Chaos Computer Club cracks Germany's illegal government malware, a trojan that spies on your PC and lets anyone off the street hijack it

Germany's Chaos Computer Club published the binaries of a piece of malware used by the German government to spy on citizens, together with its analysis of them. The software was discovered in the wild and reverse engineered. It can be used to spy on or remotely control an infected PC. Because of flaws in the software, anyone infected with it by German police was also exposed to spying by "anyone on the street." The German supreme court banned the use of trojans to spy on German citizens in 2008.

The analysis also revealed serious security holes that the trojan tears into infected systems. The screenshots and audio files it sends out are encrypted incompetently, and the commands from the control software to the trojan are not encrypted at all. Neither the commands to the trojan nor its replies are authenticated or integrity-protected. As a result, not only can unauthorized third parties take control of the infected system, but even attackers of mediocre skill can connect to the authorities' server, claim to be a specific instance of the trojan, and upload fabricated data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the trojan infrastructure.
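The checks the analysis says are missing, as an added example that is not part of the original post or of the CCC's report: a toy Python model of a command channel with no authentication at all, beside one that binds every frame to a shared key and a sequence counter so that forged, tampered and replayed commands are rejected. The wire format, the key handling, the opcode strings and the sample frames are constructed for illustration and are not the trojan's actual protocol.

```python
import hashlib
import hmac
import secrets
import struct

SEQ_LEN = 8    # 64-bit big-endian per-direction sequence counter
MAC_LEN = 32   # HMAC-SHA256 tag


def parse_unauthenticated_command(frame: bytes) -> dict:
    """The failure mode the analysis describes: a plaintext command with no
    key, no MAC and no counter. Constructed format "<opcode>:<argument>";
    the parser has no way to tell the operator's frame from a stranger's."""
    opcode, _, arg = frame.partition(b":")
    return {"opcode": opcode.decode(), "arg": arg.decode()}


class AuthenticatedChannel:
    """One direction of a command channel. Hypothetical wire format:
         seq (8 bytes) || payload || HMAC-SHA256(key, seq || payload)
    Both ends hold the same per-implant key; the receiver remembers the
    highest sequence number it accepted so a captured frame cannot be replayed."""

    def __init__(self, key: bytes):
        if len(key) < 16:
            raise ValueError("key too short")
        self.key = key
        self.send_seq = 0
        self.last_recv_seq = -1

    def _tag(self, seq_bytes: bytes, payload: bytes) -> bytes:
        return hmac.new(self.key, seq_bytes + payload, hashlib.sha256).digest()

    def seal(self, payload: bytes) -> bytes:
        seq_bytes = struct.pack(">Q", self.send_seq)
        self.send_seq += 1
        return seq_bytes + payload + self._tag(seq_bytes, payload)

    def open(self, frame: bytes) -> bytes:
        if len(frame) < SEQ_LEN + MAC_LEN:
            raise ValueError("frame too short")
        seq_bytes = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-MAC_LEN]
        tag = frame[-MAC_LEN:]
        # Verify the tag first, in constant time, before trusting anything in the frame.
        if not hmac.compare_digest(tag, self._tag(seq_bytes, payload)):
            raise ValueError("bad MAC: forged or tampered frame")
        seq = struct.unpack(">Q", seq_bytes)[0]
        if seq <= self.last_recv_seq:
            raise ValueError("replayed frame")
        self.last_recv_seq = seq
        return payload


def _rejects(channel: AuthenticatedChannel, frame: bytes) -> bool:
    try:
        channel.open(frame)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Run the attacks from the analysis against both channel designs."""
    key = secrets.token_bytes(32)                 # assumed per-implant key
    operator = AuthenticatedChannel(key)          # sends commands
    implant = AuthenticatedChannel(key)           # receives them
    stranger = AuthenticatedChannel(b"1234" * 4)  # attacker with a guessed key

    r = {}
    # Unauthenticated channel: a stranger's frame parses exactly like the operator's.
    r["stranger_cmd_accepted"] = parse_unauthenticated_command(b"screenshot:1")["opcode"] == "screenshot"

    cmd1 = operator.seal(b"screenshot:1")
    r["legit_ok"] = implant.open(cmd1) == b"screenshot:1"
    r["replay_rejected"] = _rejects(implant, cmd1)

    cmd2 = operator.seal(b"upload:C:/evidence.txt")
    tampered = bytearray(cmd2)
    tampered[SEQ_LEN] ^= 0x01                      # flip one bit of the payload
    r["tamper_rejected"] = _rejects(implant, bytes(tampered))
    r["forgery_rejected"] = _rejects(implant, stranger.seal(b"webcam:on"))
    # The failed attacks did not advance the implant's counter, so the genuine
    # second command still goes through.
    r["later_legit_ok"] = implant.open(cmd2) == b"upload:C:/evidence.txt"
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {ok}")
```

Applying the same framing in the implant-to-server direction, with a key unique to each implant, is what would stop an outsider from "claiming to be a specific instance" and uploading fabricated evidence. In a real deployment one would use an AEAD such as AES-GCM or ChaCha20-Poly1305 inside a mutually authenticated TLS session rather than hand-rolled HMAC framing; the toy only makes the point that with neither a key nor a counter the receiver has nothing to check.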

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities", commented a CCC spokesperson. "The security level this trojan leaves the infected systems in is comparable to it setting all passwords to '1234'".

To avoid revealing the location of the command and control server, all data is relayed through a rented dedicated server in a data center in the USA. Control of this malware is thus only partially within the borders of its jurisdiction, and the instrument could therefore violate the fundamental principle of national sovereignty. Combined with the incompetent encryption and the missing digital signatures on the command channel, this poses an unacceptable and incalculable risk. It also raises the question of how a citizen is supposed to obtain legal redress if the wiretapping data are lost outside Germany or the command channel is misused.


    1. How is this “evidence for the case for using open source”? The authorities didn’t even admit to having that piece of software in the first place.

  1. this is actually rather sad.
    as of this morning, the bavarian minister for internal affairs (it’s his responsibility to keep stuff like this from happening) has entered a state of active denial and has last been seen sputtering erratic monosyllabic nonsense into any available microphone – 

    the little software gem is not some blunder, but A BREACH OF OUR CONSTITUTION.

    it’s pretty much a TSHTF situation.

    oh, and meanwhile in the “clowns to the left of me, jokers to the right” department,
    speakers for both the german police union and the union for german policemen
    demand that from now on only officially certified software shall be used for black ops.


  2. The funny thing is I checked out the binaries and they are for Windows, not Mac. But the screenshot shows a Mac interface. Is this some kind of joke or am I missing something here?

    Or maybe the deal is the client is for Mac OS X and it doesn’t infect the Mac at all. You can just use the client with Mac to control the infected Windows PCs that have the actual trojan running on them.

    1. The screenshot you are seeing is the interface of the remote control program, written by the CCC guys to demonstrate that they were able to hijack the Trojan.

      Don’t know why they did that on a Mac, probably because the logger itself seems to be Windows only?

    2. That’s a screenshot of the Command & Control interface the CCC created by reverse engineering the Trojan. We don’t know what the “official” C&C interface looks like, it wasn’t leaked or anything – this was done by analyzing an infected machine. (Or, more precisely, by analyzing its hard drive)

      1. Right, I guess it would be more boring to simply show the dll code, etc. – Using a Mac Client to attack PCs goes in line with other stuff I’ve, er… witnessed… but you usually don’t see this stuff in mainstream news like this.. haha… ok, I’ll stop here.

  3. Come on, now.

    Do the responsible thing, and use this malware to pwn the government to fix the problem. They’ve given you the technology fix you need, already. Just alter the constitution to make it unconstitutional and start issuing warrants for the arrest of the people responsible. (I’m sure you can find their identities through the use of the same malware.)

  4. It’s not entirely correct that “The German supreme court banned the use of trojans to spy on German citizens in 2008.”. Instead, the court tried to distinguish between “good” and “bad” trojans; a distinction which does not work in real life. Thanks to the CCC – you’re doing an extraordinary job.

  5. Specifically, the German Supreme Court allowed the use of Trojans only to spy on communications made with the PC (VOIP, chat, email) and only to prevent crimes that endanger human lives. Any other data on the infected computer is protected and not allowed to be spied on, but the discovered Trojan has the capability to do more: upload stuff, take screenshots, access built-in webcams etc. – in short: do stuff it’s not allowed to do. The important question is: was the Trojan used, and for what?

  6. Does German law take into account chain of custody like US law? If so, wouldn’t the fact that ‘anyone’ can get into this system mean that chain of custody is broken, and all evidence related to computers with this malware is no longer admissible? I hope so, because that would be amazing

    1. > If so, wouldn’t the fact that ‘anyone’ can get
      > into this system mean that .. all evidence
      > related to computers with this malware
      > is no longer admissible?

      No, because that would make sense, and that’s not how things work.  You’re thinking of a different planet.
