German government 'built backdoor Trojan'

Posted by Emma Woollacott

A German hacking group says it's discovered a Trojan horse that the government is using to spy on citizens' online activities.

The German government openly uses a Trojan known as Bundestrojaner to monitor Skype conversations - so long as it has official authorization for a wiretap.

But, says the Chaos Computer Club (CCC), it's going substantially further than that, using malware also dubbed '0zapftis' and 'R2D2' that can download updates from the internet, run code remotely and even allow remote access to the computer - specifically prohibited by Germany's legal code.

"The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs," says the group.

"Significant design and implementation flaws make all of the functionality available to anyone on the internet."

The CCC says that the Trojan's developers made no effort to make sure that the malware could only be used to tap internet telephony, as mandated by German courts.

On the contrary, it says, the design included functionality to clandestinely add more components over the network right from the start.

"This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired," says the CCC in a statement.

"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."

The Trojan does indeed appear to have the functionality that the CCC claims, says Graham Cluley of security firm Sophos. However, as he points out, it can't be proved that the German authorities were responsible.

"The comments in the Trojan's binary code could just as easily be planted by someone mischievously wanting the Trojan to be misidentified as the infamous Bundestrojaner," he points out.

"But there certainly have been claims of German state-sponsored cyber-spying in the past. For instance, in 2008, there were claims that the BND - Germany's foreign intelligence service - deployed spyware to monitor the Ministry of Commerce and Industry in Afghanistan."

What's certain is that the issue will cause controversy in Germany. Germans are notoriously keen on their privacy, with nearly three percent of householders taking the trouble to get their houses blurred on Street View.

Politicians are calling for an urgent review.