Analysis of Governmental Malware
There is a ongoing discussion about the use of malicious software for criminal investigations. German and Austrian agencies use the term „Online-Durchsuchung“ (online search) or „Quellen-Telekommunikationsüberwachung“ (source telecommunications surveillance) for investigative measures that cover the source of telecommunication messages (which is usually a suspect’s computer or telephone). In context with malicious software used for this purpose the unofficial term „Bundestrojaner“ (federal trojan horse) was coined. On 27 Februar 2008 the German Federal Constitutional Court ruled that the online search and Internet surveillance rules violate the German constitution and have to be reviewed (you can read the explanation of the Court in German here). Yesterday the Chaos Computer Club (CCC) published a detailed analysis of a „lawful interception malware“. The results have a profound impact on security since the design of the malware allows attackers to exploit the communication channel and completely subvert the purpose of the code.
The software consists of a dynamic link library (DLL) communicating with a hard-coded command & control server. It is a kernel module, and it does not try to camouflage itself. The DLL was only in 32-bit code and not signed. A 64-bit variant may exist. Sophos has already issued the signature and description Troj/BckR2D2-A. The C&C server is was hosted at a server farm of Web Intellects in Columbus, Ohio. The protocol uses port 443/TCP, but it does not use SSL/TLS. A custom designed protocol is used for communication which has some serious weaknesses.
- It uses AES with ECB mode.
- There are no session keys. There is only one hard-coded key for AES encryption (published in the CCC evaluation document).
- The agent encrypts data to the C&C server, but the C&C server does not encrypt commands sent to the client. Commands are sent in clear text.
- The communication protocol does not use any authentication except for a banner string (C3PO-r2d2-POE).
Gathering from these facts it is certain that this protocol can be attacked, hijacked and exploited by almost any attacker. The software offers a method of sending additional code modules to the client, so that the capabilities of the agent can be modified. Combined with the weak communication protocol attackers can easily detect and compromise systems. By itself Troj/BckR2D2-A can
- eavesdrop on communication routed by Skype (including recording of Skype audio calls), MSN Messenger & Yahoo! Messenger,
- take screenshots and send them to the C&C server,
- received, store and execute code/data and
- log keystrokes .
Since the CCC got the code from an anonymous source there is no proof that Troj/BckR2D2-A is really the or a „Bundestrojan“ – yet. Nevertheless the code illustrates that it is malicious software regardless of the original intent. Sophos has explained that they had no other choice than to add the signature of the code and label it trojan and backdoor: „If the authorities want us to not detect their malware, the onus is on them to try to write something that we can’t detect, not for us to cripple our software.“ When it comes to terms of securing your infrastructure (no matter as a person, company or any other organisation), then there really is no „good malware“. Every malicious software exploits and introduces weaknesses into your collection of security measures. If you turn a blind eye to a single attack vector, your risk for compromise increases.
We like to discuss the implications of Troj/BckR2D2-A at DeepSec 2011. If you have some more code to analyse, bring it, too.