State Sponsored Trojan Active

Thursday, October 20, 2011 @ 12:10 PM gHale

A new version of a Trojan written for the German government by Digitask is out looking for takers.

This Trojan supports 64-bit versions of Windows and is able to monitor many more applications, said virus analysts at Kaspersky Labs. The “big brother” of the Trojan analyzed by the Chaos Computer Club (CCC) consists of five files. They were in an installation program by the name of scuinst.exe (Skype CaptureUnit Installer), detected by F-Secure.

ICS Threat Brewing; Target Unclear
Old Becomes New: DLL Loading is Back
Weak Sites Victimize Visitors
Beware of Printers Spreading Malware

In addition to Skype, the list of processes monitored by the Trojan includes other voice over IP applications, browsers, and email and instant messaging clients. The full list is:
• explorer.exe
• firefox.exe
• icqlite.exe
• lowratevoip.exe
• msnmsgr.exe
• opera.exe
• paltalk.exe
• simplite-icq-aim.exe
• simppro.exe
• sipgatexlite.exe
• skype.exe
• skypepm.exe
• voipbuster.exe
• x-lite.exe
• yahoomessenger.exe
The researchers also discovered a 64-bit driver signed using a certificate issued by fictitious CA Goose Cert; 64-bit versions of Windows will not load unsigned drivers. A normal copy of Windows will not accept the fake certificate, meaning the installation process also has to modify Windows’ certificate store. Researchers are still analyzing that process.

It is clear anti-virus software is not going to be able to protect users from state-sponsored Trojans of this type. Anyone with the capability to modify the certificate store will not have difficulty getting around anti-virus software.

The Digitask development team also seems to have cribbed additional rootkit techniques and, in addition to the familiar AppInit technique, appears to have implemented a new method of activating the Trojan library with the target process’ privileges.

Leave a Reply

You must be logged in to post a comment.