Two weeks later things have changed considerable. Several German states acknowledged that the backdoor was used by German police forces to spy on communication software installed on computers. According to the news spyware programs were in use since 2009.

The initial analysis of the contents was far from complete. Security experts at F-Secure and Kaspersky posted the results of their analysis recently which offer a more detailed view of the malware’s capabilities.

Kaspersky discovered that the trojan installer supports both 32-bit and 64-bit Windows operating systems. Experts previously assumed that only 32-bit systems could be targeted by it.

The second finding is a list of applications that the trojan has been designed to monitor. This list is larger than the initial list that the Chaos Computer Club published. A total of 15 applications are listed, including Firefox, Explorer, Opera, Skype, Microsoft Messenger, ICQ and Yahoo Messenger.

The trojan injects code into those processes:

Code injection into target processes is carried out by the dropper, two user-mode components and also a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications. This new driver starts an additional thread that constantly loops over the current list of running processes and injects a DLL into each whose image name matches an entry from the following list:

The 64-bit Kernel driver is limited in its functionality compared to the 32-bit component.

Contrary to the 32 bit version, the 64 bit driver does not contain any process infection functionality but only provides a rudimentary privilege escalation interface through file system and registry access. Similar to its brother, it creates a device and implements a basic protocol for communicating with user-mode applications.

Kaspersky identified the a 1024 bit RSA certificate issued by Goose Cert on April 11, 2010.

The F-Secure blog has more information on how the backdoor was installed on target systems.

In one case, the trojan was installed on a suspect’s laptop while he was passing through customs & immigration at the Munich International airport.

The existence of a 64-bit component, the monitoring of additional processes and information on how the trojan was installed on systems confirms that there has been more to that state sponsored trojan than initially assumed. The majority of security software available should detect the backdoor by now.

Some of the key elements of both documents were the following:

The installation of the Skype trojan could be by email or by the police in the apartment.
The software could be updated, extended and removed without leaving traces on the system.
Data would be send through a computer located outside German jurisdiction.
Access to internal settings of the Skype client and access to SSL-encrypted websites.

The two zipped PDF documents contain information about the company that designed the Trojan, the costs of the Trojan and the federal agencies. The second document contains detailed information about the technique used to eavesdrop on communications, especially what the so called Skype Capture Unit does.

The Skype Capture Unit is installed on the client’s system, capable of recording voice and chat among other things, and directs the data to a recording server. A Recording proxy was not part of the offer but would be possible to install as well. Members of the police would be able to access the data on the recording server in real time.

The document further mentioned that Skype Capture Units were only available for Windows XP or Windows 2000 at the moment.

Besides offering the Skype Trojan Digitalk also offered Man in the Middle attacks on SSL encrypted web traffic if the client would be using Firefox or Internet Explorer.

The costs for the operations are the following:

Skype Capture Unit €3500 per month
Installation of Unit €2500 once
Man in the Middle Attack €2500 per month

You are currently safe if you use Windows Vista, Linux or have a Mac. You are safe with Opera or Safari.

The question that a lot of people in Germany are currently asking are about the low costs of the software. Some see it as an indication that there had to be an agreement to use those units on a large scale.

Before everyone else says: Yeah, that’s Bavaria, part of Germany. I live in XXX, why should I care ? I would like to point out that other countries are most likely using techniques like that as well. Or, they simply ask Skype for assistance which is possible if you read the Skype Privacy Statement:

Please be informed that, notwithstanding the abovementioned, in the event of a designated authority lawfully requesting Skype or Skype’s local partner to retain and provide personal data, communications content and/or traffic data, Skype and/or its local partner will provide all reasonable assistance and information to fulfil this request.