
German Federal Trojan Eavesdrops on 15 Applications
October 19, 2011 — IDG News Service — A Trojan used by German law enforcement authorities to intercept Internet phone calls is capable of monitoring traffic from 15 programs, including browsers and instant messaging applications.
"Amongst the new things we found in there are two rather interesting ones: Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows," he said. "Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various elements is 15 in total."
The list of targeted applications includes major browsers, including Internet Explorer, Firefox and Opera, as well as programs with VoIP (Voice over Internet Protocol) and data encryption functionality, including ICQ, MSN Messenger, Yahoo Messenger, Skype, Low-Rate VoIP, CounterPath X-Lite and Paltalk.
On 32-bit Windows systems the Trojan uses a kernel-mode rootkit that monitors targeted processes and injects rogue libraries into them. On 64-bit platforms, however, the system driver is much more basic and only serves as an interface to modify registry entries or the file system.
Furthermore, it is signed with a certificate that isn't trusted by Windows by default. This means that deploying the Trojan requires user confirmation, which might not necessarily be a problem for authorities, because they reportedly install it during border searches or similar interventions.