Shoddy public IT work, expensive contractors and malware, finally united: The Bundestrojaner



  • (I apologise in advance for awkward language and formatting. The former is because I'm German, the latter I'll blame on community server. Or vice versa. I'm not sure yet.)

    Hey, have you heard of the Bundestrojaner? You know, the piece of spyware commissioned by the German government to aid in police work (i. e. to spy on people suspected of criminal behaviour)? Oh, don't be silly, of course you have.

    Well, it seems our friends at the Chaos Computer Club have gotten a hold of it and did some analysis, and they did... really not like what they saw. Turns out that in addition to being brazenly illegal, the whole thing appears to have been written by a high school student over the course of an afternoon. The report is all in German, sadly, but here are some of the highlights for you silly foreigners:

    • They seem to have judged HTTPS to be insufficient for their purposes and created some kind of homebrew communication protocol. So all it takes to completely neuter it is a firewall rule.
    • The IP of the command and control server is hardcoded. It's 207.158.22.134, if you're curious. No, that's not a German IP. It's in Ohio, evidently.
    • There is an authentication channel and everything, but the password is - you guessed it - hardcoded. It's C3PO-r2d2-POE, which kind of makes it even worse.
    • Wait, did I say a password was required for issuing commands? No, it's not. The password is only used for answers from the trojan. If you want to issue commands (or hijack the trojan), you... pretty much have to know that it's running on the target machine, and... uhm, that's it.
    • The trojan does use AES encryption for its responses, but it's painfully obvious that this was only done to tick off the box on the requirements chart. To wit: The key is always the same (and hardcoded) without such luxuries as "session IDs"; commands sent to the Trojan do not need to be encrypted (again, only responses are in any way protected) and, oh, due to the broken implementation, identical input always leads to identical output. My crypto-literate friends tell me this is bad.

    So what would you have to know to conduct an attack? Let's say, hijack a machine running this? Well:

    1. You have to know the machine is running it
    2. You have to know the name of the command that downloads and installs software (it's \x0e)

    ... and yeah, that's it, actually. If you speak German, I highly recommend reading the report. At least... at least it's easy to detect and remove the Bundestrojaner, I guess?



  • Wow! It turns out the people who are best suited to navigating the byzantine process of Government regulations and procurement rules are not the best suited for writing software! What a shocker!

    Seriously though, good WTF. And your writing/formatting is fine. Why would they write their own HTTPS-esque protocol instead of using, say, HTTPS? Crazy.

    BTW these guys own that IP. $20/month VPS!



  • I read the whole document. I like CCC's funny and sarcastic style on this rather sad story. I wonder if major anti virus software will now start to recognize the trojan (like they promised they would) and someone will try to sue against the trojan, for example, the Speex licensors, because according to the document, they clearly broke their license; or maybe a CCC lawyer if such a person exists.


  • Discourse touched me in a no-no place

     @derula said:

    I wonder if major anti virus software will now start to recognize the trojan (like they promised they would)
    Oh, that's easy. The Germans just criminalize removing the thing as an Epic Level Felony. Then it doesn't matter what they were investigating the target for, they can get a worse sentence for nuking the clustergrope of an "investigation". 



  • @Weng said:

     @derula said:

    I wonder if major anti virus software will now start to recognize the trojan (like they promised they would)
    Oh, that's easy. The Germans just criminalize removing the thing as an Epic Level Felony. Then it doesn't matter what they were investigating the target for, they can get a worse sentence for nuking the clustergrope of an "investigation". 

    Hate to rain on your parade but the Constitutional Court has already ruled several part of this trojan as illegal. And I'm pretty sure that they'd find such a law not be very funny, either.



  • @Yukabacera said:

    No, that's not a German IP. It's in Ohio
    Meanwhile, in Columbus Ohio . . . . .

     

    You Germans get off my computer!!!
                             </b>



  • If the remote control server is located in Ohio, then how exactly can they be so sure they found the Bundestrojaner? It could as well be some other piece of malware.



  • @Weng said:

     @derula said:

    I wonder if major anti virus software will now start to recognize the trojan (like they promised they would)
    Oh, that's easy. The Germans just criminalize removing the thing as an Epic Level Felony. Then it doesn't matter what they were investigating the target for, they can get a worse sentence for nuking the clustergrope of an "investigation". 

