(I apologise in advance for awkward language and formatting. The former is because I'm German, the latter I'll blame on community server. Or vice versa. I'm not sure yet.)
Hey, have you heard of the Bundestrojaner? You know, the piece of spyware commissioned by the German government to aid in police work (i.e. to spy on people suspected of criminal behaviour)? Oh, don't be silly, of course you have.
Well, it seems our friends at the Chaos Computer Club have gotten hold of it and done some analysis, and they did... really not like what they saw. Turns out that in addition to being brazenly illegal, the whole thing appears to have been written by a high school student over the course of an afternoon. The report is all in German, sadly, but here are some of the highlights for you silly foreigners:
- They seem to have judged HTTPS to be insufficient for their purposes and created some kind of homebrew communication protocol. So all it takes to completely neuter it is a firewall rule.
- The IP of the command and control server is hardcoded. It's 207.158.22.134, if you're curious. No, that's not a German IP. It's in Ohio, evidently.
- There is an authentication channel and everything, but the password is - you guessed it - hardcoded. It's C3PO-r2d2-POE, which kind of makes it even worse.
- Wait, did I say a password was required for issuing commands? No, it's not. The password is only used for answers from the trojan. If you want to issue commands (or hijack the trojan), you... pretty much have to know that it's running on the target machine, and... uhm, that's it.
- The trojan does use AES encryption for its responses, but it's painfully obvious that this was only done to tick the box on the requirements chart. To wit: the key is always the same (and hardcoded) without such luxuries as "session IDs"; commands sent to the trojan do not need to be encrypted (again, only responses are in any way protected) and, oh, due to the broken implementation, identical input always leads to identical output. My crypto-literate friends tell me this is bad.
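That last point (one fixed key, no session IDs, identical input giving identical output) is what a block cipher does when it is used deterministically. The following Go code is an added example, not the trojan's code or anything from the CCC report: AES in ECB mode under a fixed key next to CBC with a fresh random IV, so you can compare the output blocks yourself. The key and message are constructed stand-ins, and ECB is an assumption about the mode; the report's wording only says identical input yields identical output.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed stand-in for a fixed, hardcoded key (not the trojan's real key).
var hardcodedKey = []byte("0123456789abcdef")

// pkcs7Pad returns data padded up to a whole number of AES blocks.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// encryptECB encrypts every block independently under the same key: equal
// plaintext blocks give equal ciphertext blocks and the whole output is
// deterministic, so an observer on the wire can spot repeated messages
// without ever knowing the key.
func encryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct, nil
}

// encryptCBC prefixes a fresh random IV, so the same message under the same
// fixed key still encrypts differently on every call and blocks do not repeat.
func encryptCBC(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := pkcs7Pad(plaintext)
	out := make([]byte, aes.BlockSize+len(pt))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], pt)
	return out, nil
}
```

Encrypt a message made of repeated 16-byte status lines with both functions and compare the 16-byte blocks: the ECB output repeats wherever the plaintext repeats and is byte-identical across runs, while the CBC output differs on every run.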
So what would you have to know to conduct an attack? Let's say, hijack a machine running this? Well:
- You have to know the machine is running it
- You have to know the name of the command that downloads and installs software (it's \x0e)
... and yeah, that's it, actually. If you speak German, I highly recommend reading the report. At least... at least it's easy to detect and remove the Bundestrojaner, I guess?