Detect Alleged German State-Sponsored Trojan On Your PC - gHacks Tech News

I have monitored news about the alleged German state-sponsored trojan closely ever since the German Chaos Computer Club posted information about it online. While there is no definitive proof that it is indeed malware designed and operated by German police forces, it is definitely something that computer users need to be aware of.

I do not want to get into too many details at this point in time and suggest you read the long post over at the club's website to get a better understanding of what it can and cannot do. A binary version of the program has been uploaded to the club's website as well.

Only this much: the so-called Bundestrojaner (federal trojan) works, in its detected form, on 32-bit Windows operating systems. The trojan targets software used for communication. This includes Skype, ICQ and MSN Messenger, but also web browsers. It acts as a keylogger and contains functionality to download and execute code from remote locations. It can furthermore take screenshots, record audio and supports remote updating.

The core issue here is not that such a trojan exists as it was openly discussed in Germany, but that the trojan is capable of going beyond what the German Federal Constitutional Court allowed police forces to do with it.

While it appears to be more of a local German issue, it is not completely out of the question that the trojan was planted on computer systems of foreign nationals.

Security company Steganos has released a first version of Anti-Bundestrojaner, a German-only program that detects the trojan on 32-bit Windows systems. The software is free and portable, and can be downloaded from the Steganos website with a click on the Jetzt Herunterladen button. Update: The download is no longer available.

All that you need to do is to run the program and click on the Analyse starten... button in the interface. This starts the system scan.

The security software scans the system and will display findings in the interface. It will scan the system for drivers and libraries, and try to make a connection to the remote servers of the trojan. A red icon in front of a line followed by the word Kritisch (critical) means that it has detected a file belonging to the trojan.

If that is the case, a popup is displayed prompting the user to select either Ja (yes) to delete the identified files or Nein (no) to leave them on the system.

If you select yes, you are asked to reboot the system after the deletion completes. Select Ja to reboot right away or Nein to reboot at a later time.

Comments

  1. Paul(us) said on October 10, 2011 at 3:43 pm

    Good article, I am wondering when the first German sniffer is found in another country.

  2. Anonymous said on October 10, 2011 at 5:06 pm

    http://www.imagebam.com/image/5392d8153363428%5D%5BIMG%5Dhttp://thumbnails53.imagebam.com/15337/5392d8153363428.jpg

    This is the one that shows if it *doesn’t* find anything – it translates as “There is no evidence for the existence of the Federal Trojan has been detected on your system!”

    1. Martin Brinkmann said on October 10, 2011 at 5:45 pm

      Thanks for posting, good addition.

  3. Dean said on October 10, 2011 at 6:06 pm

    I take it there is no way to edit past comments?

    Just realised I put my name in the website bit and it’s linking to someone who isn’t me! lol

    1. Martin Brinkmann said on October 10, 2011 at 6:08 pm

      No editing, what’s your website?

  4. Dean said on October 10, 2011 at 6:09 pm

    Ah right – ain’t got one; just must have got the fields mixed up and put Dean in the website (Looks like it’s defaulted that to .co.uk).

    Cheers!

  5. Berttie said on October 10, 2011 at 10:50 pm

    So the Bundestrojaner is 32 bit only? Memo to Deutsch gauner (crooks): Use 64-bit Windows (or, presumably, Linux or Mac OS X).

    1. Martin Brinkmann said on October 10, 2011 at 11:56 pm

      Well the version that was discovered – or leaked – was 32-bit only.
