Gulli.com invited me for an interview for their online news portal and asked some questions about the Skype trojan, trojans in general etc. Enjoy and of course leave comments.
Superintendent trojan – A programmer speaks out
For about seven years, Ruben Unteregger has worked as a software engineer for the Swiss company ERA IT Solutions. His job there was to code malware that would allow invading the PCs of private users. ERA IT Solutions is said to be involved in particular in constructing trojans which allow the wiretapping of VoIP calls. If he doesn’t want to pay a penalty for breach of contract, he has to remain silent about the customers of the company. Simultaneously with this interview, Mr. Unteregger wants to publish the source code of his trojan and make it available to the public.
ghandy/gulli.com: Please introduce yourself to our readers.
Ruben Unteregger: My name is Ruben Unteregger, I’m 33 years old and a sysadmin and programmer. I’m in my sabbatical.
ghandy/gulli.com: According to Wikipedia, the Swiss company ERA IT Solutions is said to have been participating in the development of a trojan to wiretap VoIP conversations since 2006. Is this right?
Ruben Unteregger: After the Swiss “Sonntagszeitung” had published a news article in October 2006 about a trojan which would allow the wiretapping of secure Skype conversations and that the UVEK (Departement für Umwelt, Verkehr und Kommunikation) had already shown interest in it, the public wanted to know more. The news that the state wanted to use technologies which until this time were only known from a negative context and used by cyber criminals caused a lot of discussion and a need for clarification. ERA IT Solutions AG then confirmed the existence of such software in an interview.
ghandy/gulli.com: You say that while you worked for ERA IT Solutions under consignment of the German Federal Police (Bundeskriminalamt/BKA) you were entrusted with the development of a trojan. How did you get in touch with this company?
Ruben Unteregger: If I had said it this way, the ice under my feet would be cracking heavily. I have a secrecy agreement with ERA IT about the work on the wiretapping software. This is not uncommon when sensitive data and information is involved in projects. I haven’t said that there was a cooperation between ERA IT and the BKA. According to news articles the BKA was searching for people with relevant expertise, which leads to the conclusion that they were also working on their own trojan project.
From 2001 till 2008 I was working for ERA IT and was primarily assigned to customer projects in the private sector. There was a normal employee/employer relationship between me and ERA IT.
ghandy/gulli.com: Obviously there’s not only one trojan but at least one for each operating system. Or how else should I imagine this? On your website there is already the separation between “MiniPanzer” and “MegaPanzer“.
Ruben Unteregger: Trojans differ from good-natured software in that they execute a damage routine along with the program. Otherwise both are “only” programs. Let’s take a concrete example: logically, a trojan consists of two components.
The basic program: This could be any desired program like Notepad.exe, an arcade game like “Moorhuhn”, etc.
The damage-routine: The malicious code, which is executed in the background without the knowledge of the victim.
The basic program and the damage-routine are melded into one single file. When double-clicking this file, both components are executed. The Moorhuhn-Game in the foreground, visible for the victim, and the damage-routine in the background.
A basic program like Notepad, a damage routine and the welded-together product: both are still “only” programs. Double-clicking the “Notepad.exe” on a Windows machine would open the Notepad editor, as expected. If the same “Notepad.exe” file was copied to a Linux machine and executed, Linux wouldn’t know what to do with it. The binary files on Linux, Windows etc. are structured differently. It isn’t possible to write a program or a trojan which works on every operating system. Therefore a trojan, or a single program like Mozilla Firefox, must be created anew for each operating system.
MiniPanzer and MegaPanzer are trojan horses which were developed on Windows XP. The executability on Windows 2000 or Vista wasn’t tested, but I expect that they mostly work there as well.
MegaPanzer nestles itself in a system and tries to stay undiscovered. When the system is rebooted, MegaPanzer activates itself automatically in the background, without drawing attention to itself. The infected system is served interactively via a graphical interface. We deliberately abandoned black windows with cryptic content. The focus during the development was on the one hand the takeover of secure connections (HTTPS) like those which are used for e-banking. On the other hand we focused on the automatic execution of an order on the target system via a script. Attacks should be made completely automatic.
