Now whilst we wouldn’t quite expect that kind of oppressive behaviour from a country like Germany, they do seem to have a law enforcement monitoring trojan which is pretty nasty.

The trojan was initially examined by the infamous hacking group from Germany itself – Chaos Computer Club (CCC) and was apparently first discovered by Kaspersky Lab.

A Trojan used by German law enforcement authorities to intercept Internet phone calls is capable of monitoring traffic from 15 programs, including browsers and instant messaging applications.

The discovery was made by malware analysts from antivirus vendor Kaspersky Lab, who took apart the so-called lawful surveillance software, dubbed 0zapftis, Bundestrojaner or R2D2 by the security community. The Trojan was initially analyzed by famous German hacker collective the Chaos Computer Club (CCC), which determined that Skype is one of its targets.

The Trojan’s installer deploys five components, each with a different purpose, and Kaspersky has analyzed all of them, said Tillmann Werner, a security researcher with Kaspersky in Germany.

“Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows,” he said. “Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.”

The trojan seems quite complex and technically quite adept – it had the capability to deploy various components in both 32-bit and 64-bit Windows operating systems.

It can infect 15 different applications, most of which are quite commonly found and prevalent on the majority of Windows based machines. Instant messaging (IM) software such as MSN Messenger, Yahoo! Messenger, Skype are covered and the major browsers (IE, Firefox and Opera).

It’s surprising to see Chrome is not in the list, it could be an editorial exclusion or it could just be the fact that Chrome is in fact pretty secure and they weren’t able to hijack it successfully.

The list of targeted applications includes major browsers, including Internet Explorer, Firefox and Opera, as well programs with VoIP and data encryption functionality, including ICQ, MSN Messenger, Yahoo Messenger, Skype, Low-Rate VoIP, CounterPath X-Lite and Paltalk.

On 32-bit Windows systems the Trojan uses a kernel-mode rootkit that monitors targeted processes and injects rogue libraries into them. However, on 64-bit platforms, the system driver is much more basic and only serves as an interface to modify registry entries or the file system.

Furthermore, it is signed with a certificate that isn’t trusted under Windows by default. This means that deploying the Trojan requires user confirmation, which might not necessarily be a problem for authorities, because they reportedly install it during border searches or similar interventions.

Kaspersky said its products detected the Trojan installer heuristically even before a sample was analyzed and signatures were added for it. However, those tools may not help if outsiders can manually add an exception in the program. Computer users can prevent outsiders from doing this by using a password to protect their antivirus configurations, and most products offer this option.

It seems though the trojan isn’t intended to be spread over the Internet or via networks, or in fact any self-propagating method. Which is good…

The law enforcement agency would plant the trojan during a raid/border search or so on. It certainly does seem effective, but then again Kaspersky detected it as malware before they even added a signature for it – which makes me suspect it could well be using components from other pre-existing malware.

We did report on what probably became this project back in 2008 when it first started – German Police Creating Law Enforcement Trojan.

Source: Network World

Malware authors are getting sneaky again, in the latest turn of events they have started encrypting your files and holding them at ransom!

You have to pay up to get the ‘decryptor’ and get access to your files again. This is pretty dangerous…and cunning too. It’s not easily broken either, they are using RSA 1024-bit encryption!

Kaspersky Lab found a new variant of Gpcode, a dangerous encryptor virus has appeared, – Virus.Win32.Gpcode.ak. Gpcode.ak encrypts files with various extensions including, but not limited, to .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more using an RSA encryption algorithm with a 1024-bit key.

Kaspersky Lab succeeded in thwarting previous variants of Gpcode when Kaspersky virus analysts were able to crack the private key after in-depth cryptographic analysis. Their researchers have to date been able to crack keys up to 660 bits. This was the result of a detailed analysis of the RSA algorithm implementation. It has been estimated that if the encryption algorithm is implemented correctly, it would take 1 PC with a 2.2 Ghz processor around 30 years to crack a 660-bit key.

It’s pretty smart going after the files that users are most likely to value, I was surprised to see .cpp and .h in there, but I guess the malware being written by programmers they would see those files as valuable too.

I wonder if Kasperky will be able to bust open this 1024-bit private key, so far they haven’t and honestly – I’m not hopeful.

At the time of writing, Kaspersky researchers are unable to decrypt files encrypted by Gpcode.ak since the key is 1024 bits long and they have not found any errors in implementation yet. Thus, at the time of writing, the only way to decrypt the encrypted files is to use the private key which only the author has.

After Gpcode.ak encrypts files on the victim machine it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.

So watch out (not that I need to tell you guys) and make sure your non-savvy friends understand the dangers of surfing carelessly and downloading nonsense without checking the source properly.

Having your important files end up in an encrypted container isn’t pretty…yes you could have some back-up system in place, but what’s the chance of you spotting the files before your backup runs? After that you are just backing up the encrypted files anyway..

Source: Net Security