Lessons in Trust and Malicious Code from the Staatstrojaner
Since it is Halloween we will beat an undead horse in our blog today. Zombies are all the fashion both in literature and on your computer. The question is: Are all zombies alike? Are there good and bad zombies, or only bad ones? How can you distinguish between good and evil intentions if all you got is a compromised system?
It all boils down to trust, and the zombie in question is (again) the German Federal Trojan („Staatstrojaner“). The German magazine Telepolis published an article that compares the statement of Jörg Ziercke, the head of the German Federal Criminal Police Office (Bundeskriminalamt or BKA), to the words of Rudyard Kipling’s python Kaa. The basis for this analogy is Mr. Ziercke’s claims, which stem from leaked notes of his speech before the commission of the German parliament where the state-sponsored malicious software was discussed. The Telepolis article focuses on the issue of trust and on the mechanism that allows the malware to download additional code once it is installed and to manipulate data on the target system arbitrarily. The relevant passage in the text translates as follows:
„…The update mechanism assures the security and the functionality of the Quellen-TKÜ-Tool [the Trojan horse used for eavesdropping on communication at the source]. It guarantees that the surveillance tasks mandated by the court order can be put into effect without interruption. Any speculation about illegal activities by use of the update mechanism performed by government authorities is totally unfounded. This fundamental distrust would mean that any means undertaken by the police is suspect of manipulation: incorrect observation protocols, planted pieces of evidence during searches for drugs, adding a couple of kilograms [of drugs], suppressed witness statements, etc. Whoever has this picture of a police in a lawless state in mind can surely not live in Germany.“
While we won’t delve into a political discussion (the original article quotes cases where the German BKA really did fake evidence), we can concentrate on the issue of trust and discuss the implications for security. In essence we have a tool that can be used to compromise and remotely control a computer system. By using the control channel you can inject arbitrary code modules and you can modify any data on the target system. Since all of this is done without the owner’s consent or even knowledge, we have all the signs and symptoms of a thoroughly untrusted system. Your system is basically a zombie. If you extend the C&C to handle lots of clients and use suitable attack/infection vectors, you have a botnet. Talking about trust at this point makes no sense at all. You have a compromised system, and from the standpoint of a security administrator there is no trust any more. It doesn’t matter who did the compromise, and it doesn’t matter what the intention was. The damage has been done. There is no way to reinstate a trust relationship.
Security researchers have tried this argument in other scenarios. A few years ago there was a discussion about worms that automatically propagate, attack vulnerable systems and patch them. While the intention is very honourable, it’s still a breach and a compromise. The very same applies to the Backdoor:W32/R2D2.A malware. It is an attack tool to compromise systems and manipulate data. There is no other way to see it. Or what would you think if you came home and found the locks of your apartment door breached and manipulated?