CCC criticises new version of government trojan

The BinDiff tool shows the structural similarities and differences between the two versions of the trojan.
Source: Chaos Computer Club (CCC)

The CCC (Chaos Computer Club) has analysed the more recent version of Digitask's German government trojan that was discovered by Kaspersky. This version dates back to December 2010 and has not yet been associated with an actual case. The analysis focused on the improvements that were made to fix the previous version's weaknesses, and on the postulated "audit-proof logging" of all activities.

The CCC's "reversers" found that, while improvements were indeed made, these improvements are by no means sufficient to allow collection of evidence that is consistent with regulations.

According to the CCC, the 2010 model does encrypt data traffic in both directions, and it does include rudimentary authentication mechanisms, but it uses the same AES key as the version that is three years older. Furthermore, nothing appears to have changed about the embarrassing use of AES encryption's ECB mode. The CCC said that after briefly analysing a trojan, it is still possible to listen to, and even manipulate, all communications between the trojan and its C&C server.

Consequently, it took the CCC's specialists only a few hours to adapt their custom C&C server in such way that it worked with the more recent versions. Reportedly, the C&C server can be used to control a computer that has been infected with the government trojan. The researchers said that they would also be able to use a fake trojan to upload "evidence" such as screenshots which, they added, a C&C server would accept as authentic due to a lack of "authentication checks [...] that are even approximately up-to-date." If such a fake trojan was running on the observed computer, said the CCC, not even comparing IP addresses would produce anything suspicious. The CCC concluded that, ultimately, "screenshots (and other evidence) gathered via trojans must generally be considered fake and do not constitute conclusive evidence."

Incidentally, the 2010 version of the government trojan also includes the controversial update function that enables the trojan to download and execute arbitrary programs from the internet. This feature in particular was criticised because it is in breach of the German Constitutional Court's stipulation that investigations be technically restricted to the monitoring of telecommunications connections, said the CCC. Advocates of the feature have, on the other hand, called it an indispensable update mechanism.

The Interior Ministry has responded quickly this time: according to its information, the new version of the trojan that has been analysed by the CCC has not been used the BKA (Federal Criminal Police Office). A ministry spokesman stated that this version had also not been used by authorities other than the Interior Ministry. Both the Federal Police and the Federal Office for Constitution Protection are ministry departments.

(ehe)