Bavarian Government Gets Up Close and Personal

Posted on July 7, 2008 - 17:05 by lmallek

The German state of Bavaria has approved laws that "allow the police to plant spyware": on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers with email, Bavarian laws allow police to enter a suspect's home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann "gave short shrift to [privacy] objections, stating that Bavaria is leading the field in 'internal security' in becoming the first German state to approve the plan."

This step taken by the Bavarian government "counters a ruling": earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.

In 2007, the internet was talking, though not over VOIP, about the Bavarian government looking to "monitor and record": Skype phone calls. Documents leaked through Wikileaks showed the thrifty Bavarian government haggling to get a better price on the products needed to invade their citizen's computers.

Trojan Horses Nip at Apple Vulnerabilities

Posted on June 23, 2008 - 16:05 by lmallek

Software company Intego found this "Mac Trojan": masquerading as a poker game. The Trojan actually transmits the user's name, password, and IP address to an external server which it acquires through clever social engineering:

bq. "A corrupt preference file has been detected and must be repaired." Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of them, delete files, damage the operating system, or much more.

"Computer World": wrote on Friday that SecureMac reported finding "another Trojan": circulating in the wild. "Its researchers had found a Trojan horse, dubbed 'AppleScript.THT,' being distributed from a hacker-operated site where discussions of spreading the malware via iChat, Apple's instant messaging and video chat software, were also taking place." Updating that "warning today":, SecureMac shared that the source code for the Trojan has been distributed, which increases the likelihood of derivative Trojans appearing soon. They write:

bq. "The Trojan is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size). The user must download and open the Trojan horse in order to become infected. Once the Trojan horse is running, it will move itself into the /Library/Caches/ folder, and add itself to the System Login Items... Once installed, the Trojan horse turns on File Sharing, Web Sharing, and Remote Login. If the filename of the Trojan horse has not been changed, it can be located in the /Library/Caches folder under the name"

Sandi, blogging at "Spyware Sucks":, opines that Trojans like this demonstrate that social engineering transcends computer platforms. She emphasizes that sharing information about badware can help to build and reinforce a level of user awareness and suspicion about entering personal information while downloading software (and ideally when deciding to download software in the first place). Sandi also comments on complaints that these Trojans were discovered by companies developing Apple security products.

While there may be a financial benefit to those companies, the _goal_ of the security community is to maintain computers as free of badware as possible, and sharing information about risks with professionals and users-at-large focuses attention on problems so that they can be solved or avoided as efficiently as possible.

Crimeware Kit Vulnerable to Hacking

Posted on June 19, 2008 - 15:45 by lmallek

Dancho Danchev wrote about a vulnerability "found in Zeus":, a crimeware kit circulating widely. Danchev explains:

bq. The vulnerability allows the injection of logins and passwords within any misconfigured web interface, due to the way in which Zeus is processing php scripts (web shells and backdoors) from the directory in which it stores the stolen data. Ironically, 'Zeus users are advised to take care of their directory permissions, and forbid the execution of scripts from the folder holding all the encrypted stolen information'.

bq. "The implications of this flaw are huge, since, what used to be the practice of hijacking someone's misconfigured botnet a couple of years ago, is today's hijacking of the malware campaigns's command and control interface, which on the majority of occasions is left accessible to everyone - including independent researchers and the security community.

The Zeus Trojan kit is "available on the market": for around $700, and Danchev writes in a previous post that the Zeus kit has been used more than 150 times and attacks around 4,000 computers per day. Similar to popular software receiving unwanted attention from hackers, the prominence of this badware led to increased attention from the security community, leading to the discovery of this vulnerability.

In an additional twist, the "Russian Business Network":, which has been associated with creation and distribution of the Zeus kit, is actively working to protect their intellectual property from security companies and their customers. RBN has threatened to "sue security companies": for blacklisting their products.

The RBN even "includes an EULA": when they sell the crimeware kit:

bq. The help section of the latest version of the Zeus malware states that the client has no right to distribute Zeus in any business or commercial purpose not connected to the initial sale, cannot examine the source code of the product, has no right to use the product to control other botnets, and cannot send the product to anti-virus companies.

The RBN threatens to release information on their customers if they violate this agreement and to require customers to purchase future updates. Would they pursue lawsuits against bot herders who modify their software kit without permission?

"Danchev asks": what would happen if the security community began unethically pen-testing the Zeus network in order to estimate the size of the botnet. Would the RBN seek to protect its intellectual property, thereby claiming ownership of the Russian Business Network infrastructure (botnet) in order to sue trespassing parties? As crimeware becomes more commercialized, the badware authors have more invested in protecting their investments in intellectual property and infrastructure. It will be interesting to see how the current legal structure can be applied to regulate the development of the malware industry.