Quellen TKÜ sunk by CCC
>The largest European hacker club, “Chaos Computer Club” (CCC), has reverse engineered and analyzed a “lawful interception” malware program used by German police forces. It has been found in the wild and submitted to the CCC anonymously. The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs. Significant design and implementation flaws make all of the functionality available to anyone on the internet.
Even before the German constitutional court (“Bundesverfassungsgericht”) on February 27 2008 forbade the use of malware to manipulate German citizen’s PCs, the German government introduced a less conspicuous newspeak variant of the term spy software: “Quellen-TKÜ” (the term means “source wiretapping” or lawful interception at the source). This Quellen-TKÜ can by definition only be used for wiretapping internet telephony. The court also said that this has to be enforced through technical and legal means.
The CCC now published the extracted binary files  of the government malware that was used for “Quellen-TKÜ”, together with a report about the functionality found and our conclusions about these findings . During this analysis, the CCC wrote its own remote control software for the trojan.
The CCC analysis reveals functionality in the “Bundestrojaner light” (Bundestrojaner meaning “federal trojan” and is the colloquial German term for the original government malware concept) concealed as “Quellen-TKÜ” that go much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court. The trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an “upgrade path” from Quellen-TKÜ to the full Bundestrojaner’s functionality is built-in right from the start. Activation of the computer’s hardware like microphone or camera can be used for room surveillance.
The analysis concludes, that the trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court. On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.
“This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired,” commented a CCC speaker. “Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”
The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified “evidence” against the PC’s owner, or to delete files, which puts the whole rationale for this method of investigation into question.