MiniPanzer is the downgraded variety. It doesn’t install itself on the target system, isn’t served interactively and only offers a reduced range of functions compared to MegaPanzer.
ghandy/gulli.com: Is it a good enough protection to use a less common operating system? How can I defeat such attacks?
Ruben Unteregger: For sure Linux and OSX users are profiting from the strong predominance of Windows, because malware programmers mainly target Windows users and therefore malware for other operating systems is neglected. But you tend to overlook that besides the classical trojans, which need to be double-clicked to execute, other methods of attack also exist. There are technologies which enjoy a huge popularity and are platform-independent, which means that they work on Windows, Linux and OSX the same way. Flash, Java, Microsoft Silverlight or Acrobat Reader are PlugIns and programs with a high prevalence rate and they can be found on the established operating systems. If an error which can give the attacker the control over the system is found in a Flash-PlugIn for Windows, chances are good that this vulnerability is also available and can be exploited in the Flash-PlugIn for Linux. It is not enough to use an exotic operating system to protect yourself from malware.
To have a strong defense against malware attacks, it is recommended that you use an antivirus software, a desktop firewall and that you follow a few codes of behaviour. The automatic updates of the operating system and the virus definitions should be activated as well. If you follow these elementary rules, you’ll be on the safe side.
ghandy/gulli.com: Are there any other companies or private individuals involved besides ERA? Can you guess how many? How much does the BKA pay for this development?
Ruben Unteregger: If you use public sources, you’ll find out that as well as ERA IT the BKA itself has worked on a trojan, which was completed at the beginning of this year. Heise wrote that a study conducted by the BKA surfaced which analysed “Online surveillance, Skype wiretapping and Chat participation of criminal-officers during the years 2006 till 2008.” I speculate that the BKA has increased their armoury of forensic software. The costs for this development should be under 200.000 Euros. If you go by the monthly salary of the two jobs advertised by the BKA and calculate how much they would cost over a fixed term of two years, it could fit. But a software solution isn’t simply there and working for three years. The environment in which software must work is alive and changing continuously and therefore also forces the software to adapt. Just take the change from Windows XP to Vista, and in October we approach the change to Windows 7. The trojan can suddenly be detected by the antivirus software or the desktop firewall. There will be further costs.
As for other companies participating in these projects the activities of the firm DigiTask have to be mentioned. DigiTask passed explosive documents to the CCC in January 2008. They also seemed to be incapable of keeping their project secret, preventing information-leaks – in the end, it simply took a bit longer than for us.
Obviously there is a lucrative market in this area which isn’t saturated at all, because due to the quickly developing technology there are always new niches and therefore new solutions are created also from private companies. It can be expected that other people will enter this market. A company like the Gamma Group which sees itself as experts in IT Intrusion and Surveillance would have an interest to get in touch with the right people.
ghandy/gulli.com: The allegations against DigiTask are quite heavy.
Ruben Unteregger: A document about the “Bayern-Trojaner” and the use for VoIP-Technology is available at Wikileaks. A further reliable German source is the CCC. The document is also hosted by the Pirate Party. On the part of Digitask, the existence of this software was never confirmed or denied. But their silence speaks for itself.
ghandy/gulli.com: If I don’t open attachments on e-mails, like PDF documents or pictures, how else can a Bundestrojaner infect my computer?
Ruben Unteregger: The ways in which trojans spread are diverse. Typical download channels are the web, e-mail or filesharing. People infect their systems by downloading a file from an unknown source, from sites with doubtful reputation and content or through seduction and deception. But also just surfing on the internet, without downloading anything, can cause an infection, if the browser of the victim has an open vulnerability and an attacker has manipulated the website which is contacted in this way. Portable media like USB memory sticks or hard drives have gained popularity. The trojan on an infected system monitors the USB ports and checks if a connected device is a USB stick; if it is, the trojan installs itself to this device, which infects another system to which the memory stick gets connected. An old method which was established during the floppy disk era.
Another realistic scenario is the injection of the trojan into the traffic of a potential victim. Let’s take the following example: we get connected to an anonymisation proxy network and pretend to be a proxy server, monitoring the traffic which flows through our system. Besides a lot of data waste there will also be data which was entered by people. At the other end of the line are also people who are waiting for this data. We can manipulate this data and foist this trojan on the other person on the line, without the person noticing. The effort to conduct such an attack is minimal. There are other ways to inject malware into data traffic. Not complicated either, and also with a good chance of success.
ghandy/gulli.com: You are planning to publish the core components of your trojan. Don’t you have to fear problems with the law? You are weakening the efficiency of the malware enormously through this publication.
