German hackers have captured and analysed a cyber-sleuth Trojan which they claim may have been used by police to tap Skype calls and IM chats of criminal or terrorist suspects. German wiretap laws do in fact permit the use of a "Bundestrojaner" ("Federal Trojan"), which has been used by police to record VoIP conversations for a …
Maybe it wasn't the government
The use of "0zapftis" actually indicates some sense of humour -- unlikely to be found in a government agency, let alone a German one.
"0zapfis" is a jump mark label name invented by the CCC, is it not? Assembly labels do not appear in binary code.
Assembly labels do not appear in binary code, but the labels can appear in the compiled program unless it has been stripped.
If it had been the UK government it would have required a small server farm to run with terabytes of storage, still be out to tender and already half a billion over budget.
It's Oktoberfest, and the traditional phrase is "O'zapft is". It literally means "It is tapped".
Probably developed by "Digitask"
It currently seems as if it was developed by a company called "Digitask".
If your AV detected a government trojan, and you (or your AV) quarantined it, is that illegal? Interfering with government agenda etc?
It wouldn't be illegal. It would be the same as discovering a tap on your normal telephone and either using a different phone line or removing it.
If it is a government supplied trojan, it should be covert, but if found the game is up. It is the same as finding a bug in your flat or a tracking device attached to your car, you can remove it, but then the plod will know you are on to them, so they will probably step up the game.
It would be hard to enforce. If you decided to do a new install on your computer, you would also nuke the trojan, whether you knew it was there or not... They wouldn't be able to prove you knew it was there and removed it on purpose.
That would require them to admit they wrote it. That can cause a lot of other issues in itself
I wonder how police would react, if for every spyware found on any computer they were asked if you were allowed to remove it.
No, you cannot be expected to analyse the type and origin of malware found on your computer system. Therefore, at least in Germany, you would be safe to do so. Whether or not someone may have used that tool to place false evidence on your PC is an entirely different story...
"...or a tracking device attached to your car"
I found a bug attached to my car; it was easy to spot, it was bright yellow and attached to one of the wheels with a padlock...
Will Anglegrinder man be able to save us from Gov trojans?
I think Big Bolt Cutter Man is best for that and fits in the boot as well.
"The R2D2 name comes from a string of ASCII, "C3PO-r2d2-POE", found in the mystery Trojan. "
OK, C3PO and r2d2 are easy references, but POE... is that not a reference to Dr. Strangelove and Sterling Hayden's character Brig. Gen. Jack Ripper, the man that starts Armageddon?
Lame or not - that depends. As far as currently can be told, the badly written trojan created even more security risks for the already wire-trapped computer.
And yes, "O'zapft is" does refer (if I am not mistaken) to "es ist angezapft" - so indeed, it can be translated directly to "it is wire-trapped".
Also, while the federal police (BKA) denied any influence, recent information suggests that it has been used by Bavaria's local police forces (their LKA), as the analysed sample seems to have been supplied by someone being tried by the Bavarian LKA. (The trial only broke down when his lawyer bemoaned that the 60000 supplied screenshots had been gathered unlawfully - you think that they printed them out?!) (And no, he was no terrorist - but rather a software engineer who worked for a company who supplied something like an online shop to another company that sold drugs outside of Germany - while the drugs themselves were legal in Germany, the act of helping to sell them abroad seems to have upset the police forces.)
On the subject of security, where's the El Reg coverage of the malicious software that is infecting the US drones, as reported in today's Times?
Who does it work for?
What IP addresses does it report back to?
Who are they registered to? Surely it would be illegal for the gubberment to be using incorrectly assigned IP addresses. They must be registered to a contactable keeper, presumably a front company, but it would make a fun way to start investigating.
I love the inference
It's so badly written it must be the gubberment,
with the unwritten footnote: hackers have got better than that these days, why go to the trouble of owning a system and then leave it open to being stolen by a rival gang.
Apparently this is a US-American IP, for privacy's sake, you know.
I think I read this in CCCs pdf about the incident, or heard it on the news, it's some big story here in good ol' Germany, if Europe wasn't gonna annihilate itself financially this would be widely covered...
The Bavarian Ministry of the Interior now confirmed that this trojan indeed belonged to the Bavarian state police.
Time will tell
And now we are waiting for the German Federal Public Prosecutor to search the offices of Bavarian Government and of the Bavarian LKA. Only one deferring factor, the German Home Secretary is member of the Bavarian branch of the ruling Christian Democratic Union and who knows what he ...
"The screenshots and audio files it sends out are encrypted in an incompetent way"
I'm waiting for the government to issue a denial by stating.. Yes it was well written! lol
So badly written...
... that it is likely made by a government! LOLLASTIC!
By the way, do terrorists still use Windows?
Analyse the code?
Zat is exzactly vat zey exzpect us to do.
That string triggered something. I can remember it also turned up in the last issue (58) of Benq-Siemens' mobile phone firmware for the last model (EF81) built in the Kamp-Lintfort site.
I would have a look at the guy who wrote that. Don't quite remember his name, but it was somewhat Polish, Stanislaw Nebowski or similar. Might be a 'signature'...
They admitted to it
By now, Lower Saxony, Brandenburg, Baden-Württemberg and Bavaria confessed. Hesse nearly confessed.
There are also official documents of the relevant institutions in those states buying software from Digitask.
Oh and the director of the company Digitask has been sentenced to 21 months in prison on bail and 1.5 million Euros in 2002 because of blackmail.
Apparently a lawyer of Digitask admitted it's most likely the trojan of their company.
BTW, the really big issue is that the constitutional court forbade certain features like loading new code... however those features are in there, but deliberately hidden. This probably means they are not only there by accident, but on purpose, made by someone who knew that what he was doing was illegal.
Presumably illegal outside Germany
So either they've got rather better geolocation than anyone else on the planet or they've inadvertently trampled on the criminal law of their neighbours. Where's that popcorn...?
If the functionality exceeds VoIP eavesdropping...
... (and it apparently does), it's illegal inside Germany too. That's the point.
In the meantime, officials of several German federal states have more or less admitted that this malware was indeed gov business...