Trojan opened door to Skype spying

A German hacker group says it has found a backdoor program designed for spying on Skype communications that it alleges was used for surveillance by German law enforcement officials but which also has flaws that put the infected computer at risk of serious attack by others.

"The largest European hacker club, 'Chaos Computer Club' (CCC), has reverse-engineered and analyzed a 'lawful interception' malware program used by German police forces," the CCC wrote in a post on its Web site today. "The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the Internet."

The group analyzed the code after receiving a sample from German lawyer Patrick Schladt, who says his client was under investigation on suspicion of illegal export of pharmaceuticals, according to a report on German news site Heise Online.

Schladt alleges that the Trojan was installed on his client's computer when it passed through customs at the Munich Airport. After his client was charged, Schladt then contacted the CCC, which discovered the program on his client's hard drive after using forensic software to restore deleted malware files, writes Graham Cluley of Sophos in a blog post.

The malware--dubbed the "State Trojan" or "R2D2" for a string of characters embedded inside the code--is capable of monitoring Skype, Yahoo Messenger and MSN Messenger communications, as well as logging keystrokes in Firefox, Internet Explorer and other browsers; taking screen captures; and of being updated, according to the reports.

While German authorities can snoop on suspected criminals, they need court permission to do so and any spyware used can not alter code on a suspect's computer and additional functionality can not be added to it.

The State Trojan violates German law because it can receive uploads of programs from the Internet and execute them remotely, the CCC alleges.

"This means, an 'upgrade path' from (lawful spyware) to the full State Trojan's functionality is built-in right from the start. Activation of the computer's hardware like microphone or camera can be used for room surveillance," the CCC post says. "The government malware can, unchecked by a judge, load extensions by remote control, to use the Trojan for other functions, including but not limited to eavesdropping."

The malware could be used to plant evidence on the target's computer and delete files, therefore completely obstructing justice, but it also has "serious security holes" in it that open the computer up to attack by others and put the law enforcement agency that is controlling the malware at risk, the CCC said.

"The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the Trojan are even completely unencrypted," the post says. "Neither the commands to the Trojan nor its replies are authenticated or have their integrity protected. Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."

The CCC said it has informed the German Ministry of the Interior about its findings. "They have had enough time to activate the existing self destruct function of the trojan," the group said.

At a news conference today, German federal government spokesman Steffen Seibert said officials were investigating the matter. "We are taking (the allegations) very seriously," he said, according to a report on the Monsters and Critics Web site. "We will need to check all systems thoroughly."

A confidential memo released by WikiLeaks in early 2008 showed communications between German state law enforcement and a German firm, DigiTask, that makes software that can be used for monitoring Skype communications.

Seibert said the software in question was three years old and had not been used by federal officials, according to the Monsters and Critics report. DigiTask lawyer Winfried Seibert (same last name as the government spokesman) said the company had developed programs for authorities in Germany, but wasn't sure if it was responsible for the program analyzed by the CCC, according to an IDG News Service report.

Cluley notes that it is not really possible to prove who authored the malware, which targets Windows computers, but suspects that even if the federal officials in Germany weren't involved in the malware, officials in one of the German states were. "It's pretty likely that this is something that was done under the auspices of German authorities," he said in a phone interview with CNET today.

Neither Schladt nor German officials could be reached by CNET today.