[Emerging-Sigs] Sigs for Possible German Governmental Backdoor / R2D2.A (Bundestrojaner)

Mex mail at mare-system.de
Sun Oct 9 07:39:44 EDT 2011


very nice reverse-engineering, if so.
the ccc-website provides some samples of this malware and it might
be possible to detect and create sigs based on network-traffic
(although talking via port 443 the trojan is not speaking ssl)


http://www.ccc.de/en/updates/2011/staatstrojaner
http://www.ccc.de/de/updates/2011/staatstrojaner
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
http://www.f-secure.com/weblog/archives/00002249.html
http://www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html
http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545


# Snort/Suricata rules: multi-line rules need a trailing backslash on each
# continued line; sid:XXXXXXX is a placeholder to be assigned on merge.
# Note on flow: the trojan initiates the connection to the servers, so the
# inbound (server -> $HOME_NET) rules must use to_client; with to_server
# they would never match the reply traffic.
#
# Inbound SRV-2
alert tcp 83.236.140.90 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; \
flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 60; \
classtype:trojan-activity; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
reference:url,www.f-secure.com/weblog/archives/00002249.html; \
reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)

# Outbound SRV-2
alert tcp $HOME_NET any -> 83.236.140.90 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; \
flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60; \
classtype:trojan-activity; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
reference:url,www.f-secure.com/weblog/archives/00002249.html; \
reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)

# Inbound SRV-1
alert tcp 207.158.22.134 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; \
flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 60; \
classtype:trojan-activity; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
reference:url,www.f-secure.com/weblog/archives/00002249.html; \
reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)

# Outbound SRV-1
alert tcp $HOME_NET any -> 207.158.22.134 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1"; \
flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60; \
classtype:trojan-activity; reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
reference:url,www.f-secure.com/weblog/archives/00002249.html; \
reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)



for the record: i'm still not convinced that this is not a hoax.


mex
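The post's observation that the trojan talks on port 443 without speaking SSL suggests a protocol-mismatch check rather than IP-only rules. The following is an added example, not code from the post or from Emerging Threats: it inspects the first client-to-server bytes of a port-443 session and flags anything that is not a TLS or SSLv2 ClientHello. The flow records and payloads are constructed sample data.

```python
# Added example: flag port-443 sessions whose first client bytes are not a
# TLS/SSL ClientHello. All flow records below are constructed sample data.

def is_tls_client_hello(payload: bytes) -> bool:
    """TLS record header (0x16, 0x03 0x00..0x03, 2-byte len) + handshake type 0x01."""
    if len(payload) < 6:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    if int.from_bytes(payload[3:5], "big") == 0:
        return False
    return payload[5] == 0x01  # handshake type: ClientHello


def is_sslv2_client_hello(payload: bytes) -> bool:
    """SSLv2-style hello: 2-byte length with the high bit set, then msg type 0x01."""
    return len(payload) >= 3 and (payload[0] & 0x80) != 0 and payload[2] == 0x01


def find_non_tls_on_443(flows):
    """Return (src, dst) for each flow to port 443 whose first client data is not TLS.

    Each flow is a dict: src, dst, dport and the first client->server payload.
    """
    hits = []
    for f in flows:
        if f["dport"] != 443:
            continue
        p = f["payload"]
        if not (is_tls_client_hello(p) or is_sslv2_client_hello(p)):
            hits.append((f["src"], f["dst"]))
    return hits


# Constructed sample flows: a TLS 1.0 ClientHello, an SSLv2 hello, and an
# opaque binary blob on 443 (the kind of session worth a signature).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 443,
     "payload": bytes.fromhex("160301002d0100002903014a") + b"\x00" * 20},
    {"src": "10.0.0.6", "dst": "192.0.2.11", "dport": 443,
     "payload": bytes.fromhex("802e0100020015")},
    {"src": "10.0.0.7", "dst": "192.0.2.12", "dport": 443,
     "payload": b"\x00\x00\x00\x10not-a-tls-hello"},
]

if __name__ == "__main__":
    for src, dst in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS traffic on 443: {src} -> {dst}")
```

Only the first client payload of a session is examined, so a sensor feeding this needs stream reassembly or at least the first data segment per flow.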
