Kaspersky discovers new version of German state-sponsored trojan
Virus analysts at Kaspersky Labs have discovered a new version of a trojan written for the German government by Digitask. It supports 64-bit versions of Windows and is able to monitor many more applications. The "big brother" of the trojan analysed by the Chaos Computer Club (CCC) is made up of five files. They were found in an installation program by the name of
scuinst.exe (Skype CaptureUnit Installer), recently detected by F-Secure.
In addition to Skype, the list of processes monitored by the trojan includes other voice over IP applications, browsers, and email and instant messaging clients. The full list is:
The researchers also discovered a 64-bit driver signed using a certificate issued by fictitious CA Goose Cert; 64-bit versions of Windows will not load unsigned drivers. A normal copy of Windows will not accept the fake certificate, meaning that the installation process also has to modify Windows' certificate store – how it does this is not yet known. It is, however, becoming increasingly clear that anti-virus software is not going to be able to protect users from state-sponsored trojans of this type. Anyone with the capability to modify the certificate store is unlikely to have too much difficulty bringing obstreperous anti-virus software into line.
The Digitask development team also seems to have cribbed additional rootkit techniques and, in addition to the familiar AppInit technique, appears to have implemented a new method of activating the trojan library with the target process' privileges.
- Anti-virus software fails to deal with government trojan, a report from The H.
- CCC cracks government trojan, a report from The H.