Ruben Unteregger: Yes, that’s the plan. The source code of this wiretapping trojan will be published in the upcoming days. There won’t be problems about copyright, because ERA IT Solutions let me keep it. The code will be published, it will get analysed as soon as the binaries get uploaded, signature patterns will be created by antivirus companies, and the malware will be detected, blocked and deleted if it tries to infect a system.
About the details, why I keep the copyright on this, I can’t offer a statement. As already mentioned I agreed to absolute silence. You can speculate now or ask the sources directly.
ghandy/gulli.com: Why a publication of the source code under GPL?
Ruben Unteregger: I’d like to have this trojan follow the two others and the source code to be available for everybody. The source code of all tools on the homepage is available under GPL, can be downloaded, studied, modified, improved or shared. Due to the fact that everybody can look inside the code and more than one pair of eyes will be looking at it, errors, unattractiveness and defects can be discovered and communicated. Everybody who wants can study the code to understand how something works or to expand it, if a function doesn’t exist.
ghandy/gulli.com: The source-code is available here. What about collaboration between antivirus companies and secret services?
Ruben Unteregger: I don’t know if there is any kind of cooperation and how it would look. But I’m sceptical if this is true. I can’t imagine that the German BND can dictate to a company like Kaspersky from Russia what they have to block and what not. Kaspersky has 1.500 employees. If a collaboration would be proven, Kaspersky could close down their company because the trust of their customers would be completely lost.
ghandy/gulli.com: Why are you showing a video about how to plunder the bank account of a phishing victim?
Ruben Unteregger: You have to see the entire context. Some time ago we were told that e-banking is safe and it would be technically impossible to cheat the security measures used there. Until a certain point, this statement was correct. SSL encrypts the traffic, one-time passwords stop the user from using simple and easy-to-guess passwords which never change, and with a machine which sits behind a NAT router, filled with AV software and a desktop firewall, the system was expected to be safe. Phishing has proven the opposite and become a problem which caused millions of damage. The victims were perfectly cheated, stumbled into the trap in huge numbers and the phishers got rich.
The attackers became ever more professional and used new methods like drive-by-download or pharming to reach their target. They still do this with success.
They had secured the connection between customer and e-banking server with the mentioned protection measures, but other gateways were dismissed. The video demonstrates a variant of a successful attack on an e-banking session, which steps are necessary for this and which tools are used. At this point I’d like to mention that the attack was conducted against a machine inside my own network. It was staged and no foreign systems were affected.
In the first step I want to show that a takeover of an E-Banking session is possible, which is proven with this video. The purpose in the second step is to show what your options are to improve security, to protect yourself from “eavesdroppers” and snoopers in critical moments like E-Banking-Sessions, VoIP or Skype discussions. There are options and unlike the tools used for the takeover of the E-Banking session, those solutions to secure the connection will also be made available.
ghandy/gulli.com: If such methods are already used today, how will the development go on? What will the internet look like 10 years from now?
Ruben Unteregger: If I had had to answer this question ten years ago, I wouldn’t have been able to give an answer which fits today’s situation. I think that today my look into the crystal ball would shoot far away from the target as well.
But I think that the equipment of the authorities for monitoring and prosecution will be increased. It is about time that the next two, three steps of the enemy are anticipated, that the surveillance craze gets worked against. As soon as the wave from Germany reaches Switzerland and you continuously have the feeling that somebody is looking over your shoulder… I’d like to have this the other way. Data retention, online searches, censorship, room surveillance, movement profiles, phone, e-mail and SMS surveillance… this is a remarkable and threatening armoury of surveillance and control instruments. That should open the eyes, increase the psychological strain, encourage reflection and getting clear in which direction this could lead and where we are now. If you could show that a few of these things can’t offer the security and protection which is the argument with which they are “sold”, this message would arrive in the heads of everybody and the idea would be cancelled. This would be a good step in the right direction.
ghandy/gulli.com: Ruben, thank you for this absolutely interesting interview.
Interview on gulli.com : www.gulli.com