"It's quite hard to intercept Skype calls at the operator level because it's encrypted," said Mikko Hypponen, chief research officer for the Finnish security company F-Secure. "It's fairly easy if it [the interception program] is running on the computer itself."
The club reported other disturbing findings about Quellen-TKU's security: although the data transmitted by the program is encrypted, the commands transmitted to control the program are not. Those commands are also not authenticated to prove the directions are coming from an authorized source, making it possible for an attacker to impersonate law enforcement.
"Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan and upload fake data," according to the Chaos Computer Club's writeup. "It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
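The weakness the club describes is a command channel that does not check who sent a command, so anyone who can reach the channel can issue instructions or, in the other direction, report fake data. The following is an added illustration of that gap and of the standard fix, message authentication with a shared key plus a sequence number against replay. It is constructed for this article and is not code from the Chaos Computer Club, F-Secure, or the trojan's actual protocol; the wire format (`<json body>|<hex HMAC tag>`), the key name `DEMO_KEY` and the command strings are assumptions.

```python
"""Unauthenticated versus HMAC-authenticated command channel (constructed example)."""
import hashlib
import hmac
import json

# Constructed shared secret for the illustration only; a real deployment would
# provision a per-instance key rather than hard-code one.
DEMO_KEY = b"constructed-demo-key-0000"


def build_message(cmd: str, seq: int, key: bytes = DEMO_KEY) -> bytes:
    """Serialise a command with a sequence number and append an HMAC-SHA256 tag."""
    body = json.dumps({"seq": seq, "cmd": cmd}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class UnauthenticatedReceiver:
    """Models the reported gap: whatever arrives is parsed and executed."""

    def __init__(self):
        self.executed = []

    def handle(self, message: bytes) -> bool:
        body = message.split(b"|", 1)[0]
        self.executed.append(json.loads(body)["cmd"])
        return True


class AuthenticatedReceiver:
    """Executes a command only if its tag verifies and its sequence number is fresh."""

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.last_seq = -1
        self.executed = []
        self.rejected = []

    def handle(self, message: bytes) -> bool:
        try:
            body, tag_hex = message.rsplit(b"|", 1)
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:  # missing separator, non-hex or non-ASCII tag
            self.rejected.append("malformed")
            return False
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(expected, tag):
            self.rejected.append("bad tag")
            return False
        fields = json.loads(body)
        # A valid tag alone does not stop re-sending an old command; the counter does.
        if fields["seq"] <= self.last_seq:
            self.rejected.append("replay")
            return False
        self.last_seq = fields["seq"]
        self.executed.append(fields["cmd"])
        return True


def demo():
    """Feed four constructed messages to both receivers; return (accepted?, executed lists)."""
    genuine = build_message("start-capture", seq=1)
    # Built by a party that does not hold the key (the impersonation the club describes).
    forged = build_message("upload-fake-data", seq=2, key=b"attacker-guess")
    # Genuine message whose command field was altered in transit.
    tampered = genuine.replace(b"start-capture", b"stop-capture")

    naive = UnauthenticatedReceiver()
    hardened = AuthenticatedReceiver()
    results = {}
    for name, msg in [("genuine", genuine), ("forged", forged),
                      ("tampered", tampered), ("replayed", genuine)]:
        results[name] = (naive.handle(msg), hardened.handle(msg))
    return results, naive.executed, hardened.executed


if __name__ == "__main__":
    outcome, naive_log, hardened_log = demo()
    for name, (naive_ok, hardened_ok) in outcome.items():
        print(f"{name:9s} unauthenticated={naive_ok} authenticated={hardened_ok}")
```

The unauthenticated receiver executes all four messages, including the forged and tampered ones; the authenticated receiver executes only the genuine first message and logs why each of the others was rejected. Encrypting the data path, as the article says the program did, gives no protection here: integrity and origin of the control messages are a separate property from confidentiality of the exfiltrated data.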
The Chaos Computer Club provided samples to F-Secure, which found Quellen-TKU also had keylogging capabilities to intercept data entered into applications such as Firefox, and the instant messaging programs MSN Messenger and ICQ.
Bizarrely, Quellen-TKU has a hidden reference to the movie Star Wars, F-Secure found. A text string that is used to start data transmission reads: "C3PO-r2d2-POE." F-Secure decided to name the program "Backdoor:W32/R2D2.A."
"I can't confirm the source who wrote this trojan, but I have no reason to doubt what CCC [Chaos Computer Club] is saying," Hypponen said.
Now that it has been detected, Quellen-TKU is unlikely to be of any further use to law enforcement. F-Secure said it had added a signature to its database to detect the program, and other major antivirus vendors such as Symantec and McAfee have done the same.
But many antivirus programs have other methods for detecting malicious software. Hypponen said F-Secure's software -- while not knowing exactly what Quellen-TKU was -- would have blocked it once it executed on a computer as far back as a year ago, because the program meddled with low-level parts of the operating system. Other security vendors may also have been capable of stopping it, he said.
Even if law enforcement had recently been using Quellen-TKU to monitor someone planning violence, Hypponen said the company decided to continue to detect it. F-Secure has a policy that it will not modify its products for law enforcement, with respect to European Union laws.