In association with heise online

19 October 2011, 09:43

Kaspersky discovers new version of German state-sponsored trojan



(Image caption: The trojan eavesdrops on anything on this list)
Virus analysts at Kaspersky Labs have discovered a new version of the trojan written for the German authorities by Digitask. It supports 64-bit versions of Windows and monitors many more applications than the version analysed by the Chaos Computer Club (CCC). This "big brother" of the CCC sample is made up of five files, which were found inside an installation program named scuinst.exe (Skype CaptureUnit Installer) that F-Secure recently detected.

In addition to Skype, the list of processes monitored by the trojan includes other voice over IP applications, the Firefox and Opera browsers, Windows Explorer and several instant messaging clients. The full list is:

  • explorer.exe
  • firefox.exe
  • icqlite.exe
  • lowratevoip.exe
  • msnmsgr.exe
  • opera.exe
  • paltalk.exe
  • simplite-icq-aim.exe
  • simppro.exe
  • sipgatexlite.exe
  • skype.exe
  • skypepm.exe
  • voipbuster.exe
  • x-lite.exe
  • yahoomessenger.exe

The researchers also discovered a 64-bit driver signed with a certificate issued by the fictitious CA "Goose Cert"; 64-bit versions of Windows (Vista and later) refuse to load kernel-mode drivers that do not carry a valid signature. A normal copy of Windows will not trust the fake certificate, so the installation process must also tamper with Windows' certificate store; how it does this is not yet known. Practitioners should note that on x64 the kernel's code-integrity check validates a driver's signature chain against roots built into the signature-verification code, not against the user-editable certificate store, so a planted root on its own would not get the driver loaded: putting the machine into test-signing mode or subverting signature enforcement at runtime would additionally be required. It is, however, becoming increasingly clear that anti-virus software is not going to protect users from state-sponsored trojans of this type. Anyone with the capability to modify the certificate store is unlikely to have much difficulty bringing uncooperative anti-virus software into line.

The Digitask developers also appear to have borrowed further rootkit techniques: alongside the familiar AppInit_DLLs injection, which causes every process that loads user32.dll to pull in the trojan's library, they seem to have implemented a new method of activating that library with the privileges of the target process.
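The two mechanisms discussed above, AppInit_DLLs injection and a planted root certificate together with the 64-bit driver signing policy, are things an administrator can check for directly. The following PowerShell triage script is an added example written for this article; it is not code from Kaspersky, F-Secure or Digitask and does not detect this specific trojan. It assumes an elevated prompt on 64-bit Windows, and the baseline file path and the name of the functions are hypothetical.

```powershell
# Added example, not from the article or any of the vendors it names.
# 1. Enumerate AppInit_DLLs entries (x64 and WOW64 registry views) and check
#    each DLL's Authenticode signature.
# 2. Compare the machine root certificate store against a saved baseline so a
#    newly planted CA (a "Goose Cert"-style root) stands out.
# 3. Report whether the boot configuration weakens x64 driver signature enforcement.
# Assumptions: run as Administrator on Windows Vista/7 x64 or later.

$BaselinePath = 'C:\Baseline\trusted-roots.txt'   # hypothetical baseline of known-good thumbprints

function Get-AppInitDlls {
    # 64-bit processes read the native key, 32-bit processes the Wow6432Node key
    $keys = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'; View = 'x64';   SysDir = "$env:SystemRoot\System32" },
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; View = 'WOW64'; SysDir = "$env:SystemRoot\SysWOW64" }
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k.Path)) { continue }
        $props = Get-ItemProperty -Path $k.Path
        $value = [string]$props.AppInit_DLLs
        if ([string]::IsNullOrEmpty($value.Trim())) { continue }
        # LoadAppInit_DLLs=1 enables the mechanism; RequireSignedAppInit_DLLs=1 (Win7+) restricts it to signed DLLs
        $enabled  = $props.LoadAppInit_DLLs
        $signOnly = $props.RequireSignedAppInit_DLLs
        # Entries are comma- or space-separated and may be relative; relative names resolve through
        # the DLL search path, which starts in the system directory of the matching bitness
        foreach ($entry in ($value -split '[,\s]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($entry)
            if (-not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $k.SysDir $path }
            $exists = Test-Path $path
            $status = 'Missing'; $signer = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $status = $sig.Status            # Valid, NotSigned, HashMismatch, NotTrusted, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            New-Object PSObject -Property @{
                View = $k.View; Dll = $path; Exists = $exists
                Enabled = $enabled; SignedOnly = $signOnly; SigStatus = $status; Signer = $signer
            }
        }
    }
}

function Compare-RootStore {
    param([string]$Baseline)
    $current = Get-ChildItem Cert:\LocalMachine\Root | Select-Object Thumbprint, Subject, NotBefore
    if (-not (Test-Path $Baseline)) {
        # First run: record the baseline and return every root so the operator can review it
        $current | ForEach-Object { $_.Thumbprint } | Set-Content -Path $Baseline
        return $current
    }
    $known = Get-Content $Baseline
    # Anything not in the baseline is a root that was added since; a self-issued CA would appear here
    $current | Where-Object { $known -notcontains $_.Thumbprint }
}

function Get-BootSigningPolicy {
    # bcdedit requires elevation. testsigning and nointegritychecks both relax x64 kernel-mode
    # code signing, which a planted root in the certificate store alone cannot bypass
    $out = & bcdedit /enum '{current}' 2>$null
    New-Object PSObject -Property @{
        TestSigning       = [bool]($out | Select-String -Pattern '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($out | Select-String -Pattern '^\s*nointegritychecks\s+Yes')
    }
}

'== AppInit_DLLs entries =='
Get-AppInitDlls | Format-Table View, Dll, Exists, Enabled, SignedOnly, SigStatus, Signer -AutoSize
'== Root certificates not in baseline =='
Compare-RootStore -Baseline $BaselinePath | Format-Table Thumbprint, NotBefore, Subject -AutoSize
'== Boot signing policy =='
Get-BootSigningPolicy | Format-List
```

An AppInit_DLLs entry whose signature status is NotSigned or NotTrusted, or whose file lives outside the system directory, deserves a closer look; so does any root certificate that appeared after the baseline was taken, or a TestSigning value of True on a machine that is not a driver developer's workstation. The baseline comparison is only as good as the first snapshot, so take it on a machine you trust.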


(crve)

Permalink: http://h-online.com/-1363335