State-Sponsored Malware Revealed in Europe
Europe's largest “white hat” hacker group, the Chaos Computer Club (CCC), recently reverse engineered and analyzed an anonymously submitted malware program. Nothing out of the ordinary for security researchers. However, to its surprise, the group discovered this particular malware was commissioned by German police and used to spy on German citizens.
As if state-sponsored eavesdropping were not enough, this malware has also been found with remote control or backdoor functionalities that enable the uploading and executing of other programs, including the siphoning of personal data. Most concerning is the news that a laptop had the malware added by the German authorities when the user passed through customs at an airport.
This is not the first time German government agencies have been caught in the act of citizen surveillance, although legislation passed in February 2008 stated that wiretapping would only be permitted with a court order. Many other countries, including the US, have similar rules. The German action followed the leak, via Wikileaks, of documents revealing that the Bavarian police had commissioned the home-based security firm DigiTech to design a Trojan for its own use.
What the CCC report and others show is that the Trojan program, Backdoor:W32/R2D2.A (also known as 0zapftis), was being used to go much farther than plain wiretapping.
There is a feeling of déjà vu about this story, especially as F-Secure Corp. chief researcher Mikko Hypponen has stated that his company has never been asked by any government to avoid detecting its backdoors or botnets. But there is a moral dilemma here: What should security researchers do if asked by a government to ignore malware they have detected?
So with several German states admitting their use of the program and suggestions that the Dutch government bought it, there can be little doubt of the spy software’s extensive use.
These are very murky waters. The Wall Street Journal recently reported about spy technology sold by the West that helped Gadhafi spy on Libyan citizens. Meanwhile, the UK firm Gamma International denied in a BBC Radio program that it supplied its FinFisher (digital intrusion) product to the former Egyptian government, despite invoices and Gamma International paperwork being discovered.
It also is known that this toolkit, based on a rip-off of a well-known cybercrime exploit kit, is used globally by regimes many would view as oppressive to penetrate PCs and computer systems. And perhaps for the first time, it appears FinFisher may have cost the lives of a few of those who were intruded upon, as one Egyptian opposition spokesman pointed out to the BBC.
The EU parliament recently approved the banning of spyware exports to repressive regimes amid concerns about new technologies used to repress citizens. However, there are no military bans for online digital weapons -- further evidence of the failure of many governments to keep pace with technology. Some governments may also be heavily influenced by the lobbying of their intelligence agencies.
The FBI, for example, was one of the first to have a tool specially designed for intelligence purposes. Carnivore, a packet sniffer, was used extensively between 1997 and 2005 to monitor suspicious traffic and has since been replaced with newer technologies, including Redwolf. The Electronic Frontier Foundation has stated that the FBI has been known to “mislead” the courts about levels of its digital surveillance activities.
Meanwhile, a recent letter from Senators Ron Wyden and Mark Udall to Attorney General Eric Holder suggests that the public is totally unaware of the true nature of government surveillance.
The use around the globe of remote forensic tools for surveillance is extensive and challenges traditional legislation. Even when that legislation exists, it is clear that it’s now not only the cybercriminals who pay little attention to the rules. Those involved in enacting and supplying state-sponsored surveillance walk a tightrope until a public outcry wobbles the rope.
Ultimately, although we can debate about our civil rights or whether it is reasonable for malware, botnets, DDoS, data hacks, and the gamut of cybercriminal tools to be extensively utilized by our governments and law enforcement agencies, how far do we go in assuming that each and every one of those is used with righteous intent? Who decides? And where is the rule of law?