[Image caption: The trojan eavesdrops on anything on this list]

Virus analysts at Kaspersky Labs have discovered a new version of a trojan written for the German government by Digitask. It supports 64-bit versions of Windows and is able to monitor many more applications. The "big brother" of the trojan analysed by the Chaos Computer Club (CCC) is made up of five files. They were found in an installation program by the name of scuinst.exe (Skype CaptureUnit Installer), recently detected by F-Secure.

In addition to Skype, the list of processes monitored by the trojan includes other voice over IP applications, browsers, and email and instant messaging clients. The full list is:

explorer.exe
firefox.exe
icqlite.exe
lowratevoip.exe
msnmsgr.exe
opera.exe
paltalk.exe
simplite-icq-aim.exe
simppro.exe
sipgatexlite.exe
skype.exe
skypepm.exe
voipbuster.exe
x-lite.exe
yahoomessenger.exe

The researchers also discovered a 64-bit driver signed using a certificate issued by fictitious CA Goose Cert; 64-bit versions of Windows will not load unsigned drivers. A normal copy of Windows will not accept the fake certificate, meaning that the installation process also has to modify Windows' certificate store – how it does this is not yet known. It is, however, becoming increasingly clear that anti-virus software is not going to be able to protect users from state-sponsored trojans of this type. Anyone with the capability to modify the certificate store is unlikely to have too much difficulty bringing obstreperous anti-virus software into line.

The Digitask development team also seems to have cribbed additional rootkit techniques and, in addition to the familiar AppInit technique, appears to have implemented a new method of activating the trojan library with the target process' privileges.
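The two preceding paragraphs name three places on a Windows machine that this kind of trojan has to touch: the AppInit_DLLs registry value, the trusted root certificate store (so that a driver signed by an invented CA such as "Goose Cert" will load), and the set of loaded kernel drivers. The script below is an added example written for this page; it is not code from the article, from Kaspersky or from Digitask. It is a read-only audit of those three points. It assumes an elevated PowerShell 3.0 or later session and a file of root-CA thumbprints (the hypothetical `root-baseline.txt`) exported earlier from a known-good machine of the same Windows build; nothing else is taken from the article beyond the three locations it describes.

```powershell
# Added example (not from the article, Kaspersky or Digitask): read-only audit of the
# three locations the article describes. Needs an elevated PowerShell 3.0+ session.
# Assumption: $BaselineFile was produced on a known-good machine with
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint |
#       Set-Content .\root-baseline.txt
param(
    [string]$BaselineFile = '.\root-baseline.txt'   # hypothetical path, adjust as needed
)

$findings = @()

# 1. AppInit_DLLs: every DLL named here is mapped into each process that loads user32.dll,
#    which is what gives an injected library the target process' privileges.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    if ($props.AppInit_DLLs) {
        $findings += "AppInit_DLLs set under ${key}: '$($props.AppInit_DLLs)' (LoadAppInit_DLLs=$($props.LoadAppInit_DLLs))"
    }
}

# 2. Trusted root store: a driver signed by a CA Windows does not ship with can only load
#    if that CA was planted here, so diff the store against the baseline.
$baseline = @()
if (Test-Path $BaselineFile) {
    $baseline = Get-Content $BaselineFile
} else {
    Write-Warning "No baseline at $BaselineFile; every root certificate will be reported"
}
foreach ($root in Get-ChildItem Cert:\LocalMachine\Root) {
    if ($baseline -notcontains $root.Thumbprint) {
        $findings += "Root CA not in baseline: $($root.Subject) [$($root.Thumbprint)]"
    }
}

# 3. Loaded kernel drivers: report files with an invalid/missing signature and signed
#    files whose chain ends in a root that is not in the baseline. Note that Microsoft's
#    own drivers are usually catalog-signed; Get-AuthenticodeSignature resolves catalogs
#    on current Windows versions, so they should report 'Valid'.
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' -and $_.PathName }
foreach ($drv in $drivers) {
    # Normalise the NT-style paths WMI reports (\??\C:\... or \SystemRoot\...)
    $path = $drv.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "Driver $($drv.Name) at ${path}: signature status $($sig.Status)"
        continue
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($sig.SignerCertificate)
    $rootCert = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($baseline -notcontains $rootCert.Thumbprint) {
        $findings += "Driver $($drv.Name) chains to a root not in baseline: $($rootCert.Subject) [$($rootCert.Thumbprint)]"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The baseline is what makes the root-store check meaningful: a list of "all roots" on an unknown machine tells you little, while "roots that a clean install of this build does not have" is a short list worth reading one entry at a time. The driver check is deliberately conservative and reports chains rather than names, because a planted CA can issue a certificate with any subject it likes.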

(crve)