Tillmann Werner, a Kaspersky Lab expert, reported a trojan that is the big brother of the one reported earlier by the German Chaos Computer Club. The trojan is supposedly written for the German police, by Digitask, to monitor VoIP and IM communication on a suspect’s computer. WikiLeaks had earlier reported the use of trojans by German states. A few states had even defended the use of a “Federal Trojan”.
What it does
The trojan monitors a host of applications on the victim’s computer. Data is captured from several widely used applications, including Skype, Firefox, MSN Messenger, Opera and Yahoo Messenger. The full list of applications targeted is
The malware is installed using a dropper, a fake driver, and a couple of user-mode applications. The fake driver part is quite interesting, as Windows does not allow installation of drivers signed by an unknown party. The driver in this case is signed with a certificate from a fictitious “CA Goose Cert”. So it must be assumed that the attackers managed to inject the certificate into the Windows certificate store. It is unclear how this was made possible.
An attacker capable of modifying the Windows certificate store can easily fool anti-virus software, because signature checks trust whatever roots the store contains. Currently Kaspersky has managed to detect the trojan and identify the dropper.
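As an added example (not code from the post, from Kaspersky or from the CCC analysis), the following PowerShell script shows how a defender can catch the kind of tampering described above: it snapshots the certificates the machine trusts as roots, later reports any root that was not in the snapshot, and checks each running kernel driver's Authenticode signature together with the root that anchors its chain. The baseline file path and the function names are assumptions for this example; the script must be run in an elevated PowerShell session on Windows.

```powershell
# Added example, not code from the original post or from Kaspersky.
# Assumption: the baseline file lives at the path below; take the snapshot
# on a known-good build, not on a host you already suspect.
$BaselinePath = 'C:\audit\root-baseline.txt'

function Save-RootBaseline {
    # Record the thumbprint of every certificate the machine currently
    # trusts as a root (both the Root and AuthRoot stores).
    $roots = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot
    $roots.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
}

function Get-NewRootCerts {
    # Roots present now but absent from the baseline. An injected
    # "CA Goose Cert"-style certificate would show up here.
    $baseline = Get-Content -Path $BaselinePath
    Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
        Where-Object { $baseline -notcontains $_.Thumbprint } |
        Select-Object Subject, Issuer, NotBefore, Thumbprint
}

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName may use \??\ or \SystemRoot\ prefixes or
    # be relative to the Windows directory; normalise it to a real file path.
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverTrustReport {
    # For each running kernel driver, verify the Authenticode signature and
    # report which root anchors its chain. A Status of Valid is not enough:
    # a rogue root in the store makes a rogue signature look Valid, so the
    # chain root is also compared against the independent baseline.
    $baseline = Get-Content -Path $BaselinePath
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath -RawPath $_.PathName
            $sig = Get-AuthenticodeSignature -FilePath $path
            $rootThumb = $null
            if ($sig.SignerCertificate) {
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline audit
                $null = $chain.Build($sig.SignerCertificate)
                $last = $chain.ChainElements.Count - 1
                $rootThumb = $chain.ChainElements[$last].Certificate.Thumbprint
            }
            [pscustomobject]@{
                Driver    = $_.Name
                Path      = $path
                Status    = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                RootKnown = if ($rootThumb) { $baseline -contains $rootThumb } else { $false }
            }
        }
}

# Usage: run Save-RootBaseline once on a clean machine, then on audited hosts:
#   Get-NewRootCerts
#   Get-DriverTrustReport | Where-Object { $_.Status -ne 'Valid' -or -not $_.RootKnown }
```

The point of the second check is the one the post makes: once an attacker can add a root to the store, every local signature check, including the driver-signing check and an anti-virus product's own trust decisions, will accept certificates chained to that root. Comparing the chain root against a baseline captured elsewhere is what makes a bogus root visible. Note that many inbox drivers are catalog-signed rather than carrying an embedded signature; on older Windows versions `Get-AuthenticodeSignature` may report those as NotSigned, so treat that status as something to investigate rather than as proof of tampering.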
It is quite possible that state-sponsored malware is being used worldwide. There is no use complaining when you can hardly detect the injustice categorically. It might be a bitter realization. Well…gulp it.