Only through inactive action does one become a victim; by exercising proactive action against evil one walks in their own power creating resistance to that which chooses to destroy humanity and the preciousness of life. Fight America; don't become a victim to the evil that is destroying our world! _Donald F. Truax (Tough times don't last, tough people do)
Wednesday, October 19, 2011
Federal Trojan's Got A "Big Brother" -- Trojan Update-Button
About two weeks ago, the German Chaos Computer Club (CCC) published an analysis report of a backdoor trojan that it claims had been used by German police during investigations to capture VoIP and IM communication on a suspect's PC.
Our friends over at F-Secure published a blog post last week about another file that, according to them, appeared to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.
The dropper carries five other binaries in its resource table, so there are six components in total, each with a different purpose, and we analyzed all of them. Two of the new findings are particularly interesting. Firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report: the various components infect 15 applications in total.
Target Applications
Previous discussions of R2D2 mention Skype as a target application that is monitored by the trojan. The version we analyzed targets Skype as well, but also all common web browsers and various instant messaging and voice-over-IP applications, such as ICQ, MSN Messenger, Low-Rate Voip, paltalk, SimpPro, sipgate X-Lite, VoipBuster and Yahoo! Messenger. The list of process names is:
* explorer.exe
* firefox.exe
* icqlite.exe
* lowratevoip.exe
* msnmsgr.exe
* opera.exe
* paltalk.exe
* simplite-icq-aim.exe
* simppro.exe
* sipgatexlite.exe
* skype.exe
* skypepm.exe
* voipbuster.exe
* x-lite.exe
* yahoomessenger.exe
Code injection into target processes is carried out by the dropper, two user-mode components and also a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications.
All target processes we found in the different user-mode components are also covered by the driver.
There are two different DLL injection methods implemented. One works by registering the user-mode library in the Windows registry as an AppInit DLL so that it gets loaded during process creation. The second creates a remote thread in already running processes and injects a piece of position-independent code that maps the mfc42ul.dll file, one of the user-mode modules, into the target process memory.
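The AppInit_DLLs registration described above leaves a registry footprint that an administrator can audit. The following script is an added example (not code from the original post or from Kaspersky): it reads both the native and the WOW64 AppInit locations, reports the policy values that govern the mechanism, and hashes and signature-checks every DLL found there. It assumes an elevated PowerShell session on Windows.

```powershell
# Added example, not code from the original post or from Kaspersky.
# Audits the AppInit_DLLs mechanism: any DLL listed in these values is loaded
# by user32.dll into every process that loads user32, which is why the trojan
# registers its user-mode library there. Assumes an elevated session.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',           # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' # 32-bit (WOW64) processes
)

foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key

    # LoadAppInit_DLLs = 0 disables the mechanism entirely;
    # RequireSignedAppInit_DLLs = 1 restricts it to signed DLLs.
    Write-Host "`n$key"
    Write-Host ("  LoadAppInit_DLLs          = {0}" -f $props.LoadAppInit_DLLs)
    Write-Host ("  RequireSignedAppInit_DLLs = {0}" -f $props.RequireSignedAppInit_DLLs)

    $list = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($list)) {
        Write-Host '  AppInit_DLLs              = <empty>  (expected on a clean host)'
        continue
    }

    # The value is a space- or comma-separated list; a bare file name is
    # resolved relative to the system directory of the matching bitness.
    $sysDir = if ($key -like '*Wow6432Node*') { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    foreach ($entry in ($list -split '[ ,]+' | Where-Object { $_ })) {
        $path = if ([System.IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $sysDir $entry }
        if (Test-Path $path) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            Write-Warning ("AppInit DLL: {0}  signature={1}  signer={2}  sha256={3}" -f
                $path, $sig.Status, $sig.SignerCertificate.Subject, $hash)
        } else {
            Write-Warning "AppInit DLL entry points to a missing file: $path"
        }
    }
}
```

On a clean workstation both AppInit_DLLs values are normally empty, so any entry at all is worth investigating, and the SHA256 gives you something to compare against vendor hashes or submit to your AV.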
64 bit Kernel Driver
When the dropper installs the kernel-mode component, it derives the resource name from the architecture (either 32 or 64 bit) and installs an appropriate driver:
Unlike the 32 bit version, the 64 bit driver does not contain any process infection functionality; it only provides a rudimentary privilege escalation interface through file system and registry access. Like its 32 bit sibling, it creates a device and implements a basic protocol for communicating with user-mode applications.
64 bit kernel modules must carry a valid digital signature that the operating system can verify, or loading the driver fails. The driver that comes with the rootkit contains a 1024 bit RSA certificate (fingerprint e5445e4a 9c7d24c8 43f0c669 e2a8d3a1 78cf7fa8), issued by Goose Cert on April 11, 2010. However, the certificate must be installed and its trustworthiness confirmed on the target machine before the driver will load.
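Because the 64 bit driver only loads once its private signing certificate has been made trusted, there are two places to look on a suspect host: the chain root behind each registered kernel driver's signature, and recent additions to the machine's Root and TrustedPublisher stores. This script is an added example (not code from the original post or from Kaspersky) that checks both; it assumes an elevated PowerShell session on Windows, and the 90-day window is an arbitrary triage threshold.

```powershell
# Added example, not code from the original post or from Kaspersky.
# 1. Every registered kernel driver: signature status, and the root CA the OS
#    trusted for it. Third-party vendor drivers will show up here as well;
#    the point is to review each non-Microsoft root, not to alert on it blindly.
$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName }
foreach ($drv in $drivers) {
    $path = $drv.PathName -replace '^\\\?\?\\', ''   # strip the \??\ NT path prefix
    if (-not (Test-Path $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning ("{0} ({1}): signature {2}" -f $drv.Name, $path, $sig.Status)
        continue
    }
    # Walk the certificate chain; the last element is the trusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Subject -notmatch 'Microsoft') {
        Write-Warning ("{0} ({1}): signed via non-Microsoft root '{2}' [{3}]" -f
            $drv.Name, $path, $root.Subject, $root.Thumbprint)
    }
}

# 2. Trust-store certificates whose validity period started recently. The store
#    does not record installation time, so NotBefore is a heuristic; a CA that
#    was minted and installed shortly before the driver appeared stands out here.
$cutoff = (Get-Date).AddDays(-90)
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.NotBefore -gt $cutoff } |
    Select-Object PSParentPath, Subject, Issuer, NotBefore, Thumbprint |
    Format-Table -AutoSize
```

Compare any flagged root's thumbprint against your organisation's known internal CAs; a root you cannot account for, combined with a driver that chains to it, is the pattern this kind of rootkit leaves behind.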
All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.
"And Ye Shall Know The Truth And The Truth Shall Set You Free"
WAKE UP AMERICA....ITs OUR COUNTRY!!!
Love "Light" and Energy
_Don
References: Facebook Worm Found to Serve ZeuS - No Smit!
Apple iTunes “Flaw” Allowed Government Spying for 3 Years - Woooo Hoooo
Surveillance Company Says It Sent Fake iTunes, Flash Updates LOL LOL LOL
As Washington Renews Military Threats Against Iran, Cyber Attacks Escalate
Cuba says U.S. behind illegal wireless networks
Anonymous' Fawkes Virus Found on Facebook LOL LOL LOL
Microsoft Issues [Fix it or Unfix it] for Duqu 0-Day Vulnerability in Windows Kernel
China: Don't blame us for U.S. satellite hacks :o
600,000 hacks a day, welcome to Facebook LOL LOL LOL
Example: What happens when ya hit that trojan-update button!
'Government and companies NSA/SAIC/DIA routinely abuse data privacy'
Using Stuxnet and Duqu as Words of Mass Disruption
NSA Open Sources Google Database Mimic
Federal Trojan
Magic Lantern
DODs New Stuxnet 2.0 'Cyber-Surveillance' Malware Threat - :o TOP
Exploit Kits – A Different View
Chaos Computer Club analyzes government malware
More Info on German State Backdoor: Case R2D2
Mass Injection Attack Targets ASP.NET Sites
Widespread LizaMoon Web Attacks Push Rogue Antivirus