in the street - that will get into most OS X and Linux people of interest enjoying modern ethernet-free computing.
      If your Mac or Linux setup is wired, the feds might chat with your ISP and go direct down your ISP network next time you connect.
      Windows is well understood from a security admin ~ protective tools view. It's wide open and easy to slip something in on most versions.
      Some new, unknown, different, exotic outgoing Mac/Linux software firewall/log might just alert the user, then they ring smart friends.. the press...
      http://arstechnica.com/apple/news/2011/09/mac-trojan-pretends-to-be-flash-player-installer-to-get-in-the-door.ars
      It's wonderful if the user enters their "Unix" pw for you and you can alter all you need.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:German Surveillance: "No Linux support plans" by ista · · Score: 1

      Legal representatives of the trojan-authoring company "DigiTask" actually stated to the German press that "basically DigiTask were able to supply software for other operating systems as well - if the contract tells them to do so."
      So your attempt to be funny does point in a completely wrong direction: those guys who wrote this "legal interception" piece of spyware are clearly "dangerous" to non-Windows platforms as well.

      On a sidenote, for at least 30 years or so German students in school classes after elementary school do attend 4-6 years of English language courses, usually a couple of hours per week. Some German politicians (usually those who can't speak their own language without using a dialect or at least some very "unique" accent) publicly also suppose that toddlers in Kindergarten or pupils entering elementary school should start learning either Mandarin Chinese or English. English language and pop culture also do have quite a strong impact in Germany as well; for example, clearance sale isn't advertised with "Schlussverkauf" anymore but with large "SALE" signs. And 20 years ago, most Germans didn't have an idea of Halloween, but today, German kids can't wait to carve pumpkins and ask for a German version of "trick or treat".

      As a German, I did learn English and French at school but haven't been using French for close to 20 years. My school grades in French have never been very good, but a few months ago, I was waiting in line at an amusement park located in Germany, but close to the French border. A French mum and her four-year-old kid were waiting behind me, and the girl wanted to ride a roller coaster, but was smaller than the usually required 120 centimeters. My "rusty" French was still good enough to understand most of their conversation, to introduce myself and give them a hint on a nearby "youngster" roller coaster which may also be used by smaller kids.

      Of course, those language courses in school are far from being perfect and without frequent use, people do tend both to forget words and not to be self-confident enough to use a language learned years ago - but those language courses still do enable people to communicate with each other. This is especially important in Europe, where you can't move any further than a few hundred miles without at least being able to barely understand a completely different language. I also do know that German is quite a hard language to learn, so I don't expect any foreigners to speak German. If someone tries to do so, I see this as a very honorable attempt to accommodate himself to the country he is in - so in fact, a kind of compliment.

      If some word is unknown in such a situation, most people also tend to describe a word either using known, assumed-to-be-simpler words or even yet another, third language rather than using a word of their own (hey, they know that their language is not understood, so there's no use for their language's vocabulary). Yet another point where your joke fails.

      So maybe now you should start poking fun at those U.S. citizens, who do try to find a job in Miami and have a hard time doing so without speaking Spanish. It's about the same level of "assuming to be funny at the expense of an unknown situation".

    3. Re:German Surveillance: "No Linux support plans" by Shompol · · Score: 1
      I am sorry you took offense, but the joke was not aimed at Germans at all. The target was Windows and Netflix, although I don't name them directly. In fact, the title was ripped off from an article about Netflix :)

      I am not a security expert, but highly doubt this Trojan could be created for Linux. Which distribution would it target? How would it gain access to root to install the Trojan? I am sure there are loopholes, and suppose they exploited one; the very moment someone finds it, that loophole is getting patched. What does MS do? They send law enforcement to arrest yet another "malware crime ring". See the problem here?

      On a sidenote, for at least 30 years or so german students in school classes after elementary school do attend 4-6 years of english language courses, usually a couple of hours per week.

      East or West Germany? Something tells me that East Germany had a different education system. Again, the joke is not about them. I myself have an accent when speaking Americano.

    4. Re:German Surveillance: "No Linux support plans" by ista · · Score: 1

      No offense taken - I do see the whole trojan surveillance issue as being a very important issue for multiple reasons.

      For example, many people are having their laughs on the low level of technical expertise being used in this trojan. A few are also laughing about how these trojans have been installed (e.g. in one case, a customs officer at an airport wanted to do some extensive checks on one suspect's notebook; the suspect handed them the notebook, the officer left for a few minutes into another room and returned the notebook).

      A different, but very worrying view are the legal issues and the tendencies of politicians. A few politicians have wanted this kind of spyware for years. A few years ago, the constitutional court did decide on exactly what kinds of actions may be exercised by such a surveillance software and what actions are clearly forbidden. However, exactly the same government who triggered this court decision did ignore those decisions. The Chaos Computer Club has been checking multiple versions of the same spyware, and all of them do completely ignore any court decisions.

      Merely a little more than just a year ago, Germany's federal president resigned after an unlucky notion in a radio interview, which doesn't exactly match the ideas of the constitution and the rule of the German defence-only army. A few weeks later, the minister of defence Guttenberg made an even bolder statement on the same issue and was applauded for this. However, plagiarism in his doctorate thesis effectively made him resign a few months later: at first, the minister strictly denied everything, later chose to "temporarily" no longer use his doctorate title, then asked the university to withdraw the title. In the end, he asked the chancellor to accept his resignation.

      With the trojan spyware issue, about every state and federal politician did deny usage of this software, then denied the results of the analysis, later somehow acknowledged the results and even later acknowledged that this software has actively been used by more government agencies than estimated. The scheme of answers is the very same as with Guttenberg's doctorate plagiarism, but the actual crime strictly is a violation of a constitutional court's decision. Nobody resigned.

      Back in 2008, the constitutional court also decided federal election laws to be flawed and gave politicians three years to resolve those issues. The deadline for this expired this summer. So the very next federal elections may easily be revoked. What does it tell you when a government does ignore multiple decisions of its highest courts and as such, ignoring certain ideas and aspects of their own constitution?

      During the past 30 years or so, the Chaos Computer Club also became a very valuable, non-biased and honored source in expertise on IT security for media, politics, regular and highest courts, but exactly once their analysis on "governmental spyware" appeared, quite a few politicians cried that you can't trust those ideas and fantasies of some weird kind of club who do claim chaos in their title. So those politicians are actually trying to defame the Chaos Computer Club.

      I am not a security expert, but highly doubt this Trojan could be created for Linux. Which distribution would it target? How would it gain access to root to install the Trojan? I am sure there are loopholes, and suppose they exploited one; the very moment someone finds it, that loophole is getting patched. What does MS do? They send law enforcement to arrest yet another "malware crime ring". See the problem here?

      One of the samples of the current surveillance software has been retrieved from a notebook; the software has been installed by customs officers at an airport, who did some "extensive checks" in another room. To me, this reads like the owner handed his notebook to those customs officers and they've been using some kind of bootable USB stick or the like to install the Trojan into the likely non-encrypted filesystem.

  15. Re:Do Antivirus projects block this Trojan? by AHuxley · · Score: 1

    The FBI had http://en.wikipedia.org/wiki/Magic_Lantern_(software) reported about in ~2001 and the news provided some insight into AV vendor issues.

    --
    Domestic spying is now "Benign Information Gathering"
  16. Re:Do Antivirus projects block this Trojan? by godel_56 · · Score: 2

    Antivirus is good at picking up malware that spreads a lot. But these trojans are supposed to be used in very limited cases, so there is little chance of any AV aiming to find them specifically (up until now, that is). Heuristics are supposed to handle such cases, but you can test your malware against those heuristics until you are good to go, and if they don't know of you, they can't change heuristics to catch you.

    RTFA.

    Kaspersky stated that their AV had already detected this heuristically as a variation of the R2D2 Trojan and blocked it. They suggest installing a password in your AV to prevent anyone adding any malware to its exclusions list, as the installers had physical access to the computer to install it.

  17. Missing App Names? by Em+Adespoton · · Score: 1

    Interesting to see that pidgin.exe and chrome.exe aren't in the list....

  18. Re:Don't blame the Germans... by AHuxley · · Score: 1

    Independent contractor Schultz: I installed nothing, I logged nothing, I know nothing!

    --
    Domestic spying is now "Benign Information Gathering"
  19. Funny that... by phooka.de · · Score: 1

    Slashdot used to be my primary news aggregator. Well, it's stories like this that push me away. Not the story itself, mind you, I was quite interested in the comments to it. No, the fact that all there was was "funny" jokes about Germans and their bad English. If I want that, I can watch Fawlty Towers on YouTube, it's way more funny (http://www.youtube.com/watch?v=IngEMj4krpA).

    Bye (for now?).

  20. Re:Cool by ista · · Score: 1

    The original press release from the Chaos Computer Club at http://www.ccc.de/de/updates/2011/staatstrojaner

    points to

    http://www.ccc.de/system/uploads/77/original/0zapftis-release.tgz

    Feel free to do your own analysis :-)

    However, AV software now does have at least one more symptom to watch out for as possible malware: the trojan included a couple of .DLLs that didn't export any function.
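
The "DLL with nothing exported" symptom named in the comment above, as an added example that is not part of the original thread, the CCC release or any vendor's detection logic: a stdlib-only Python script that walks the PE headers (both 32-bit PE32 and 64-bit PE32+, since the summary notes 64-bit support), locates the export data directory and flags a DLL whose export table is absent or has zero entries. The sample images are constructed in memory by `build_pe()` purely for testing and are not loadable binaries; `pe_export_info`, `exportless_dll` and the constants are my names, not identifiers from the analyses.

```python
"""Flag DLLs that carry no export table (the symptom from the thread).

Pure-stdlib PE header parsing. The sample images are constructed
in-memory by build_pe(): just enough header to exercise the parser,
not runnable code.
"""
import struct

IMAGE_FILE_DLL = 0x2000        # COFF Characteristics bit: image is a DLL
PE32, PE32PLUS = 0x10B, 0x20B  # optional-header magic values
SECT_VA, SECT_RAW = 0x1000, 0x200  # assumed layout of the one test section


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for _, vsize, va, rawsize, rawptr, *_ in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x not backed by any section" % rva)


def pe_export_info(data):
    """Return (is_dll, number_of_exported_functions) for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)                     # COFF header
    is_dll = bool(chars & IMAGE_FILE_DLL)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == PE32:
        ndirs_off = 92       # NumberOfRvaAndSizes offset in a PE32 header
    elif magic == PE32PLUS:
        ndirs_off = 108      # ... and in a PE32+ (64-bit) header
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt_off + ndirs_off)[0]
    if ndirs < 1:
        return is_dll, 0     # no data directories at all
    exp_rva, exp_size = struct.unpack_from("<II", data, opt_off + ndirs_off + 4)
    if exp_rva == 0 or exp_size == 0:
        return is_dll, 0     # export directory absent
    sect_off = opt_off + opt_size
    sections = [struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
                for i in range(nsect)]
    exp_off = _rva_to_offset(exp_rva, sections)
    # IMAGE_EXPORT_DIRECTORY.NumberOfFunctions lives at byte 20.
    return is_dll, struct.unpack_from("<I", data, exp_off + 20)[0]


def exportless_dll(data):
    """True when the image is a DLL with nothing to export.

    Weak indicator only: resource-only DLLs and DllMain-only DLLs are
    legitimate, so treat a hit as a reason to look closer, not a verdict.
    """
    is_dll, nfuncs = pe_export_info(data)
    return is_dll and nfuncs == 0


def build_pe(is_dll=True, exports=None, magic=PE32):
    """Construct a minimal PE image (headers + one section) for testing."""
    if exports is None:
        body, exp_rva, exp_size = b"", 0, 0
    else:
        # IMAGE_EXPORT_DIRECTORY followed by the address-of-functions table.
        body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, exports, 0,
                           SECT_VA + 40, 0, 0) + b"\x00" * (4 * exports)
        exp_rva, exp_size = SECT_VA, len(body)
    ndirs_off = 92 if magic == PE32 else 108
    opt = struct.pack("<H", magic).ljust(ndirs_off, b"\x00")
    opt += struct.pack("<I", 16)                      # 16 data directories
    opt += struct.pack("<II", exp_rva, exp_size) + b"\x00" * (8 * 15)
    coff = struct.pack("<HHIIIHH", 0x14C if magic == PE32 else 0x8664, 1,
                       0, 0, 0, len(opt),
                       0x0102 | (IMAGE_FILE_DLL if is_dll else 0))
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SECT_VA,
                       SECT_RAW, SECT_RAW, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ".ljust(0x3C, b"\x00") + struct.pack("<I", 0x40)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(SECT_RAW, b"\x00")
    return headers + body.ljust(SECT_RAW, b"\x00")


if __name__ == "__main__":
    for label, img in [("dll, no exports", build_pe()),
                       ("dll, 3 exports", build_pe(exports=3)),
                       ("64-bit dll, no exports", build_pe(magic=PE32PLUS)),
                       ("exe, no exports", build_pe(is_dll=False))]:
        print("%-24s -> suspicious=%s" % (label, exportless_dll(img)))
```

Run the file directly to see the four sample verdicts, or pass `pe_export_info()` the bytes of a real DLL read from disk. A hit is a reason to look closer rather than a signature: resource-only and DllMain-only DLLs legitimately export nothing, which is why the comment calls this one more symptom and not a detection on its own.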

  21. Re:Cool by EvilBudMan · · Score: 1

    Cool and Thx, It's just something else to look out for. Privacy musta died at least 10 years ago.