    "...oops, I had to format." is all the excuse one would need.  nevermind the lawsuit over violation of constitutional rights would void any sentence given as a result. 



  • @galgorah said:

    "...oops, I had to format." is all the excuse one would need.  nevermind the lawsuit over violation of constitutional rights would void any sentence given as a result. 

    The thing about that is that they could try to use that against you in court with the argument of, "If you weren't guilty, why'd you format your drive and eliminate any potential evidence?" Sure, it's technically unsound, but since when has any legal system followed any good logic?



  • Maybe you should go to a doctor and ask for a referral to a good psychotherapist. You seem to have some issues with paranoia.



  • @dohpaz42 said:

    @galgorah said:
    "...oops, I had to format." is all the excuse one would need.  nevermind the lawsuit over violation of constitutional rights would void any sentence given as a result. 
    The thing about that is that they could try to use that against you in court with the argument of, "If you weren't guilty, why'd you format your drive and eliminate any potential evidence?" Sure, it's technically unsound, but since when has any legal system followed any good logic?

    They could try that yes.  But there are tons of legit reasons to format a hard drive.  Mangled windows install, corrupt filesystem, or even just general cleanup.  I for example format and reinstall every six months just to start over with a clean slate.



  • @dohpaz42 said:

    @galgorah said:
    "...oops, I had to format." is all the excuse one would need.  nevermind the lawsuit over violation of constitutional rights would void any sentence given as a result. 

    The thing about that is that they could try to use that against you in court with the argument of, "If you weren't guilty, why'd you format your drive and eliminate any potential evidence?" Sure, it's technically unsound, but since when has any legal system followed any good logic?

    Of course, the obvious answer is, "My computer was acting weird, and I thought I had a virus. Formatting the hard drive is the only non-nuclear way to be sure." It would be up to the jury (judge? I don't know enough about German legal process to say) to decide if you were telling the truth or what. Of course, you really did have some malware.



  • @boomzilla said:

    Of course, the obvious answer is, "My computer was acting weird, and I thought I had a virus. Formatting the hard drive is the only non-nuclear way to be sure." It would be up to the jury (judge? I don't know enough about German legal process to say) to decide if you were telling the truth or what. Of course, you really did have some malware.

    Sure, you and I both know this, but a jury might not - and I'm sure the prosecution would try to spin it as something malicious on the defendant's part. Plus, if you're truly trying to remove this malware, and traces of other "stuff", wouldn't you want to also securely wipe the free space/drive with all zeros? In which case, this could potentially make you look more guilty: "If all you were trying to do was remove a virus, why then did you wipe the drive with all zeros?" Either way, it's not necessarily about proving guilt or innocence, but rather "reasonable doubt", in which was it more likely that you could be telling the truth, or more likely that you're lying? There is a huge gap between those two trains of thought.



  • @boomzilla said:

    It would be up to the jury (judge? I don't know enough about German legal process to say) to decide if you were telling the truth or what.
     

    In this case, it would be several judges. I'm too lazy to look up the details, but iirc, for major felonies, the courts have five (professional) judges.

    There are no juries in the German legal system, but the lower-rank courts have lay-judges (Schöffen) in addition to the professional judge(s), which theoretically can overrule the pros by majority, but usually they just agree to what the pros say.



  • @blakeyrat said:

    Seriously though, good WTF. And your writing/formatting is fine. Why would they write their own HTTPS-esque protocol instead of using, say, HTTPS? Crazy.

    "Because TLS is slow! It adds like, half a second, to the response time! I'm just going to roll my own encryption scheme..."



  • @dohpaz42 said:

    @boomzilla said:
    Of course, the obvious answer is, "My computer was acting weird, and I thought I had a virus. Formatting the hard drive is the only non-nuclear way to be sure." It would be up to the jury (judge? I don't know enough about German legal process to say) to decide if you were telling the truth or what. Of course, you really did have some malware.

    Sure, you and I both know this, but a jury might not - and I'm sure the prosecution would try to spin it as something malicious on the defendant's part. Plus, if you're truly trying to remove this malware, and traces of other "stuff", wouldn't you want to also securely wipe the free space/drive with all zeros? In which case, this could potentially make you look more guilty: "If all you were trying to do was remove a virus, why then did you wipe the drive with all zeros?" Either way, it's not necessarily about proving guilt or innocence, but rather "reasonable doubt", in which was it more likely that you could be telling the truth, or more likely that you're lying? There is a huge gap between those two trains of thought.

