European hacking group Chaos Computer Club (CCC) claims to have successfully reverse engineered samples of the German police's lawful-intercept malware, known as Quellen-TKÜ, and found that besides eavesdropping on Skype conversations it also captures screenshots and logs keystrokes.
The trojan was first disclosed in court documents from 2007 and was designed with the primary task of helping the German police overcome Skype encryption where an intercept warrant had been granted by a judge. The German government endorsed the use of Quellen-TKÜ only to lawfully wiretap internet communications, but the hacker group's analysis of the several samples it received shows the malware goes well beyond that intended use.
The analysis showed that Quellen-TKÜ was built from the outset to receive uploaded data, contained remote code execution capability and was capable of using attached devices such as microphones and webcams for surveillance. "The design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer," CCC said in a statement released on its website.
"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system," the group commented.
CCC's investigation also found the malware to be poorly secured. The security level this trojan leaves infected systems in is comparable to setting all passwords to '1234', the group said. Screenshots and audio files meant to be sent to the authorities were weakly encrypted before passing through U.S. data centers. Meanwhile, the commands sent from the control software used by the authorities to direct the trojan were completely unencrypted, which could allow a third party to take control of the infected computer or to send falsified information back to the authorities.
Security vendor Sophos yesterday confirmed the findings and said the trojan could also be used to intercept communications over the Skype, MSN and Yahoo messenger services. Sophos also confirmed that it could log keystrokes typed into the Firefox, Opera, Internet Explorer and SeaMonkey browsers, take screenshots and record the audio of Skype calls.
Sophos was keen to point out that although it was able to confirm the group's analysis was correct, it is impossible to know for certain whether the additional capabilities had been written with the consent of the German government.