About two weeks ago word got out that the Chaos Computer Club got their hands on what they identified as a German state-sponsored trojan. The initial analysis assumed that the trojan would only run on 32-bit Windows systems and we reviewed a software that detects the trojan on systems.

Two weeks later things have changed considerable. Several German states acknowledged that the backdoor was used by German police forces to spy on communication software installed on computers. According to the news, spyware programs were in use since 2009.

The initial analysis of the contents was far from complete. Security experts at F-Secure and Kaspersky posted the results of their analysis recently which offer a more detailed view of the malware's capabilities.

Kaspersky discovered that the trojan installer supports both 32-bit and 64-bit Windows operating systems. Experts previously assumed that only 32-bit systems could be targeted by it.

The second finding is a list of applications that the trojan has been designed to monitor. This list is larger than the initial list that the Chaos Computer Club published. A total of 15 applications are listed, including Firefox, Explorer, Opera, Skype, Microsoft Messenger, ICQ and Yahoo Messenger.

The trojan injects code into those processes:

Code injection into target processes is carried out by the dropper, two user-mode components and also a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications. This new driver starts an additional thread that constantly loops over the current list of running processes and injects a DLL into each whose image name matches an entry from the following list:

The 64-bit Kernel driver is limited in its functionality compared to the 32-bit component.

Contrary to the 32 bit version, the 64 bit driver does not contain any process infection functionality but only provides a rudimentary privilege escalation interface through file system and registry access. Similar to its brother, it creates a device and implements a basic protocol for communicating with user-mode applications.

Kaspersky identified the a 1024 bit RSA certificate issued by Goose Cert on April 11, 2010.

The F-Secure blog has more information on how the backdoor was installed on target systems.

In one case, the trojan was installed on a suspect's laptop while he was passing through customs & immigration at the Munich International airport.

The existence of a 64-bit component, the monitoring of additional processes and information on how the trojan was installed on systems confirms that there has been more to that state sponsored trojan than initially assumed. The majority of security software available should detect the backdoor by now.

Advertisement