    Yes, that's what I said. You'd have to convince them (judges in this case, apparently). Of course, the assumption here is that you really did do it to cover up your nefarious activity, so stop being an asshole and own up to your malfeasance! After all, why would they arrest you if you weren't guilty?



  • @boomzilla said:

    After all, why would they arrest you if you weren't guilty?

    Sadly there is so much truth in that one little rhetorical question. :(



  • @dohpaz42 said:

    @boomzilla said:
    After all, why would they arrest you if you weren't guilty?

    Sadly there is so much truth in that one little rhetorical question. :(

    That was basically the sole argument ("who has nothing to hide has nothing to fear") for our Internet censorship / surveillance of child porn websites. Okay, there also was the "to protect the victims" one, but that makes a similar amount of sense. I'm pretty sure* the "stop sign trap" so far only caught complete idiots and people who opened such a site on accident (however that happened. maybe through a troll link).





    * I don't have any real knowledge of who or if anyone got caught through this.



  • @dohpaz42 said:

    Sure, you and I both know this, but a jury might not - and I'm sure the prosecution would try to spin it as something malicious on the defendant's part. Plus, if you're truly trying to remove this malware, and traces of other "stuff", wouldn't you want to also securely wipe the free space/drive with all zeros? In which case, this could potentially make you look more guilty: "If all you were trying to do was remove a virus, why then did you wipe the drive with all zeros?" Either way, it's not necessarily about proving guilt or innocence, but rather "reasonable doubt", in which was it more likely that you could be telling the truth, or more likely that you're lying? There is a huge gap between those two trains of thought.

    Yep. You are probrably better off acting more mainstream: "My computer was acting up so I threw it in a dumpster".



  • @geocities said:

    how exactly can they be so sure they found the Bundestrojaner? It could as well be some other piece of malware.

    My thoughts exactly. As far as I'm aware, this has not been confirmed to be Bundestrojaner.

    Furthermore, CCC people's claims that this is "bad code" are based on them having reverse-engineered what the code may look like, which doesn't really prove much. There's a strong whiff of publicity-seeking about the whole thing.



  • @geocities said:

    If the remote control server is located in Ohio, then how exactly can they be so sure they found the Bundestrojaner? It could as well be some other piece of malware.

    According to the CCC article, "To avoid revealing the location of the command and control server, all
    data is redirected through a rented dedicated server in a data center in
    the USA."   Whether or not this is actually true, I don't know.  And the whole thing is somewhat suspicious since they say "It has been found in the wild and submitted to the CCC anonymously".   But if you're doing something of questionable legality, routing it through a different country is sometimes an option people choose.

     



  • @bertram said:

    My thoughts exactly. As far as I'm aware, this has not been confirmed to be Bundestrojaner.

     

    It has been confirmed by bavarian minstry of the interior  that the trojan was used by bavarian police. CCC claims that it was used in other german countries as well.

    So not exactly the "Bundestrojaner" (federal trojan) but a bit more than only a "Bayerntrojaner" (bavarian trojan).

     

    @bertram said:


    Furthermore, CCC people's claims that this is "bad code" are based on them having reverse-engineered what the code may look like, which doesn't really prove much. There's a strong whiff of publicity-seeking about the whole thing.

    They have not only analysed the assembler code, they have also created a "Control GUI" to show how to remote-control the bad behaviour of the trojan.

    Some other articles in english language:

    Electronic Surveillance Scandal Hits Germany

    Article on redtape.msnbc

    Article on ZDnet



  • Well to be fair it could just be a beta, and they're still awaiting the final solution.



  • @Tessellated Cheese said:

    Well to be fair it could just be a beta, and they're still awaiting the final solution.

     

    hardy har har... those wacky nazis are coming back!

     



  • @ekolis said:

    @Tessellated Cheese said:
    Well to be fair it could just be a beta, and they're still awaiting the final solution.
    hardy har har... those wacky nazis are coming back!

    THREAD BANNED IN GERMANY



  • @blakeyrat said:

    @ekolis said:
    @Tessellated Cheese said:
    Well to be fair it could just be a beta, and they're still awaiting the final solution.
    hardy har har... those wacky nazis are coming back!

    THREAD BANNED IN GERMANY

     

     


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.