Coder of Swiss Wiretapping Trojan Speaks Out 114
Lars Sobiraj writes "Ruben Unteregger has worked for a long time as a software-engineer for the Swiss company ERA IT Solutions. His job there was to code malware that would invade PCs of private users, and allow the wiretapping of VoIP calls — in particular, calls made through Skype. In the German-speaking areas of the country, the Trojans were called 'Bundestrojaner' because the Swiss government was involved with their development and use. Unfortunately, Unteregger has to remain silent about the customers of the company. Last night, he published the source code of his Skype-Trojan under the GPL."
we (Score:2, Interesting)
GPL ? (Score:1, Insightful)
Maybe I'm wrong and he owns the source code though. But it will give some more ammo to the FUD that carries some big corporations that GPL is bad.
Surprised (Score:1)
When the American/British/other-similar-country version of something similar comes out it will be on Wikileaks, without attribution.
Re: (Score:1)
But now everyone can wiretap Skype calls. Isn't it great?
Re:GPL ? (Score:5, Informative)
Most certainly the guy doesn't even own the source code since he did it under contract from an employer, so he cannot really "release" what is not his... Maybe I'm wrong and he owns the source code though.
From the article:
"There won't be problems about copyright, because ERA IT Solutions let me keep it... About the details, why I keep the copyright on this, I can't offer a statement. As already mentioned I agreed to absolute silence. You can speculate now or ask the sources directly."
Re:GPL ? (Score:5, Interesting)
About the details, why I keep the copyright on this, I can't offer a statement.
My guess would be liability. If Skype want to sue the "owner" of the trojan, the company is safe. If a "victim" of the trojan wants to sue the "owner", the company is safe. In any court case, the company can turn around and say "Ah, but we just provide advice and consultancy services. The creator and owner of the trojan code is Ruben Unteregger, and he is a completely different legal entity."
Re:GPL ? (Score:5, Funny)
Title reads: "Coder of Swiss Wiretapping Trojan Speaks Out"
Summary reads: "Unfortunately, Unteregger has to remain silent about the customers of the company."
The parent quotes the guy: "About the details, why I keep the copyright, I can't offer a statement. As already mentioned I agreed to absolute silence."
That's why I am not commenting on this story.
Re: (Score:3, Informative)
From TFA:
Ruben Unteregger: Yes, that's the plan. The source code of this wiretapping trojan will be published in the upcoming days. There won't be problems about copyright, because ERA IT Solutions let me keep it.
Re: (Score:2)
I seem to hear an assumption that the laws governing his contracts are compatible with United States corporate views concerning contracts. Maybe this code really IS his, by law?
Re: (Score:3, Insightful)
GPL really is a stupid option in my opinion...it will give some more ammo to the FUD that carries some big corporations that GPL is bad.
Assuming the source code is his to give away (certainly not a given!), I have to disagree.
1) GPL is perfect for this, since it essentially says, look -- take this code and modify it, redistribute it, analyze it, re-publish it...do what you want with it, as long as you allow this same freedom to anyone else who gets the software. This is the whole reason the GPL exists in the first place! In this case, this is good because it allows others to take the code apart, figure out what makes it tick and come
Re: (Score:2)
Re: (Score:2)
Logical fallacy? It COULD be used for good but think: Wiretapping is invasive by design, you're trying to tap into listening to a communication you probably do not have the invitation to. The few legitimate and reasonable purposes for wiretapping software I can think of are:
Do you think that most users of this will be doing these things?
A hammer may be used for murder but you generally use it for hammering nails. Thi
Re: (Score:2)
The argument I am trying to counter goes like this:
1) This software is evil.
2) This software was released under the GPL.
3) Therefore, the GPL is evil.
This is the argument I was attacking, and it is indeed a logical fallacy. The GPL does
Yeah! (Score:2)
I would have modded you up in your original post but chose to reply because of another reply in the thread I think. I actually agree but was trying to strengthen your analogy.
Re: (Score:2)
I should have said (Score:2)
I should have said I was commenting on wiretapping itself, not GPL. GPL's intended purpose is to help people and for freedom like a car is for transport. :-) This is why I like Slashdot, there are many level headed people!
Re: (Score:2)
Of course, people say that about guns all the time. So I'm assuming that the same sort of people would say the same sort of thing about a Trojan...
Re: (Score:2)
[1] I believe that this conclusion is false, too. A gun is designed to kill, but I disagree that this is always evil. I would not hesitate for a single second to kill someone who in
Re: (Score:1)
A gun is designed to kill,
Actually, it can be said that a gun is designed to push a piece of material in a (mostly) straight line at a very high speed. While this could just as easily be target practice, competition shooting, etc. the intent to use it to kill (a person, animal, etc.) is solely at the discretion of the shooter.
The same applies to this software, it is designed to record the Skype conversation. This could be used to archive several machines / users to a central server (yes some source code would need changed, but i
Re: (Score:2)
CrimsonAvenger also raised a similar objection, pointing out that guns are used far more often for target practice than for killing, which might also be true (historically, including hunting for food? Maybe; I don't know for sure). It's certainly true for me, at least. I own several guns but I have never shot a single living thing with any of them (although I have shot a grouse -- once -- with a bow, but that's slightly off-topic).
Re: (Score:2)
While this is certainly true, I should point out that more guns in the USA are used for target shooting than for killing.
Understand completely. I was just pointing out that there exist a large group of people who believe that tools can be evil. And those people would be delighted by the chance to name yet another tool to be evil incarnate.
IMO, men can be evil, and can use tools to commit evil acts. But the tools, in and of themselves, are
Re: (Score:1)
But of course, in order to claim copyright on the code, they'd have to admit responsibility.
Re: (Score:1)
Only a matter of time (Score:3, Interesting)
I don't think that a reasonably informed person could expect that this sort of thing could be kept bottled up for very long.
Re: (Score:2, Troll)
Re: (Score:2)
There are precious few, if any, countries where authorities have had much trouble passing laws giving themselves broad "security" powers. With those in place, they don't really need to keep things under wraps, what are you going to do about it?
Re: (Score:2)
This product did its work for governments at a set time in the past.
The interesting part was hints at a Magic Lantern option
http://en.wikipedia.org/wiki/Magic_Lantern_(software) [wikipedia.org]
The real fun is what the German gov did with this around the world via this software in the past.
The German "CIA" (BND, hi guys) did get caught with a false flag operation Kosovo,
Government Support Malware... Great... (Score:3, Interesting)
Government supported malware...
I guess he's trying to vindicate himself by publishing the source code, but the reality is that there is a risk some idiot out there is going to misuse this information.
Seriously, do we want open source malware?
Re:Government Support Malware... Great... (Score:5, Insightful)
but the reality is that there is a risk some idiot out there is going to misuse this information.
SOME idiot? I'm most worried about the government itself, thank you.
Re: (Score:2)
You are the government (at least you're supposed to be) here in the US, so if you're afraid of the government, you're afraid of yourself. How is that for recursive fear? :-D
Re: (Score:3, Insightful)
You are the government (at least you're supposed to be) here in the US, so if you're afraid of the government, you're afraid of yourself. How is that for recursive fear? :-D
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Cool... having a sig that highlights why you should be "afraid of yourself" while commenting on the recursive nature of such fear turns it from being a simple recursion into a complex fractal pattern.
Re: (Score:2)
Re:Government Support Malware... Great... (Score:4, Funny)
I'm most worried about the government itself, thank you.
Well thankfully this was the Swiss government. The US would never use some of the billions poured into the new "Cyberwar" to do exactly the same thing. We have laws and high government officials always get brought to justice over things like this...
Re: (Score:2)
Albeit late, thanks to Inglorious Basterds, I'd like to mention that I AM Swiss, you insensitive clod! ;)
Re: (Score:2)
Re: (Score:3, Insightful)
...releasing open source malware code isn't especially helpful either.
Open sourcing it is fine (assuming he's allowed to do so - I know I'd be in trouble if I open sourced the code I'm paid to write) - Even then there's the Wikileaks option if GPL (or whatever) isn't practical. But, both as a courtesy, an aggressive encouragement to improve, and an effort to minimize damage, it should be politely delivered to Skype first. Skype should also be made aware of your intentions, in say 3-6 months, of sharing it with the world.
Re:Government Support Malware... Great... (Score:5, Insightful)
Yes, we do, for the same reason we want other software to be open source: security. If we can see into a program's source, we can identify potential security issues. By releasing the trojan's source code, Skype can fix their software.
Re:Government Support Malware... Great... (Score:4, Informative)
I don't think this will help Skype a lot, at best they could attempt to stop this particular trojan.
We're talking about a trojan that has complete access to the local machine. At some point in the software Skype has to decrypt the audio transmission and send the data via the OS's audio API, and that is where this trojan will intercept the data. Skype now knows how the trojan intercepts the data, and at best they could frustrate it in a new version (which would work until the trojan is updated).
The big question is if Skype is still secure without having to gain access to the local machine (ie. can law enforcement decrypt Skype traffic).
Re: (Score:1, Interesting)
The big question is if Skype was ever secure. They've sure got something they're trying to hide, with all the anti-debugging measures they've built in to their software.
Horse already bolted (Score:2)
If the machine is compromised, nothing you do really matters. It's closing the barn doors after the horse has bolted; fixing this is silly. It's just like this 'exploit' [msdn.com].
You could just record whatever comes from stereo mix? Why bother decrypting anything?
Re: (Score:2)
it's secure, except for in china where they use the NSAKEY
Re: (Score:2)
And the big answer is "if you assume it is, you are an idiot". Use something you can audit.
Re: (Score:2)
The point is, that if he had not opened the source, the same would happen, but without a chance for Skype or us!
That's the thing! It's not as if not opening the source would have prevented anything.
Re: (Score:2)
I see two possibilities. Skype is using buggy code which is easily exploitable, in which case, everyone should know it. The only reasonable response is to abandon Skype.
OR, Skype has now learned of a flaw in otherwise reliable software, in which case they patch it, and go on.
If the Linux and the Unix kernels have survived all these years with the code readily accessible by anyone who wants it, I see no reason to protect Skype from an open sourced exploit. Skype would be better off if they open sourced th
Re: (Score:1)
Re: (Score:2)
I doubt skype can do anything. This trojan runs locally with admin rights. Somewhere in there skype needs to put the encryption key in memory. The trojan probably just grabs it and then decrypts the VOIP packets. The solution here is to not run trojans.
Re: (Score:2)
I think the solution is not to run Skype. Skype is shit, but it would probably be better to use a standalone piece of hardware to run it. I use hardware SIP phones to make all my phone calls with their packets being encrypted between them and the IP-PBX. If a machine gets infected with a trojan, the worst it can do is possibly capture those encrypted packets. There is no access to the encryption key anywhere in that particular machine.
Ideally, Skype should not be any
Re: (Score:2)
Re: (Score:2)
I don't know what phones you are using, but Cisco more than likely supports SRTP on the model you are using. They helped create it in the first place. I am using Aastra 9480i's and 9143i's. They support SRTP. You must enable it in your configuration files (defaults to off) and can specify a preferred state (will downgrade to RTP) or an only state in which non-SRTP capable calls will fail.
As for IP-PBX, I mostly use Asterisk. You can add SRTP support to Asterisk and there are resources on the web that h
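The comment above describes three SRTP states on the handsets (off by default, "preferred" which silently downgrades to plain RTP, and "only" which refuses unencrypted calls). A defender auditing a fleet of phones wants to know which handsets are not pinned to the "only" state. The script below is an added example, not code from the thread or from any phone vendor: it assumes a `key: value` config file format and a setting named `sip srtp mode` with values `0`/`1`/`2`; both the key name and the value meanings are assumptions to be checked against your own phone's manual, and the sample configs are constructed.

```python
# Added audit example (not from the thread or a vendor): scan phone config
# files for the SRTP setting and report handsets that could fall back to RTP.
# ASSUMPTIONS: config lines are "key: value"; the key is "sip srtp mode";
# 0 = disabled, 1 = preferred (downgradable), 2 = only. Verify against your
# phone's documentation before relying on this.
from typing import Dict

SRTP_KEY = "sip srtp mode"
MODES = {"0": "disabled", "1": "preferred (can downgrade to RTP)", "2": "only"}


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines, ignoring blank lines and '#' comments.
    Keys are lower-cased so 'SIP SRTP Mode' and 'sip srtp mode' match."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings


def srtp_mode(settings: Dict[str, str]) -> str:
    """Return the configured SRTP mode; a missing key means the assumed
    vendor default of '0' (off), which is exactly what the comment warns about."""
    return settings.get(SRTP_KEY, "0")


def audit(configs: Dict[str, str]) -> Dict[str, str]:
    """Return {config_name: finding} for every phone NOT forced to SRTP-only.
    Phones in mode '2' are considered correctly configured and are omitted."""
    findings: Dict[str, str] = {}
    for name, text in configs.items():
        mode = srtp_mode(parse_config(text))
        if mode != "2":
            findings[name] = MODES.get(mode, f"unknown value {mode!r}")
    return findings


# Constructed sample configs (192.0.2.0/24 is a documentation range).
SAMPLE_CONFIGS = {
    "phone-a.cfg": "sip proxy ip: 192.0.2.10\nsip srtp mode: 2\n",
    "phone-b.cfg": "# no srtp line at all, so the default applies\nsip proxy ip: 192.0.2.10\n",
    "phone-c.cfg": "sip proxy ip: 192.0.2.10\nsip srtp mode: 1\n",
}

if __name__ == "__main__":
    for phone, finding in audit(SAMPLE_CONFIGS).items():
        print(f"{phone}: SRTP {finding}")
```

On the sample input only `phone-a.cfg` passes; the phone with no SRTP line is reported as disabled (the default the comment mentions) and the "preferred" phone is reported because a peer that does not offer SRTP would pull the call down to cleartext RTP.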
Seriously, do we want open source malware? (Score:2)
Re: (Score:3, Insightful)
If every tom, dick, harry, and script kiddie out there has a dozen variants, security vendors will have to treat it as a threat, and hopefully end up mitigating the effectiveness of the fed trojan.
Re: (Score:2)
Re: (Score:2)
The 2nd amendment fans will clue up any minute here and fill you in.
Re: (Score:2)
>Government supported malware...
I dont see a problem with this as long as it requires a warrant, like how the US uses programs like CIPAV. [computerworld.com]
Re: (Score:2)
Not Exactly Rocket Science (Score:2)
Re: (Score:2)
There are a lot of idiots out there. There is a lot of information out there. I dare you to try to keep them separate.
Well, why not?
1. Having the malware open source means that everyone can study it. Not just script kiddies but also security researchers, software developers, and students.
2. If the malware exposes any vulnerabilities, they can be fixed a lot more readily
Re: (Score:1)
Seriously, do we want open source malware?
Yes, yes we do.
Open source malware is important for the security of the targeted systems.
If unnamed corporate software monopoly discovers hole via malware, and doesn't release a notification (let alone patch), everyone else can discover that hole as well.
If all malware writers were so inclined to help the public protect against their malware.
Not helpful? (Score:3, Interesting)
Isn't the idea of full disclosure meant to help security by bringing to light flaws in ...whatever? Thus forcing companies/governments to deal with the problem rather than simply ignore them. Although in this case a government (Swiss) is playing on one side, and a company (Skype) is on the other.
Now, Would A Patriot Please Post (Score:2, Funny)
the N.S.A.'s [google.com] code for intercepting EVERYTHING .
Yours Seditiously,
Kilgore Trout
Re: (Score:2)
dd if=/dev/all_major_inter_slash_national_pipes of=/dev/dcs_in_maryland | grep -f echelon_keywords.txt > mail -s FARKINGCOMMIES! analyst14398@nsa.gov
You're welcome! :-)
Re: (Score:3, Informative)
Although, come to think of it, that would explain why the wiretapping program hasn't produced much by way of results...
Call me naive... (Score:2, Insightful)
Re:Call me naive... (Score:5, Informative)
You're naive.
I'm not going to go searching on Google now but there are already loads of malware toolkits out there being used by script kiddies, some of which are rather easier to use than "First learn to code in C". This doesn't change anything.
Re: (Score:2)
For example to supplement the parent, bo2k isn't exactly hard to find. They have a really huge website with a lot of details on how to use it.
Re:Call me naive... (Score:4, Insightful)
It's odd that even though I'm 57 years old, I have a far higher opinion of youth than you seem to have. Also odd that you think Doom or Quake would turn teens into killers; what turns teens into killers is mental illness, bad upbringing, or high school bullies. And most of the teens who have these unfortunate circumstances kill themselves, not others.
Most kids I've known from the time I was a teen to now were good kids. Some teenagers I've known were more responsible than a lot of adults I've known. Some were even more responsible than their own parents.
Re: (Score:1, Insightful)
of course irresponsibly feeding your children a steady diet of violent entertainment might just qualify as a symptom of "bad upbringing". Results vary.
Re: (Score:2)
Actually it can't qualify as bad upbringing in itself - unless we're moving into the couch potato vs. physically active schism. Feeding children violent entertainment isn't any different than feeding them bad quiz and game shows. It might actually be better if it's creatively done violence as the game show diet is a proven intelligence killer.
Re: (Score:3, Insightful)
You're looking at it from a perspective that can be generalized as "security through obscurity"; at its core is a hope that limiting the general knowledge of a subject will prevent "bad people" from interfering. Again generalizing, the motto could be "The less people know the more everyone is safe."
The weakness of this in practical terms is that people discover things and motivated people can be very creative. If one person or team can accomplish something there is no reason to assume
Criminals All (Score:1)
Bundestrojaner = Federal Trojan (Score:1, Informative)
In case anyone was curious, "Bundestrojaner" means "Federal Trojan" (if I'm remembering right from my highschool German classes).
Unfortunately it was done the easy way (Score:2)
Why the heck (Score:4, Interesting)
Why haven't the police already busted down the door of ERA IT Solutions and taken all their servers away? Why aren't there tons of class action lawsuits against ERA IT from people that got infected and spied on?
Re: (Score:2)
Re: (Score:1)
Let me provide some insight... (Score:2)
Why haven't the police already busted down the door of Heckler & Koch and taken all their machines away? Why aren't there tons of class action lawsuits against Heckler & Koch from people that got shot and killed?
Oh riiiight... They don't kill people. Their customers to kill people. Their major customers being governments.
They are just a private company, providing a service for a friendly foreign government.
Oh and...
http://en.wikipedia.org/wiki/Class_action_lawsuit#Switzerland [wikipedia.org]
Switzerland
Swiss law does not allow for any form of class action. When the government proposed a new federal code of civil procedure in 2006, replacing the cantonal codes of civil procedure, it rejected the introduction of class actions, arguing that:
[It] is alien to European legal thought to allow somebody to exercise rights on the behalf of a large number of people if these do not participate as parties in the action. ... Moreover, the class action is controversial even in its country of origin, the U.S., because it can result in significant procedural problems. ... Finally, the class action can be openly or discretely abused. The sums sued for are usually enormous, so that the respondent can be forced to concede, if they do not want to face sudden huge indebtness and insolvency (so-called legal blackmail).
Dammit (Score:2)
Meant to say:
Their customers use their product to kill people.
Re: (Score:2)
Haven't you read the summary? It was ordered by the government! They paid for it. The Bundestrojaner was meant to be used in at least Germany, as a tool for the federal intelligence service!
Of course the police do nothing. It's their own project!
Re: (Score:2)
Just because one dept. of the government ordered it doesn't make it legal.
The police should enforce the law, even if it's a part of the government that broke it.
Doesn't (Score:1, Interesting)
Vista support DRM on the hardware level?? Could this not be used to encrypt any communications to and from your machine? Isn't it illegal in the US to try to decrypt such messages under the DMCA?
Re: (Score:2, Informative)
Last I checked Switzerland was a nation independent of the United States and thus not subject to the DMCA and other such nonsense.
WINDOWS ONLY? (Score:2)
YES, looks like it only works on Windows. I wish these articles would start by listing what is vulnerable. Of course anyone who knows anything about security knows Windows is totally broken as far as security goes and it is way too big of a target for future malware writers, so best to just avoid it if you are building systems where privacy is important. I'd tell you what I do but I'm sworn to secrecy.
"Bundestrojaner" == german, not swiss (Score:2)
"Bundestrojaner" is the nickname in Germany for the trojan intended to do an "online (house) search" under German law. The article also mentions that. Quote: "You say that while you worked for ERA IT Solutions under consignment of the German Federal Police (Bundeskriminalamt/BKA) you were entrusted with the development of a trojan". Please note that the guy in question does not admit that he worked on the "Bundestrojaner", but mentions that the BKA employed its own people to do that. The article reports that he
Re: (Score:1)
Who is the user anyway (Score:2)
If such a trojan is installed on a computer, who is the user? The one installing the trojan or the victim. Although the victim may not know it, he is obviously using the software. :)
According to the GPL he has a right to the code
Re: (Score:1)
-1 SHOUTING
+1 momentofsilence
He's doing it wrong.
+0 Wailsofmourning ???