Hamburg - Antivirus software developer Kaspersky reports that it has made a significant discovery while analysing another version of the German government surveillance programme. The programme, which was evidently developed by DigiTask, can spy on more applications than the Bavarian Trojan identified by the Chaos Computer Club hacking group, and the malware apparently also runs on more recent operating systems. The lawyer representing DigiTask told Spiegel Online that the company had indeed developed the software, but declined to say when and to whom the spyware was supplied.
"We are aware of this version," said Frank Rieger from the Chaos Computer Club (CCC). "However, as yet we have no concrete evidence of where this spyware may have been used and therefore we have refrained from going public." According to the CCC, the malware programme it discovered is insecure and basically makes it possible to put a computer under complete surveillance (1). For this reason, the Bundestag discussed the issue no less than three times on Wednesday [19 October].
It seems that an unknown person uploaded the new malware programme to the virustotal.com platform several times between December 2010 and October 2011. The site allows suspicious files to be scanned with many antivirus engines, and antivirus manufacturers use it as a source of information on new threats. Helsinki-based F-Secure was the first company to establish a link between the uploaded files and the government spyware programme.
New Trojan Horse Can Also Monitor Web Browsers
F-Secure established the connection (2) from, among other things, the name of an installer file: "scuinst.exe," which stands for "Skype Capture Unit Installer". This is the name of a surveillance programme described in a document from the Bavarian Ministry of Justice that provides a breakdown of costs for the spyware. At the time, the Bavarian Justice Ministry did not confirm that the document was genuine, but neither did it clearly identify it as a fake.
In addition, the software Kaspersky examined uses the same code to encrypt communication with the control server (3), and the key is embedded in the binary itself rather than negotiated per deployment. "It has the same integrated key as the Bavarian Trojan horse," says Frank Rieger. In the past three years, Bavaria deployed the spyware 25 times, while it has apparently been used approximately 100 times at the national level. The authorities say the software is customized to comply with legal requirements.
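A shared embedded key is exactly the kind of constant analysts use to tie samples to one family, as F-Secure and Kaspersky did here. The following is an added example, not code from Kaspersky, F-Secure, the CCC or DigiTask: it takes a set of binaries and reports byte runs that every sample contains verbatim, which is how one would confirm a claim like "same integrated key" across two builds. The key value, the sample layout and the file names are constructed placeholders; the real DigiTask key is not on this page and is not reproduced.

```python
"""Link suspected malware samples by constants they share.

Added example, not code from Kaspersky, F-Secure or the CCC. The key and the
samples below are constructed placeholders, not the real DigiTask binaries.
"""
import hashlib


def ngrams(data: bytes, n: int) -> set:
    """Every length-n byte window of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_runs(samples: dict, n: int = 8, min_len: int = 16, min_distinct: int = 8) -> list:
    """Maximal byte runs of at least min_len that occur verbatim in every sample.

    Windows of n bytes common to all samples are found first; adjacent common
    windows in the first (reference) sample are merged into runs, and each run
    is then confirmed to occur contiguously in every other sample. Runs with
    fewer than min_distinct byte values (zero padding, empty tables) are dropped
    because they link nothing.
    """
    names = list(samples)
    ref = samples[names[0]]
    common = ngrams(ref, n)
    for name in names[1:]:
        common &= ngrams(samples[name], n)

    runs, start = [], None
    for i in range(len(ref) - n + 1):
        if ref[i:i + n] in common:
            if start is None:
                start = i
        elif start is not None:
            runs.append(ref[start:i - 1 + n])  # last common window began at i-1
            start = None
    if start is not None:
        runs.append(ref[start:])

    return [r for r in runs
            if len(r) >= min_len
            and len(set(r)) >= min_distinct
            and all(r in samples[name] for name in names[1:])]


# Constructed placeholder for the embedded key; the real key is not on this page.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def filler(label: str, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for code that differs per build."""
    out, counter = b"", 0
    while len(out) < size:
        out += hashlib.sha256(f"{label}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


def build_sample(label: str) -> bytes:
    """Constructed sample: per-build code, the shared key, more code, a zero table, more code."""
    return (filler(label + "-a", 200) + SHARED_KEY + filler(label + "-b", 150)
            + bytes(64) + filler(label + "-c", 100))


# Constructed stand-ins for the two builds discussed in the article.
SAMPLES = {
    "bavarian_trojan.dll": build_sample("bavaria"),
    "virustotal_upload.exe": build_sample("vt-upload"),
}

if __name__ == "__main__":
    for run in shared_runs(SAMPLES):
        print(f"{len(run)}-byte constant shared by all samples: {run.hex()}")
```

With the constructed samples the only reported run is the placeholder key (the 64-byte zero table is shared too, but is discarded as low-variety). On real binaries the same scan also surfaces shared code, strings and library tables, so a hit is a lead to verify, not proof on its own; a constant that decrypts the C2 traffic of both samples is what turns it into the finding the article describes.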
Kaspersky's technicians believe they are dealing with the "big brother" of the government spyware investigated by the CCC, which, according to the district court of Landshut, was used for unlawful surveillance in Bavaria. The new edition differs from the CCC version on the following points:
- The state spyware analysed by Kaspersky also runs on 64-bit versions of Windows. Unlike the version investigated by the CCC, its "big brother" carries a digital signature.
- According to Kaspersky, the new version monitors more programmes than the Trojan examined by the CCC.
State Spyware Also Targets Web Browsers
Kaspersky identified a total of 15 programmes monitored by the Trojan, including:
- Web browsers: Opera, Firefox, and Internet Explorer
- SimpPro encryption programme for chat clients
- Voice over Internet Protocol (VoIP) programmes: X-Lite, VoipBuster, LowRateVoip, Skype, and Sipgate X-Lite
- Chat clients for services like ICQ, MSN, and Yahoo Messenger
In particular, the surveillance of web browser activity could make the use of this software unlawful, because the framework for so-called "source telecommunication surveillance" only allows investigators to wiretap telecommunications as they occur. For example, when someone types an email in a browser window and the state spyware records this process with a series of screenshots, this is illegal: for as long as the email remains unsent, the person under surveillance has not communicated.
Remote Online Searches Only in Exceptional Cases
In such cases, it is very easy for surveillance to slide into a remote online search of the computer, which the Federal Constitutional Court (4) severely restricted in its ruling on the so-called basic computer right. The Federal Office of Criminal Investigation (BKA) and investigators in Rhineland-Palatinate and Bavaria may only conduct such searches under strict conditions.
The Federal Constitutional Court ruled that such a search is permitted only when there is factual evidence of a concrete danger to life, limb or individual freedom, or to such "interests of the public, a threat to which affects the basis or continued existence of the state or the basis of human existence."
The software Kaspersky has now analysed indicates that state spyware programmes with functions going beyond source telecommunication surveillance are more widespread than previously thought. There are several possible explanations for this. The software examined by Kaspersky:
- was used by investigators in the context of a remote online search;
- was used for source telecommunication surveillance, but was able to do more than permitted in such circumstances - like the state Trojan already deployed in Bavaria;
- was not used by German investigators and was uploaded onto the virustotal.com website for as yet unknown reasons. Besides the German federal and state authorities, DigiTask also supplied the Trojan spyware to Austria, Switzerland, and the Netherlands.
If the software under scrutiny was deployed for source telecommunication surveillance, then it calls into question the explanations offered so far for the Bavarian case. State politicians and law enforcement authorities have maintained that there was no single state spyware programme: the software was ordered on a case-by-case basis, according to the surveillance conditions set out by the court.
Do State Spyware Programmes Go Beyond Legal Guidelines by Default?
If more state spyware programmes that routinely monitor beyond the legal guidelines were now to surface, the explanation that the Bavarian case was an exception would no longer be tenable. It remains unclear how investigators and spyware providers collaborate on these projects. According to Spiegel Online's sources, a closed meeting of the domestic affairs committee revealed that the federal authorities had had no access to the source code of the spyware programme they used. The Bavarian case was not specifically discussed.
Last week, the Federal Chancellery's Intelligence Services Coordinator Guenter Heiss told the Stuttgarter Nachrichten that the state authorities had purchased "multi-functional template programmes" from the relevant suppliers, and that these templates had more features than is legally permitted. "Each surveillance programme is customized for the system the authorities want to penetrate," said Heiss. "Therefore, it is not just this Trojan horse that is used and that can do everything, thus falling outside the law."
Asked which law enforcement agencies this applied to, the Federal Chancellery replied that "Herr Heiss' comments leave nothing to add."
(4) http://www.spiegel.de/netzwelt/netzpolitik/0,1518,791477-3,00.html [in German]